Cybersecurity researchers at Secureworks have recently discovered a new custom Wi-Fi scanning payload called Whiffy Recon. This malicious executable is delivered by the Smoke Loader botnet to already compromised devices, specifically those running Windows. Researchers from Secureworks’ Counter Threat Unit detected this activity on August 8, 2023.
Smoke Loader, also known as Dofoil, is a type of botnet malware that is commonly used to deliver various payloads to compromised computers. It is classified as a downloader and is often associated with the distribution of other types of malware, such as banking Trojans, ransomware, and cryptocurrency miners. In a previous incident in April 2019, the Smoke Loader botnet was found spreading a banking Trojan that resulted in the theft of $4.6 million from victims. Another campaign in July 2018 involved the use of the botnet to drop the Kronos banking Trojan on unsuspecting victims.
The Whiffy Recon malware works by triangulating the positions of infected devices using nearby Wi-Fi access points. It then leverages the Google Geolocation API to obtain the coordinates of the compromised device. The Google Geolocation service utilizes data from mobile networks and Wi-Fi access points to determine the location of a system.
According to Secureworks’ blog post, the payload begins by checking for the WLANSVC service on the compromised device to confirm that wireless capability is present. If it is not, the malware exits. To maintain persistence, Whiffy Recon creates a shortcut called wlan.lnk in the Startup folder, pointing to the exact location of the malware on the system. The malware’s main code consists of two loops: one registers the bot with the attacker’s C2 server, while the other continually scans for nearby Wi-Fi access points using the Windows WLAN API.
The second loop runs at 60-second intervals to consistently obtain geolocation data. The scanning results are mapped to a JSON structure and transmitted to the Google Geolocation API through an HTTP POST request. The returned information is then mapped to another JSON structure containing details about the wireless access points present in the area, including their encryption methods.
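The behaviour described above leaves two observable traces a defender can look for: a scheduled shortcut named wlan.lnk in the Startup folder, and a non-browser process POSTing to the public Google Geolocation endpoint roughly every 60 seconds. The following Python is an added detection example written for this article, not code from Secureworks or from the malware; it assumes a constructed log format ("<epoch> host=<name> proc=<image> <METHOD> <url>"), an assumed browser allowlist, and an assumed jitter tolerance of five seconds around the 60-second cadence. The sample log lines are constructed.

```python
"""Detection helpers for Whiffy-Recon-style Wi-Fi geolocation beaconing (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Public Google endpoint that the scan results are POSTed to.
GEOLOCATE_RE = re.compile(r"googleapis\.com/geolocation/v1/geolocate", re.I)
# Processes that legitimately call the geolocation API (assumption: tune per estate).
PROCESS_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}
BEACON_SECONDS = 60       # interval reported for the malware's scanning loop
TOLERANCE_SECONDS = 5     # jitter accepted around that interval (assumption)
MIN_POSTS = 3             # fewer POSTs than this is not a cadence (assumption)
PERSISTENCE_SHORTCUT = "wlan.lnk"   # shortcut name reported in the Startup folder

# Constructed log format: "<epoch> host=<name> proc=<image> <METHOD> <url>"
LOG_RE = re.compile(r"^(\d+)\s+host=(\S+)\s+proc=(\S+)\s+(\w+)\s+(\S+)$")


@dataclass(frozen=True)
class NetEvent:
    ts: int
    host: str
    process: str
    method: str
    url: str


def parse_event(line: str) -> NetEvent | None:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return NetEvent(int(ts), host, proc.lower(), method.upper(), url)


def is_geolocate_post(ev: NetEvent) -> bool:
    return ev.method == "POST" and bool(GEOLOCATE_RE.search(ev.url))


def unexpected_geolocate_posts(events) -> list[NetEvent]:
    """Every geolocation POST from a process outside the allowlist (low confidence on its own)."""
    return [ev for ev in events if is_geolocate_post(ev) and ev.process not in PROCESS_ALLOWLIST]


def find_beaconing(events) -> dict[tuple[str, str], float]:
    """Return {(host, process): median_interval} for non-allowlisted processes that
    POST to the geolocation API at roughly the 60-second cadence."""
    by_origin: dict[tuple[str, str], list[int]] = defaultdict(list)
    for ev in unexpected_geolocate_posts(events):
        by_origin[(ev.host, ev.process)].append(ev.ts)
    findings = {}
    for origin, stamps in by_origin.items():
        stamps.sort()
        if len(stamps) < MIN_POSTS:
            continue
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = median(deltas)
        if abs(interval - BEACON_SECONDS) <= TOLERANCE_SECONDS:
            findings[origin] = interval
    return findings


def has_persistence_shortcut(startup_entries) -> bool:
    """True if a listing of the Startup folder contains the reported wlan.lnk shortcut."""
    return any(name.strip().lower() == PERSISTENCE_SHORTCUT for name in startup_entries)


# Constructed sample: one host beacons every ~60 s from a non-browser process, one host
# has a legitimate browser call and a single one-off POST from another process.
SAMPLE_LOG = """\
1691500000 host=WS-17 proc=chrome.exe GET https://maps.googleapis.com/maps/api/js
1691500010 host=WS-17 proc=updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
1691500070 host=WS-17 proc=updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
1691500131 host=WS-17 proc=updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
1691500190 host=WS-17 proc=updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
1691500050 host=WS-22 proc=msedge.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
1691500100 host=WS-22 proc=svchost.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""


def run_sample() -> dict[tuple[str, str], float]:
    events = [e for e in map(parse_event, SAMPLE_LOG.splitlines()) if e]
    return find_beaconing(events)


if __name__ == "__main__":
    for (host, proc), interval in run_sample().items():
        print(f"{host}: {proc} POSTs to the geolocation API every ~{interval:.0f}s")
    print("persistence shortcut present:", has_persistence_shortcut(["OneDrive.lnk", "wlan.lnk"]))
```

On the constructed sample only WS-17/updater.exe is reported as beaconing (median gap 60 s); the single svchost.exe POST on WS-22 shows up in unexpected_geolocate_posts but not as a cadence, which is the distinction between a hunting lead and an alert. The Startup-folder check is deliberately a pure function over a directory listing so it can be fed from any inventory source.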
The purpose behind obtaining this location-based information remains unclear. However, researchers suspect that attackers may have intentions to intimidate victims or pressure them to comply with certain demands. To mitigate the risk associated with this type of attack, Secureworks researchers recommend that organizations utilize available controls and restrict access to Wi-Fi.
In related news, a study revealed that individuals belonging to Generation Z are the least likely to share their location data with the government. This finding suggests a growing concern among younger individuals regarding the privacy and security of their personal information. Additionally, a researcher exposed how a US firm collected his location data without his knowledge or consent, highlighting the potential for misuse of personal information by organizations. In a separate incident, WikiLeaks exposed the CIA’s use of Linux hacking and geolocation tracker malware, shedding light on the agency’s tactics in exploiting technology for surveillance purposes.
As the threat landscape continues to evolve, it is crucial for individuals and organizations to remain vigilant and take necessary precautions to protect their devices and data from malicious actors.
