In the ever-evolving landscape of cybercrime, a novel threat has emerged in the form of “Whiffy Recon.” This malware, harnessed by the operators of the Smoke Loader botnet, represents a sophisticated fusion of WiFi scanning and Google’s geolocation API.
By leveraging this combination, cybercriminals can meticulously triangulate the positions of compromised devices. This capability holds significant implications, as it empowers attackers to target specific regions or urban areas with greater precision, or even exploit the acquired location data for intimidation purposes.The core of Whiffy Recon’s operation revolves around its exploitation of Google’s geolocation API. This service adeptly transforms WiFi access point information into latitude and longitude coordinates, even for devices devoid of GPS systems.
This enables attackers to not only identify the general vicinity of compromised devices but also potentially intimidate victims by showcasing their tracking capabilities. The accuracy of triangulation, which ranges from 20 to 50 meters and higher, hinges on the density of WiFi access points in a given area.
Upon detecting the presence of the “WLANSVC” service on a Windows system, Whiffy Recon initiates a WiFi scanning loop every minute. This loop accumulates the necessary data, packaging it into HTTPS POST requests containing JSON-formatted WiFi access point details.
This data is then dispatched to Google’s geolocation API, enabling the malware to extract precise coordinates. Subsequently, these coordinates are integrated into comprehensive reports, encompassing geographic position, SSID, encryption method, and more. This information is transmitted to the malware’s command and control server, potentially allowing cybercriminals to track compromised devices nearly in real time.
Secureworks researchers, who unearthed this threat, suggest that hackers might exploit the geolocation data to pressure victims into compliance. This new malware’s usage of version “1” in its initial communication with the command and control server hints at its developmental stage, leaving room for the incorporation of refinements and additional capabilities.
The convergence of WiFi scanning and geolocation services highlights the increasingly sophisticated tactics employed by cybercriminals to extract data and exert control over their victims’ devices.