- A new custom Wi-Fi scanning payload called Whiffy Recon has been detected.
- The Smoke Loader botnet delivers Whiffy Recon to the devices it has compromised.
- Whiffy Recon triangulates the positions of infected devices using nearby Wi-Fi access points.
- Whiffy Recon then uses the Google Geolocation API to get the device’s coordinates.
- Whiffy Recon creates a wlan.lnk shortcut in the Startup folder to maintain persistence on the device.
- The purpose of obtaining this information is unclear, but researchers suspect that it could be used to intimidate victims or pressure them to comply with demands.
The cybersecurity researchers at Secureworks have detected a new custom Wi-Fi scanning payload that they have named Whiffy Recon. The malicious executable hunts for the geolocation of compromised systems; in the case of Whiffy Recon, the targeted devices are Windows-based.
Secureworks’ Counter Threat Unit has shared details of a new Smoke Loader botnet campaign that infects compromised devices with a custom Wi-Fi scanning executable. The researchers observed this malicious activity on 8th August 2023.
For your information, Smoke Loader, also known as Dofoil, is a type of botnet malware that is often used to deliver various payloads to compromised computers. It’s categorized as a downloader and is commonly associated with the distribution of other types of malware, such as banking Trojans, ransomware, and cryptocurrency miners.
Previously, in April 2019, the Smoke Loader botnet was found spreading a banking trojan used to steal $4.6 million from victims. Another campaign, exposed in July 2018, saw the botnet drop the Kronos banking trojan on unsuspecting victims.
As for the latest campaign, Whiffy Recon triangulates the position of an infected device by using the nearby Wi-Fi access points it observes as the data points it submits to the Google Geolocation API. For your information, the Google Geolocation service triangulates a system’s location from mobile network and Wi-Fi access point data and returns its coordinates.
According to Secureworks’ blog post, the payload starts by checking for the WLANSVC service on the compromised device. This is done to confirm that the Windows device has wireless capability; the payload exits if the service is not present. It must be noted that Whiffy Recon only checks for the service’s presence, not whether it is actually working.
It maintains persistence by creating a wlan.lnk shortcut in the Startup folder that points to the exact location of the Whiffy Recon executable on the system. The malware’s main code has two loops: one registers the bot with the attacker’s C2 server, and the other performs the Wi-Fi scan using the Windows WLAN API.
The second loop runs repeatedly at 60-second intervals to keep obtaining geolocation data. The scan results are mapped to a JSON structure that is transmitted to the Google Geolocation API in an HTTP POST request.
The returned information is then mapped to another JSON structure containing information about every wireless access point present in the area and the encryption methods they use.
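The behaviour described above, a non-browser process POSTing to the Google Geolocation API every 60 seconds, gives defenders a simple detection to run over proxy or EDR network logs. The script below is an added example, not code from Secureworks or from the article; the endpoint path comes from Google's public API documentation, the browser allowlist and jitter tolerance are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Path of Google's Geolocation API endpoint (from Google's public API docs; the page
# names the service but not the URL). Browsers are an assumed allowlist.
GEOLOCATE_PATH = "/geolocation/v1/geolocate"
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe"}
BEACON_SECONDS = 60     # scan-loop cadence the article reports
TOLERANCE_SECONDS = 10  # assumed jitter allowance
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")

# Constructed sample proxy log (timestamp, process, method, URL); not real telemetry.
SAMPLE_LOG = """\
2023-08-08T10:00:00Z chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=KEY
2023-08-08T10:00:05Z payload.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=KEY
2023-08-08T10:01:05Z payload.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=KEY
2023-08-08T10:02:06Z payload.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=KEY
2023-08-08T10:03:05Z payload.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=KEY
2023-08-08T10:03:30Z outlook.exe GET https://outlook.office.com/mail/
2023-08-08T10:04:00Z setup.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=KEY
"""

def parse_log(text):
    """Yield (timestamp, process, method, url); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_geolocation_beacons(text, min_posts=3):
    """Return {process: median gap in seconds} for non-allowlisted processes that
    POST to the geolocation endpoint repeatedly at roughly BEACON_SECONDS spacing."""
    posts = defaultdict(list)
    for ts, proc, method, url in parse_log(text):
        if method == "POST" and GEOLOCATE_PATH in url and proc.lower() not in ALLOWED_PROCESSES:
            posts[proc].append(ts)
    findings = {}
    for proc, times in posts.items():
        times.sort()
        if len(times) < min_posts:
            continue  # a one-off lookup is not a beacon
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - BEACON_SECONDS) <= TOLERANCE_SECONDS:
            findings[proc] = median(gaps)
    return findings
```

On the sample log only payload.exe is flagged: chrome.exe is allowlisted and setup.exe posts once, which is below the beacon threshold.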
The purpose of obtaining this information is still unclear to researchers. However, they suspect that attackers might want to “intimidate victims or pressure them to comply with demands.” Secureworks researchers urge organizations to use available controls and restrict access to Wi-Fi.