Whiffy Recon Malware Uncovers Wi-Fi Location of Windows Machines
The discovery of Whiffy Recon malware has brought to light a concerning development in the world of cybersecurity. This malware, delivered through SmokeLoader, a loader malware primarily used to drop additional payloads onto compromised Windows machines, poses a significant threat.
Whiffy Recon's modus operandi is unusual. Every 60 seconds it scans for nearby Wi-Fi access points and submits the results to Google's geolocation API, which returns an estimated position for the infected system. That location is then sent back to the operators, allowing them to pinpoint where the compromised machine is.
SmokeLoader, as its name suggests, is primarily a loader malware. Its primary function is to facilitate the delivery of other malware onto a host. Since 2014, it has been available for sale to Russian-based threat actors and is often distributed through phishing emails.
The Intricate Operations of Whiffy Recon
Whiffy Recon first looks for the WLAN AutoConfig service (WLANSVC) on the infected system. If the service is not present, the malware terminates itself. Notably, the scanner only checks that the service exists; it does not verify that the service is actually running.
To ensure persistence, Whiffy Recon adds a shortcut to the Windows Startup folder. It then registers with a remote command-and-control (C2) server by sending a randomly generated "botID" in an HTTP POST request. In response, the server returns a success message and a unique identifier, which the malware stores in a file named "%APPDATA%\Roaming\wlan\str-12.bin".
The second phase of the attack involves continuous scanning for Wi-Fi access points using the Windows WLAN API. These scan results are then forwarded to the Google Geolocation API, enabling the triangulation of the infected system's location. This information is subsequently transmitted to the C2 server in the form of a JSON string.
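The behaviour described above has a detectable signature from the network side: a non-browser process issuing POST requests to the public geolocation endpoint on a fixed, machine-timed cadence. The following Python script is an added example, not code from the original article or from the researchers who analysed Whiffy Recon. It groups outbound requests by host, process and destination, measures the regularity of the intervals between them, and raises the severity when the destination is Google's geolocation API, the caller is not a browser, and the period is close to the 60-second cadence reported for this malware. The log format, host names, process paths, browser allow-list and thresholds are constructed for the demo; only the geolocation endpoint is real.

```python
"""Beacon-cadence detection for the Whiffy Recon pattern (added example).

The '|'-separated record layout, the sample lines and the thresholds below are
constructed for this demonstration and are not taken from any product or case.
"""
import ntpath
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Google's public geolocation endpoint (real); Whiffy Recon is reported to POST Wi-Fi scan results here.
GEOLOCATION_ENDPOINT = "www.googleapis.com/geolocation/v1/geolocate"
EXPECTED_PERIOD_S = 60      # scan cadence reported for Whiffy Recon
PERIOD_TOLERANCE_S = 5      # allow some scheduler drift around that period
MAX_JITTER_S = 3.0          # stdev of inter-request gaps; timer-driven beacons are very regular
MIN_EVENTS = 4              # need a few requests before cadence means anything

# Processes for which geolocation lookups are expected (assumption for the demo).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed telemetry: timestamp | host | process image path | method | URL
SAMPLE_LOG = r"""
2023-08-24T10:00:00Z|WS-01|C:\Users\alice\AppData\Local\Temp\sample_unknown.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:01:01Z|WS-01|C:\Users\alice\AppData\Local\Temp\sample_unknown.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:00Z|WS-01|C:\Users\alice\AppData\Local\Temp\sample_unknown.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:01Z|WS-01|C:\Users\alice\AppData\Local\Temp\sample_unknown.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:04:00Z|WS-01|C:\Users\alice\AppData\Local\Temp\sample_unknown.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:00:12Z|WS-02|C:\Program Files\Mozilla Firefox\firefox.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:37:45Z|WS-02|C:\Program Files\Mozilla Firefox\firefox.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T11:02:03Z|WS-02|C:\Program Files\Mozilla Firefox\firefox.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T11:02:40Z|WS-02|C:\Program Files\Mozilla Firefox\firefox.exe|POST|https://www.googleapis.com/geolocation/v1/geolocate
"""


def parse_log(text):
    """Parse the constructed '|'-separated records into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, method, url = line.split("|", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "image": image, "method": method, "url": url,
        })
    return records


def find_beacons(records):
    """Flag (host, process, destination) series whose request gaps are machine-regular.

    Severity is 'low' for any regular cadence, 'high' when a non-browser process
    talks to the geolocation API, and 'critical' when that cadence also sits near
    the 60-second period described for Whiffy Recon.
    """
    series = defaultdict(list)
    for r in records:
        series[(r["host"], r["image"], r["url"])].append(r["ts"])

    findings = []
    for (host, image, url), stamps in series.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = statistics.stdev(gaps)
        if jitter > MAX_JITTER_S:
            continue  # irregular, user-driven traffic; not a timer-driven beacon
        median = statistics.median(gaps)
        image_name = ntpath.basename(image).lower()
        severity = "low"  # regular cadence alone is common (updaters, agents); keep it informational
        if GEOLOCATION_ENDPOINT in url and image_name not in BROWSER_IMAGES:
            severity = "high"
            if abs(median - EXPECTED_PERIOD_S) <= PERIOD_TOLERANCE_S:
                severity = "critical"
        findings.append({
            "host": host, "image": image, "url": url, "events": len(stamps),
            "median_interval_s": median, "jitter_s": round(jitter, 2), "severity": severity,
        })
    return findings


def analyze(text=SAMPLE_LOG):
    """Run the full pipeline over a log text and return the findings list."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for f in analyze():
        print(f"[{f['severity']}] {f['host']} {f['image']} -> {f['url']} "
              f"({f['events']} requests, median {f['median_interval_s']}s, jitter {f['jitter_s']}s)")
```

On the sample data only the WS-01 series is reported: five POSTs from an unknown binary at 59 to 61 second gaps. The Firefox series goes to the same endpoint but its gaps are minutes apart and irregular, so it never clears the jitter gate. In practice the allow-list and thresholds should be tuned against a baseline of normal traffic, and a 'critical' finding would be followed by checking the host for the Startup-folder shortcut and the identifier file described above.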
Understanding how Whiffy Recon operates is crucial to countering it. The analysis above traces the malware from its initial service check and persistence mechanism through its reconnaissance loop, showing how it locates Windows machines via nearby Wi-Fi access points and transmits that location to its operators.