CyberSecurity SEE

Whiffy Recon Malware Sends Device Location Every Minute

A malware campaign known as “Whiffy Recon” has been discovered by researchers, which is being deployed by the SmokeLoader botnet. Whiffy Recon is a specialized Wi-Fi scanning executable for Windows systems that tracks the physical locations of its victims. The malware takes its name from the European and Russian pronunciation of Wi-Fi as “wiffy,” as opposed to the American pronunciation of “why fie.” It specifically targets Wi-Fi cards or dongles on compromised systems and scans for nearby Wi-Fi access points (APs) every 60 seconds.

According to a report from Secureworks Counter Threat Unit, Whiffy Recon triangulates the infected system’s position by utilizing the AP data and Google’s geolocation API. It then sends the collected location data back to an unidentified adversary. While it is unclear whether each location is being stored or if only the most recent position is transmitted, Rafe Pilling, director of threat research for the Secureworks Counter Threat Unit, warns that a worker carrying a laptop with Whiffy Recon installed could be tracked while traveling between home and business locations.
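The behaviour described above, periodic Wi-Fi scans whose results are resolved through Google's geolocation API roughly every minute, leaves a detectable network cadence. The following is an added example, not code from the article or from Secureworks: a small detection heuristic run over constructed proxy log lines that flags any process querying the geolocation endpoint at about a 60-second interval. The log format, timestamps and process names are assumptions; the endpoint path is Google's public Geolocation API URL.

```python
"""Flag processes that beacon to Google's geolocation endpoint on a ~60 s cadence."""
from datetime import datetime
from statistics import median

GEOLOCATE_PATH = "/geolocation/v1/geolocate"   # Google Geolocation API (known public endpoint)
EXPECTED_INTERVAL_S = 60.0                      # scan/report cadence attributed to Whiffy Recon
TOLERANCE_S = 10.0                              # allow jitter around the expected interval
MIN_REQUESTS = 3                                # fewer lookups is not a beacon pattern

# Constructed sample proxy log: "<ISO timestamp> <process> <host><path>".
# Process names are hypothetical; "wlan.exe" stands in for an unknown scanning binary.
SAMPLE_LOG = """\
2023-08-24T10:00:00 chrome.exe www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:00:01 wlan.exe www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:01:02 wlan.exe www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:01 wlan.exe www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:00 wlan.exe www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:30 chrome.exe www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:05:00 outlook.exe outlook.office365.com/api/v2.0/me
"""


def parse(log_text):
    """Return {process: [timestamps]} for requests that hit the geolocation path."""
    hits = {}
    for line in log_text.splitlines():
        ts, proc, url = line.split(" ", 2)
        if url.endswith(GEOLOCATE_PATH):
            hits.setdefault(proc, []).append(datetime.fromisoformat(ts))
    return hits


def find_periodic_geolocators(log_text):
    """Return {process: median_gap_seconds} for processes whose geolocation
    requests recur at roughly EXPECTED_INTERVAL_S. A browser doing a one-off
    location lookup (few requests, irregular spacing) is not flagged."""
    flagged = {}
    for proc, times in parse(log_text).items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - EXPECTED_INTERVAL_S) <= TOLERANCE_S:
            flagged[proc] = round(med, 1)
    return flagged


if __name__ == "__main__":
    print(find_periodic_geolocators(SAMPLE_LOG))   # {'wlan.exe': 59.0}
```

In practice the same cadence check can be fed from EDR process-network telemetry, and combining it with the process's use of the Windows WLAN scanning APIs narrows it further.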

Drew Schmitt, lead analyst on the GuidePoint Security Research and Intelligence Team (GRIT), explains that insight into an individual's movements can reveal patterns in behavior or location, which in turn allows more specific targeting. Attackers could selectively deploy malware when the infected system is physically located in a sensitive location, or during specific times, to increase the probability of operational success and impact. Thus, Whiffy Recon could potentially be used to track individuals belonging to specific organizations, governments, or other entities.

Shawn Surber, senior director of technical account management at Tanium, points out that the report does not specify a particular industry or sector as the primary target of the SmokeLoader botnet. However, he suggests that the collected geolocation data could be valuable for activities such as espionage, surveillance, or physical targeting. Surber also notes that this could indicate the involvement of state-sponsored or state-affiliated entities known for their interests in espionage and surveillance.

The SmokeLoader malware, which deploys Whiffy Recon, is primarily distributed through social engineering emails that contain a malicious zip archive. This archive includes both a decoy document and a JavaScript file. The JavaScript code is used to execute SmokeLoader, which not only drops malware onto the infected machine but also registers the endpoint with a command-and-control (C2) server and adds it as a node within the SmokeLoader botnet.

Because SmokeLoader is sold as a service, it is challenging to determine the ultimate perpetrators behind campaigns that use it. Various threat actors purchase access to the botnet, so the same SmokeLoader infection can be used in multiple campaigns. The malware is indiscriminate and commonly used by financially motivated cybercriminals. As a result, multiple malware strains can be delivered to a single SmokeLoader infection, some tied to ransomware or other e-crime, others serving different motivations.

Given the indiscriminate nature of SmokeLoader infections, the use of Whiffy Recon to gather geolocation data may serve as an effort to narrow down and define targets for more precise follow-on activity. As the attack sequence continues to unfold, experts are interested in seeing how Whiffy Recon will be utilized as part of a larger post-exploitation chain. The ongoing investigation aims to gain a deeper understanding of the intentions behind this malware campaign and the potential threats it poses to organizations and individuals alike.