The operators behind the Smoke Loader botnet have unleashed a new strain of malware known as Whiffy Recon, leveraging WiFi scanning and Google’s geolocation API to pinpoint the whereabouts of infected devices.
Google’s geolocation API is a service that processes HTTPS requests containing WiFi access point data, returning precise latitude and longitude coordinates even for devices lacking GPS functionality.
Smoke Loader, a modular malware dropper with a history spanning several years, has traditionally been employed in the initial phases of a breach to facilitate the delivery of fresh payloads.
In the case of Whiffy Recon, discerning the victim’s location can furnish attackers with tools to execute more targeted assaults within specific regions or urban zones, and even wield the location-tracking capability for intimidation purposes.
Accuracy in triangulation via Google’s geolocation API hinges on the density of WiFi access points in the vicinity: the error is typically 20 to 50 meters (65-165ft) or less, and grows in sparsely populated areas where fewer access points are visible.
Initially, the malware verifies the existence of the ‘WLANSVC’ service, bypassing the scanning step if the service is absent and proceeding to register the bot with the command and control (C2) server.
For Windows systems featuring this service, Whiffy Recon initiates a recurring WiFi scanning loop scheduled every minute. It exploits the Windows WLAN API to gather essential data, forwarding WiFi access point specifics in JSON format through HTTPS POST requests to Google’s geolocation API.
The coordinates furnished by Google’s response enable the malware to formulate a comprehensive report, encompassing geographic coordinates, encryption methods, and SSID details of the access points. This report is then dispatched to the threat actor’s C2 in the form of a JSON POST request.
Due to this rapid 60-second cycle, the malware could potentially facilitate near-real-time tracking of the compromised device.
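The steady 60-second cadence described above is itself a detection opportunity: a workstation does not normally POST to Google’s geolocation endpoint once a minute, and it certainly does not follow each lookup with a POST to an unfamiliar host. The script below is an added defender-side example, not code from the article or from Secureworks; it runs over a constructed web-proxy log and flags hosts whose geolocation requests recur at roughly 60-second intervals, then lists the unknown destinations that received a POST within seconds of each lookup (the C2 report leg). The log format, host names, and `c2-placeholder.invalid` are constructed for illustration; the article does not name the real C2. The endpoint path is Google’s documented `/geolocation/v1/geolocate`.

```python
"""Flag Whiffy Recon-style periodic geolocation lookups in proxy logs.

Added example (not the article's or Secureworks' code). Log format, host
names and the C2 placeholder are constructed; only the endpoint path and the
~60 s interval come from the article and Google's public API documentation.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

GEOLOCATE_HOST = "www.googleapis.com"
GEOLOCATE_PATH = "/geolocation/v1/geolocate"

# Constructed sample proxy log (not real traffic): one request per line,
# "timestamp src_host method dst_host path". ws-017 shows the malware's
# pattern; ws-042 is a benign host that made a single lookup.
SAMPLE_LOG = """\
2023-08-08T10:00:00Z ws-017 POST www.googleapis.com /geolocation/v1/geolocate
2023-08-08T10:00:02Z ws-017 POST c2-placeholder.invalid /report
2023-08-08T10:00:30Z ws-042 GET www.googleapis.com /geolocation/v1/geolocate
2023-08-08T10:01:00Z ws-017 POST www.googleapis.com /geolocation/v1/geolocate
2023-08-08T10:01:03Z ws-017 POST c2-placeholder.invalid /report
2023-08-08T10:02:01Z ws-017 POST www.googleapis.com /geolocation/v1/geolocate
2023-08-08T10:02:03Z ws-017 POST c2-placeholder.invalid /report
2023-08-08T10:03:00Z ws-017 POST www.googleapis.com /geolocation/v1/geolocate
2023-08-08T10:03:02Z ws-017 POST c2-placeholder.invalid /report
2023-08-08T10:04:10Z ws-042 POST docs.example.invalid /upload
"""

# Destinations a workstation legitimately posts to (constructed allowlist);
# a POST to anything else right after a geolocation lookup is suspicious.
KNOWN_GOOD_HOSTS = {GEOLOCATE_HOST, "docs.example.invalid"}


def parse_log(text):
    """Turn the space-separated log into dicts with a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "method": method, "host": host, "path": path,
        })
    return events


def find_periodic_geolocate(events, period=60, tolerance=5, min_hits=3):
    """Return {src: median_interval_seconds} for hosts that POST to the
    geolocation endpoint at a steady cadence within `tolerance` of `period`."""
    times = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["host"] == GEOLOCATE_HOST and e["path"] == GEOLOCATE_PATH:
            times[e["src"]].append(e["ts"])
    flagged = {}
    for src, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance:
            flagged[src] = med
    return flagged


def find_follow_on_posts(events, flagged, window=10):
    """For each flagged host, collect non-allowlisted destinations that got a
    POST within `window` seconds after a geolocation lookup."""
    geo_times = defaultdict(list)
    for e in events:
        if e["src"] in flagged and e["host"] == GEOLOCATE_HOST and e["path"] == GEOLOCATE_PATH:
            geo_times[e["src"]].append(e["ts"])
    followers = defaultdict(set)
    for e in events:
        if e["src"] not in flagged or e["method"] != "POST" or e["host"] in KNOWN_GOOD_HOSTS:
            continue
        if any(0 <= (e["ts"] - t).total_seconds() <= window for t in geo_times[e["src"]]):
            followers[e["src"]].add(e["host"])
    return dict(followers)


def detect(log_text):
    """Run both checks and return the hosts and destinations worth triaging."""
    events = parse_log(log_text)
    flagged = find_periodic_geolocate(events)
    return {"periodic": flagged, "follow_on": find_follow_on_posts(events, flagged)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The cadence check deliberately uses the median gap rather than the mean so that a single missed beacon (a sleeping laptop, a dropped request) does not hide the pattern; the follow-on check is what turns "someone used a geolocation API" into "something is reporting location to a host we do not know", which is the pairing a responder would want before pulling the endpoint for triage.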
Researchers from Secureworks, who discovered this innovative malware variant on August 8, speculate that hackers might leverage geolocation data to intimidate victims, coercing them into compliance.
Notably, the malware employs a version number “1” in its initial POST request to the C2. This numerical choice might suggest the malware’s developmental phase, hinting at the author’s intentions to introduce enhancements or new functionalities in subsequent iterations.