Researchers from the Secureworks Counter Threat Unit (CTU) have identified a previously unseen malware family called Whiffy Recon [2] [8]. It was observed on compromised Windows machines that had already been infected with the SmokeLoader botnet, which delivered it as a follow-on payload [3]. Whiffy Recon is a custom Wi-Fi scanning executable for Windows that tracks the physical location of its victims by scanning for nearby Wi-Fi access points and geolocating the host from what it sees [6] [7].

Description

Whiffy Recon submits the access points it observes to Google's geolocation API, which estimates the infected system's position from them (the reporting describes this as triangulation), and places the returned coordinates in a JSON structure alongside detailed information about each wireless access point in range, including the encryption method in use [2]. For persistence, the malware adds a shortcut to the Windows Startup folder [2] [5]. On start-up it checks whether the WLANSVC service exists on the host [4] [8], but it does not confirm that the service is actually running [4]; if the service is absent the scanner exits [1] [4] [8], so a host with WLANSVC installed but stopped still runs the scanner.

The malware's main code runs in two loops. One registers the bot with the command-and-control (C2) server [2] [4] [5] [8]; the other performs a Wi-Fi scan every 60 seconds using the Windows WLAN API and sends the results to the attacker-controlled C2 server [3].
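To make the scan-to-location data flow described above concrete, the following Python is an added example; it is not Whiffy Recon's code and does not come from any of the cited reports. It parses a constructed sample of `netsh wlan show networks mode=bssid` output, used here as a command-line stand-in for the Windows WLAN API the malware calls, and builds the request body that Google's Geolocation API accepts. The netsh sample, the percent-to-dBm conversion and the report layout at the end are assumptions for illustration; the request fields (`wifiAccessPoints`, `macAddress`, `signalStrength`, `channel`, `considerIp`) and the two-access-point minimum are from Google's public API documentation, and the response shape (`location.lat`, `location.lng`, `accuracy`) is likewise documented.

```python
import json
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output (not a real capture).
# The WLAN API (WlanGetNetworkBssList) exposes the same fields, with RSSI already in dBm.
SAMPLE_NETSH = """\
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 80%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : aa:bb:cc:dd:ee:02
         Signal             : 44%
         Radio type         : 802.11ac
         Channel            : 36

SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 11:22:33:44:55:66
         Signal             : 62%
         Radio type         : 802.11n
         Channel            : 11
"""

_SSID = re.compile(r"^SSID \d+\s*:\s*(.*)$")
_BSSID = re.compile(r"^\s*BSSID \d+\s*:\s*([0-9a-fA-F:]{17})\s*$")
_FIELD = re.compile(r"^\s*(Authentication|Encryption|Channel|Signal)\s*:\s*(.*?)\s*$")


def percent_to_dbm(percent):
    """netsh reports signal as a percentage; this is the common linear approximation to dBm
    (assumption for illustration: 100% -> -50 dBm, 0% -> -100 dBm)."""
    return int(percent) // 2 - 100


def parse_netsh(text):
    """Return one record per BSSID: ssid, bssid, authentication, encryption, channel, signal_dbm.
    Authentication/Encryption are per-SSID in netsh output and apply to every BSSID under it."""
    aps = []
    ssid = auth = enc = None
    for line in text.splitlines():
        m = _SSID.match(line)
        if m:
            ssid, auth, enc = m.group(1).strip(), None, None
            continue
        m = _BSSID.match(line)
        if m:
            aps.append({"ssid": ssid, "bssid": m.group(1).lower(), "authentication": auth,
                        "encryption": enc, "channel": None, "signal_dbm": None})
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Authentication":
            auth = value
        elif key == "Encryption":
            enc = value
        elif key == "Channel" and aps:
            aps[-1]["channel"] = int(value)
        elif key == "Signal" and aps:
            aps[-1]["signal_dbm"] = percent_to_dbm(value.rstrip("%"))
    return aps


def build_geolocation_request(aps):
    """Body for POST https://www.googleapis.com/geolocation/v1/geolocate?key=<API key>.
    Google requires at least two access points; considerIp=False disables the IP-based
    fallback so the returned position comes from the Wi-Fi data alone."""
    if len(aps) < 2:
        raise ValueError("Google geolocation needs at least two access points")
    return {
        "considerIp": False,
        "wifiAccessPoints": [
            {"macAddress": ap["bssid"], "signalStrength": ap["signal_dbm"], "channel": ap["channel"]}
            for ap in aps
        ],
    }


def assemble_report(aps, geolocation_response):
    """Combine the API's answer with the per-AP details (illustrative layout, not the
    malware's real schema): this is the kind of record the page says is built per scan."""
    loc = geolocation_response["location"]
    return {"lat": loc["lat"], "lng": loc["lng"], "accuracy_m": geolocation_response["accuracy"],
            "access_points": aps}


if __name__ == "__main__":
    observed = parse_netsh(SAMPLE_NETSH)
    print(json.dumps(build_geolocation_request(observed), indent=2))
    # Constructed response in the documented shape; no network call is made here.
    fake_response = {"location": {"lat": 51.5, "lng": -0.12}, "accuracy": 20.0}
    print(json.dumps(assemble_report(observed, fake_response), indent=2))
```

The point the example makes is how little the lookup needs: BSSIDs and signal strengths, both readable by an unprivileged process through the WLAN API, are enough for a third-party service to return a street-level position, which is why the service-existence check and the 60-second cadence are the behaviours worth detecting rather than any special privilege the malware would need.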

Why the operators want this information is unclear [5]; one suggestion is that knowing a victim's physical location could be used to intimidate victims or pressure them into complying with demands [5]. Organizations are advised to review their environments against the indicators published with the research and to restrict access accordingly to limit exposure to this malware [8].

Conclusion

The discovery of Whiffy Recon highlights the continuing evolution of malware delivered to already-compromised Windows systems. Its ability to locate victims physically from nothing more than a Wi-Fi scan raises privacy concerns and opens the door to misuse of that information. Organizations should review their environments against the published indicators and restrict access accordingly. Further analysis is needed to understand the operators' motivations and the potential impact of this capability, and to develop effective mitigations.

References

[1] https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html
[2] https://www.jsplaces.com/security-affairs/25/08/2023/whiffy-recon-malware-triangulates-the-position-of-infected-systems-via-wi-fi/
[3] https://fieldeffect.com/blog/creepy-whiffy-recon-malware-gives-hackers-victim-location
[4] https://www.scoop.co.nz/stories/SC2308/S00043/smoke-loader-drops-whiffy-recon-wi-fi-scanning-and-geolocation-malware.htm
[5] https://www.hackread.com/smoke-loader-botnet-whiffy-recon-malware/
[6] https://www.threatshub.org/blog/whiffy-recon-malware-transmits-device-location-every-60-seconds/
[7] https://www.darkreading.com/attacks-breaches/whiffy-recon-malware-transmits-device-location-every-60-seconds
[8] https://itwire.com/guest-articles/guest-research/smoke-loader-drops-whiffy-recon-wi-fi-scanning-and-geolocation-malware.html