Whiffy Recon Malware Uses Wi-Fi to Track Infected Devices’ Locations

Researchers at Secureworks have discovered that the hackers behind the Smoke Loader botnet are using a new malware called Whiffy Recon to triangulate the location of infected devices using Wi-Fi and Google’s Geolocation API.

The Google Geolocation API is a service that accepts HTTPS requests containing information about nearby Wi-Fi access points and returns latitude and longitude data, allowing the location of devices without built-in GPS to be determined. Depending on the number of available Wi-Fi points, the accuracy of Google’s triangulation can range from 20 to 50 meters, though this can vary in less densely populated areas.

Smoke Loader has been around for several years and is a modular dropper, mainly used in the early stages of an attack to deliver additional payloads. Experts believe that Whiffy Recon’s ability to determine a victim’s location could help attackers focus their efforts on specific regions or even city districts. It’s also possible that the collected information could be used to intimidate victims by demonstrating the hackers’ ability to track their whereabouts.

How Whiffy Recon Works

First, the malware checks for the existence of the WLANSVC service. If it doesn’t find this service, the malware registers itself with its command-and-control server and skips the scanning phase.

On Windows systems where this service is present, Whiffy Recon starts a scanning loop that runs every minute. It uses the Windows WLAN API to gather the necessary data and sends HTTPS POST requests with information about Wi-Fi access points in JSON format to Google’s Geolocation API.

Using the coordinates returned by Google, the malware compiles a full report on the access points, including their geographic location, encryption method, and SSID, and sends this information to its command-and-control server as a JSON POST request.

Because scans are performed every 60 seconds, attackers can track the infected device almost in real time.
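The cadence described above is itself a detection opportunity: a process that is not a browser posting to the Geolocation API once a minute stands out in proxy or EDR network telemetry. The following Python script is an added example written for this page, not code from the Secureworks write-up or from the malware; it assumes a constructed log format of "timestamp host process method url", a constructed browser allowlist and invented process names, and uses the documented public endpoint of the Google Geolocation API (the article names the API but not its URL).

```python
"""Flag periodic Wi-Fi geolocation lookups in network logs.

A (host, process) pair is reported when a non-browser process POSTs to the
Google Geolocation API at a steady cadence close to 60 seconds, the behaviour
attributed to Whiffy Recon above. Log format, hostnames and process names are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Documented endpoint of the Google Geolocation API; the query string (API key) is ignored.
GEOLOCATE_URL = "https://www.googleapis.com/geolocation/v1/geolocate"

# Processes expected to call the API legitimately. Constructed allowlist; tune for your fleet.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed line layout: ISO timestamp, host, process image, HTTP method, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)

# Constructed sample telemetry (not real data). hostA shows a ~60 s beacon from an
# unknown process, hostB a single browser call, hostC irregular non-beacon traffic.
SAMPLE_LOG = """\
2023-08-24T10:00:00 hostA updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:01:01 hostA updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:02:00 hostA updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:02:59 hostA updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:04:00 hostA updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:00:30 hostB chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:03:30 hostB chrome.exe GET https://www.google.com/
2023-08-24T10:00:00 hostC sync.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:00:05 hostC sync.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-24T10:07:00 hostC sync.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""


def parse_log(text):
    """Yield (timestamp, host, process, method, url) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["host"], m["proc"], m["method"], m["url"])


def find_beacons(text, expected_period=60.0, tolerance=10.0, min_hits=3):
    """Return one finding per (host, process) whose geolocation POSTs recur at
    roughly expected_period seconds (median gap within tolerance) and which is
    not an allowlisted browser. Fewer than min_hits requests are never flagged."""
    hits = defaultdict(list)
    for ts, host, proc, method, url in parse_log(text):
        if method == "POST" and url.split("?", 1)[0] == GEOLOCATE_URL:
            hits[(host, proc)].append(ts)

    findings = []
    for (host, proc), times in hits.items():
        if proc.lower() in BROWSER_ALLOWLIST or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)  # median tolerates the odd delayed or missed scan
        if abs(period - expected_period) <= tolerance:
            findings.append(
                {"host": host, "process": proc, "hits": len(times), "median_interval_s": period}
            )
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(
            f"ALERT {f['host']} {f['process']}: {f['hits']} geolocation POSTs, "
            f"median interval {f['median_interval_s']:.0f}s"
        )
```

Using the median gap rather than the mean keeps a single long pause (a laptop sleeping, a dropped log line) from hiding an otherwise regular beacon, and the allowlist removes the one common benign caller of this endpoint; in practice you would also pivot on the process to look for the follow-on JSON POST to an unfamiliar host that the article describes as the report to the command-and-control server.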

“With the discovery of Whiffy Recon, we are concerned about the unclear motivation behind its operation. Who is interested in tracking the location of an infected device in real time, and why? The scan frequency of every 60 seconds is also unusual—why update the data every minute? With this information, an attacker can build a picture of the device’s geolocation by matching digital data with physical locations,” Secureworks researchers note. “Such methods are rarely used by criminals. This functionality doesn’t offer quick monetization opportunities. The uncertainty is troubling.”
