SmokeLoader Trojan Deploys Location-Tracking Malware
'Whiffy Recon' Uses Wi-Fi Access Points, Google API for Geolocation
A backdoor Trojan known as SmokeLoader is deploying a customized Wi-Fi scanning executable to triangulate the location of infected Windows devices.
The malware, dubbed "Whiffy Recon," uses nearby Wi-Fi access points as a data point for Google's geolocation API.
The malware scans for Wi-Fi access points every 60 seconds and captures geolocation data that could allow threat actors to track the compromised system, according to a report by researchers at cybersecurity firm Secureworks, who uncovered the novel malware on Aug. 8.
"It is unclear how the threat actors use this data. Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands," researchers said.
Google's geolocation API is a service that accepts an HTTPS request with the cell tower and Wi-Fi access points that a mobile client can detect and returns latitude-longitude coordinates.
The malware checks the compromised system for the WLANSVC service, whose presence indicates wireless capability on a Windows system.
"The malware only checks for the service name and does not confirm the service is operational. If the service name does not exist, then the scanner exits. Whiffy Recon persists on the system by creating the wlan.lnk shortcut in the user's Startup folder. This link points to the original location of the downloaded Whiffy Recon malware," according to researchers.
SmokeLoader is the name for a large family of Trojans, around since 2011, that can be used to load malware but also have plugins for information exfiltration. MITRE called the malware "notorious for its use of deception and self-protection."
In July, Ukrainian cyber defenders said a financially motivated threat actor known as UAC-0006 was intensifying efforts to entice users into installing SmokeLoader (see: SmokeLoader Campaign Intensifying, Ukrainian CERT Warns).
The State Service of Special Communications and Information Protection of Ukraine said the malware had the second-highest number of detections domestically during the months of May and June.
Researchers said the malware code runs as two different loops: one registers the bot with the command-and-control server, and the second performs Wi-Fi scanning.
The first looks for a file named %APPDATA%\wlan\str-12.bin in an infected system. It recursively scans the %APPDATA%\Roaming\*.* directory until it locates the
"It is unclear why it searches the entire directory when it creates the file in a specific location," the researchers said.
If the file exists and contains valid parameters, the malware proceeds to the second loop to perform Wi-Fi scanning. If the file does not exist, it registers the infected device with the C2 server via a JSON payload in an HTTPS POST request.
The HTTP headers include an authorization field containing a hard-coded universally unique identifier (UUID). The payload contains three parameters: a randomly generated UUID for the botId that identifies the system, a type set to "COMPUTER" and a version number of "1."
Researchers said that version number indicates plans for further development.
Once the registration is successful, the C2 server responds with a JSON message indicating success. Its "secret" field contains a UUID that is used in place of the hard-coded authorization UUID.
"The botId UUID and the secret UUID are stored in the str-12.bin file, which is dropped in the %APPDATA%\Roaming\wlan folder and used for future POST requests," the researchers said.
Upon identifying the botId and secret key, Whiffy Recon's second loop, which runs every 60 seconds, scans for Wi-Fi access points via the Windows WLAN API.
The results from the scans are mapped to a JSON structure and sent to Google's geolocation API via an HTTPS POST request. The malware code also includes a hard-coded URL that threat actors use to query the API, researchers said.
"These coordinates are then mapped to a more comprehensive JSON structure that contains detailed information about each wireless access point found in the area. This data identifies the encryption methods used by the access points," the researchers said.