Researchers from Secureworks Counter Threat Unit (CTU) recently discovered a new strain of malware called Smoke Loader. This loader malware has been active for over a decade and is known for dropping additional payloads onto compromised Windows machines. In addition to Smoke Loader, the researchers also found a new payload called “Whiffy Recon” that uses Wi-Fi triangulation to determine the approximate location of infected systems.
Description
Whiffy Recon achieves its geolocation capabilities by scanning nearby Wi-Fi access points every 60 seconds and utilizing Google’s geolocation API. It specifically checks for the presence of the WLAN AutoConfig service on Windows machines to confirm wireless capability [2]. If the service name doesn’t exist [3] [4] [5] [8], Whiffy Recon terminates itself [7]. To achieve persistence [6], Whiffy Recon adds a shortcut to the Windows Startup folder.
The main code of the malware consists of two loops. One loop is responsible for registering with the command-and-control (C2) server, while the other loop performs Wi-Fi scanning [2]. If a specific file is not found in the %APPDATA%\Roaming*.* directory, the malware registers the compromised system with the C2 server through an HTTP POST request that includes a randomly generated “botID” in a JSON payload. Upon successful registration, the C2 server responds with a success message and a unique identifier that is saved in a file [3] [4].
The second loop of the malware is responsible for scanning Wi-Fi access points using the Windows WLAN API and sending the scan results to the Google Geolocation API via an HTTP POST request [2]. The obtained coordinates from the geolocation API are then sent to the C2 server in a more comprehensive JSON structure [2].
The purpose of this tracking activity is currently unclear, but it is speculated that it could potentially be used for intimidation tactics [1]. Smoke Loader has been detected targeting users in the US [1], UK [1], Germany [1], and France [1], often arriving through phishing email schemes [1].
Users can detect the presence of Whiffy Recon by looking for the creation of a wlan.lnk shortcut in the user’s Startup folder. However, it is important to note that data that has already been sent cannot be tracked or eliminated [1].
Conclusion
The regularity of the Wi-Fi scans and the ability to map the geolocation of infected devices raise concerns [8]. This type of activity is rarely observed among criminal actors [8], which further adds to the worrisome nature of its potential nefarious motivations.
Organizations are advised to use available controls and restrict access to Wi-Fi to mitigate the risk of infection. Additionally, users should remain vigilant against phishing email schemes and regularly update their security measures to protect against evolving malware threats. The discovery of Whiffy Recon highlights the need for ongoing research and development of effective countermeasures to combat the ever-changing landscape of cyber threats.
References
[1] https://me.pcmag.com/en/security/18955/new-malware-component-can-use-wi-fi-triangulation-to-determine-pcs-location
[2] https://www.secureworks.com/blog/smoke-loader-drops-whiffy-recon-wi-fi-scanning-and-geolocation-malware
[3] https://secoperations.wordpress.com/2023/08/25/new-whiffy-recon-malware-triangulates-infected-device-location-via-wi-fi-every-minute/
[4] https://www.443news.com/2023/08/new-whiffy-recon-malware-triangulates-infected-device-location-via-wi-fi-every-minute/
[5] https://www.redpacketsecurity.com/new-whiffy-recon-malware-triangulates-infected-device-location-via-wi-fi-every-minute/
[6] https://cybersec84.wordpress.com/2023/08/24/new-wi-fi-scanning-malware-whiffy-recon-tracks-devices-every-60-seconds/
[7] https://www.hackread.com/smoke-loader-botnet-whiffy-recon-malware/
[8] https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html