Smoke Loader Uses New Whiffy Recon Malware To Triangulate Device Locations

Researchers have found the Smoke Loader botnet deploying new malware in recent campaigns. Identified as Whiffy Recon, the malware triangulates the target devices’ locations via WiFi scanning and Google’s geolocation API, putting the victim users’ personal security at risk.

Whiffy Recon Malware Triangulates Locations Via WiFi Scanning

As elaborated in a recent post, researchers from Secureworks have identified a new malware campaign run by the Smoke Loader botnet.

Smoke Loader is a known botnet that has been running malware campaigns for years, targeting businesses across different sectors. In the recent campaign, the threat actors behind this botnet deployed a new malware that the researchers named “Whiffy Recon”. The name refers to its capability to triangulate a device’s location by scanning nearby WiFi access points and querying Google’s geolocation API.

Briefly, after reaching the target system, the malware looks for the WLANSVC service (on Windows systems) to determine whether the device has wireless capabilities. If the service is present, the malware continues with its activities even if the service is not running; if the service is absent, the malware exits.

Next, the malware establishes a connection with the C&C server, performs an initial WiFi scan, and registers the system with the C2. Once registered, the malware scans for WiFi access points at a 60-second interval and sends the mapped scan results to the Google Geolocation API for location triangulation.

In this way, by collecting the coordinates returned for each set of nearby WiFi access points and refreshing that data with a scan every minute, the malware gives the threat actors precise and up-to-date information about the victims’ locations. They can then use this data to intimidate the victims or for other malicious purposes in the future.
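The behaviour described above, a non-browser process querying Google’s geolocation endpoint on a steady 60-second cadence, is something defenders can hunt for in endpoint network telemetry. The following is an added example (not code from the Secureworks report or from this post) that runs that check over constructed sample log lines; the log format, the process name “wlan.exe”, and the browser allow-list are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not real logs): one network event per line as
# timestamp|process image|destination host|URL path. The beaconing image name
# "wlan.exe" is a placeholder, not an indicator from the Secureworks report.
SAMPLE_LOG = r"""
2023-08-24T10:00:00|C:\Users\victim\AppData\Roaming\wlan.exe|www.googleapis.com|/geolocation/v1/geolocate
2023-08-24T10:00:30|C:\Program Files\Mozilla Firefox\firefox.exe|www.googleapis.com|/geolocation/v1/geolocate
2023-08-24T10:01:00|C:\Users\victim\AppData\Roaming\wlan.exe|www.googleapis.com|/geolocation/v1/geolocate
2023-08-24T10:02:01|C:\Users\victim\AppData\Roaming\wlan.exe|www.googleapis.com|/geolocation/v1/geolocate
2023-08-24T10:03:00|C:\Users\victim\AppData\Roaming\wlan.exe|www.googleapis.com|/geolocation/v1/geolocate
2023-08-24T10:05:00|C:\Windows\System32\svchost.exe|update.microsoft.com|/
"""

GEO_HOST = "www.googleapis.com"
GEO_PATH = "/geolocation/v1/geolocate"
# Hypothetical allow-list: processes in this environment that legitimately use
# the geolocation API (browsers). Tune per environment.
EXPECTED_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}

def parse_events(text):
    """Parse the pipe-delimited sample format into (datetime, image, host, path)."""
    events = []
    for line in text.strip().splitlines():
        ts, image, host, path = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), image, host, path))
    return events

def find_geolocation_beacons(text, period_s=60, tolerance_s=5, min_hits=3):
    """Return {image: median gap in seconds} for processes outside the allow-list
    that query the geolocation endpoint at a steady cadence near period_s."""
    by_image = defaultdict(list)
    for ts, image, host, path in parse_events(text):
        if host == GEO_HOST and path.startswith(GEO_PATH):
            by_image[image].append(ts)
    hits = {}
    for image, times in by_image.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in EXPECTED_IMAGES or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps)
        if abs(gap - period_s) <= tolerance_s:
            hits[image] = gap
    return hits
```

A single browser request to the same endpoint is ignored; only the unlisted process that repeats the query roughly every minute is reported, which is the cadence the researchers describe for this malware.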

The researchers have shared a detailed technical analysis of this malware campaign in their post.

Given the malware’s stealthy functionality, the researchers urge organizations to remain vigilant. Specifically, they advise organizations to consider blocking access to the indicators shared in their post. Organizations should also conduct regular security scans to detect malicious activity in time and limit the damage.
