Malware Helps Hackers Track Prey: Coordinates Hunters

Cybercriminals using the Smoke Loader malware have begun incorporating a new tool called Whiffy Recon into their attacks. The tool triangulates the location of infected devices by scanning nearby Wi-Fi networks and querying the Google geolocation API.

The Google geolocation API is a service provided by Google that enables software developers to determine the location of devices by using data from the nearest Wi-Fi and cell tower access points.

By making HTTPS requests to this API, cybercriminals can obtain approximate latitude and longitude coordinates of a device, even if it is not equipped with GPS. This is particularly useful for applications that rely on user location information, such as maps and location-based services.

In the case of Whiffy Recon, knowing the victim's location lets the attackers carry out more targeted attacks, with precision down to the district level within a city. The accuracy of triangulation through the Google geolocation API ranges from 20 to 50 meters, depending on the number of Wi-Fi access points in the area; in less densely populated areas this figure may be even higher.

Whiffy Recon is delivered to the victim’s device after it has been infected by the Smoke Loader dropper. Once on the device, Whiffy Recon begins by checking for the presence of a service called “Wlansvc” in the target system. If the service is absent, the program registers the bot on the command server and skips the scanning step.

On Windows systems where the "Wlansvc" service is present, Whiffy Recon starts a Wi-Fi scanning cycle that runs every minute. It abuses the Windows WLAN API to enumerate nearby access points, then sends the scan results to Google's geolocation API over HTTPS and receives the computed position in JSON format.

Using the coordinates returned by Google, the malware generates a comprehensive report on the access points. This report includes the access points' geographical positions, encryption methods, and SSIDs. The report is then sent to the attacker's C2 server as a JSON POST request.

Because this cycle repeats every 60 seconds, the attackers can track the compromised device almost in real time.
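The behaviour described above gives defenders a simple network-side signal: a non-browser process that calls the geolocation API at a steady one-minute cadence and, shortly after each call, posts to some other host. The script below is an added example written for this article, not code from the original report or from the malware itself. It runs over a constructed proxy/EDR log (the host names, process name, and the 203.0.113.5 address are made up for illustration), assumes the well-known `googleapis.com/geolocation/v1/geolocate` endpoint (which the article does not name explicitly), and treats common browsers as expected callers.

```python
"""Detection sketch: periodic Google geolocation API calls from an unexpected process.

Added example, not from the original article. Log format and all values below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real telemetry), one event per line:
# <ISO-8601 timestamp> <host> <process> <method> <url>
SAMPLE_LOG = """\
2023-08-10T09:00:01Z WS-042 svchost_upd.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T09:00:03Z WS-042 chrome.exe GET https://www.google.com/maps
2023-08-10T09:01:01Z WS-042 svchost_upd.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T09:01:02Z WS-042 svchost_upd.exe POST http://203.0.113.5/api/bot
2023-08-10T09:02:01Z WS-042 svchost_upd.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T09:02:02Z WS-042 svchost_upd.exe POST http://203.0.113.5/api/bot
2023-08-10T09:03:00Z WS-042 svchost_upd.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T09:05:00Z WS-017 chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""

# Known Google geolocation endpoint path (assumption: the article does not name it).
GEOLOCATE_PATH = "googleapis.com/geolocation/v1/geolocate"
# Assumption: browsers legitimately call this API on behalf of web pages.
EXPECTED_CALLERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, url = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "process": proc, "method": method, "url": url,
        })
    return events


def count_followup_posts(events, host, proc, window_s=10):
    """Count geolocation calls that are followed within window_s by a POST
    from the same process to some other destination (the C2 report step)."""
    geo = [e["ts"] for e in events
           if e["host"] == host and e["process"] == proc and GEOLOCATE_PATH in e["url"]]
    others = [e["ts"] for e in events
              if e["host"] == host and e["process"] == proc
              and e["method"] == "POST" and GEOLOCATE_PATH not in e["url"]]
    return sum(1 for g in geo if any(0 < (o - g).total_seconds() <= window_s for o in others))


def find_beaconing_geolocation(events, period_s=60, tolerance_s=5, min_calls=3):
    """Flag (host, process) pairs that call the geolocation API at a steady
    cadence close to period_s and are not an expected caller."""
    by_key = defaultdict(list)
    for ev in events:
        if GEOLOCATE_PATH in ev["url"] and ev["process"].lower() not in EXPECTED_CALLERS:
            by_key[(ev["host"], ev["process"])].append(ev["ts"])

    findings = []
    for (host, proc), stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_calls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period_s) <= tolerance_s:
            findings.append({
                "host": host,
                "process": proc,
                "calls": len(stamps),
                "median_gap_s": median(gaps),
                "followup_posts": count_followup_posts(events, host, proc),
            })
    return findings


if __name__ == "__main__":
    for f in find_beaconing_geolocation(parse_log(SAMPLE_LOG)):
        print(f"{f['host']}: {f['process']} called geolocation API {f['calls']}x, "
              f"median gap {f['median_gap_s']:.0f}s, {f['followup_posts']} follow-up POSTs")
```

The cadence check uses the median inter-call gap so a single missed or delayed scan does not hide the pattern, and the follow-up-POST count ties the geolocation lookup to the report step the article describes; in production the same logic would read from the proxy or EDR telemetry rather than the inline sample.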

SecureWorks, which discovered this malware in early August, suggests that the hackers may use the location information to intimidate their victims, making them believe they are being watched and coercing them into complying with the attackers' instructions.

Experts predict that Whiffy Recon will continue to evolve in the future, potentially leading to the release of new versions of the malware with expanded functionality.
