A new variant of malware known as Whiffy Recon is being deployed via the SmokeLoader loader malware on compromised Windows systems. This new strain’s primary function is to conduct geolocation scans every minute by triangulating the infected device’s position through nearby Wi-Fi access points, utilizing Google’s geolocation API for accuracy.

According to the Secureworks Counter Threat Unit (CTU), this functionality feeds the device’s location back to the attackers. “The location provided by the Google Geolocation API is subsequently transmitted back to the threat actor,” a CTU report states. SmokeLoader, itself a loader used to drop additional payloads, has been sold since 2014, primarily to Russian threat actors, who distribute it through phishing campaigns.

Whiffy Recon implements checks for the WLAN AutoConfig service (WLANSVC) on the compromised system, ceasing operations if the service is absent. Interestingly, the malware doesn’t confirm if the service is functioning, which raises questions about its operational effectiveness.

To ensure persistence, Whiffy Recon creates a shortcut in the Windows Startup folder, enabling its reactivation upon system restarts. Don Smith, VP of threat intelligence at Secureworks CTU, voiced apprehension regarding the elusive motivations behind the malware’s geolocation monitoring. He posed critical questions about the specific interests in tracked locations and the unusual frequency of scans every 60 seconds.

This malware communicates with a remote command-and-control (C2) server using a randomly generated “botID” through an HTTP POST request. Upon registration, the server issues a success message along with a unique identifier stored in a local file. The malware subsequently executes its primary scanning operation every minute using the Windows WLAN API, transmitting the acquired data to the C2 server in a JSON format.
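The one-minute cadence described above is itself a detection opportunity, independent of the malware’s hashes or C2 addresses. The script below is an added example, not code from the article or from Secureworks: it parses a constructed proxy-log format (ISO timestamp, source host, HTTP method, URL; the field layout and all hostnames and addresses are assumptions), groups outbound POST requests by source and destination, and flags any stream whose inter-request intervals are nearly constant. Real proxy logs will need their own parser, and the jitter and minimum-event thresholds should be tuned against the environment’s baseline.

```python
"""Beacon-cadence detector for outbound POST requests (added example).

Groups POSTs by (source host, destination host), computes the intervals
between consecutive requests and flags streams whose cadence is nearly
constant, as a periodic C2 check-in would be. Log format, hostnames and
addresses below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "<ISO timestamp> <src_host> <method> <url>".
# ws-017 posts to one address roughly every 60 s (with 1 s jitter);
# ws-042 posts to an intranet form at irregular, human-paced intervals.
SAMPLE_LOG = """\
2023-08-24T10:00:00 ws-017 POST http://203.0.113.10/api/register
2023-08-24T10:00:05 ws-042 POST https://intranet.example.com/forms/submit
2023-08-24T10:00:12 ws-042 POST https://intranet.example.com/forms/submit
2023-08-24T10:00:30 ws-017 GET https://www.example.com/
2023-08-24T10:01:01 ws-017 POST http://203.0.113.10/api/register
2023-08-24T10:02:00 ws-017 POST http://203.0.113.10/api/register
2023-08-24T10:02:59 ws-017 POST http://203.0.113.10/api/register
2023-08-24T10:03:40 ws-042 POST https://intranet.example.com/forms/submit
2023-08-24T10:04:00 ws-017 POST http://203.0.113.10/api/register
2023-08-24T10:04:02 ws-042 POST https://intranet.example.com/forms/submit
2023-08-24T10:05:01 ws-017 POST http://203.0.113.10/api/register
2023-08-24T10:09:50 ws-042 POST https://intranet.example.com/forms/submit
"""


def parse_log(text):
    """Yield (timestamp, src_host, method, dest_host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than fail the run
        ts, src, method, url = parts
        yield datetime.fromisoformat(ts), src, method, urlsplit(url).hostname


def find_beacons(text, min_events=5, max_jitter=0.1):
    """Return {(src, dest): mean_period_seconds} for POST streams with near-constant cadence.

    max_jitter is the coefficient of variation (stdev / mean) of the
    inter-request intervals; streams above it are treated as irregular
    and not reported. min_events guards against flagging short bursts.
    """
    streams = defaultdict(list)
    for ts, src, method, dest in parse_log(text):
        if method == "POST":
            streams[(src, dest)].append(ts)

    beacons = {}
    for key, times in streams.items():
        if len(times) < min_events:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(intervals)
        if period > 0 and pstdev(intervals) / period <= max_jitter:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (src, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dest}: POST every ~{period:.0f}s")
```

On the sample above only the ws-017 stream is reported, with a period of about 60 seconds; the intranet traffic is rejected by the jitter test. In practice this kind of check belongs in a scheduled query over the last hour of proxy or firewall telemetry, with known-periodic software (update checkers, monitoring agents) allow-listed by destination.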

Smith remarked on the atypical nature of such capabilities among criminal actors, noting their lack of immediate commercial application yet indicating potential links to diverse malicious motives. As concerns grow, this development aligns with recent vulnerabilities discovered in other systems, such as the TP-Link Tapo L530E smart bulb, which could allow attackers to capture sensitive user data if within range.

Moreover, the emergence of TunnelCrack, a sophisticated attack technique designed to exploit security flaws in VPN connections, underscores the escalating complexity of cybersecurity threats. By manipulating routing tables, this method enables adversaries to intercept traffic outside secure tunnels, exposing users to potential data breaches.
