'Whiffy Recon' Malware Transmits Device Location Every 60 Seconds

Researchers have uncovered the "Whiffy Recon" malware being deployed by the SmokeLoader botnet, which is a customized Wi-Fi scanning executable for Windows systems that tracks the physical locations of victims.

Whiffy Recon takes its name from the pronunciation of Wi-Fi used in many European countries and Russia ("wiffy" instead of the American "why fie"). It seeks out Wi-Fi cards or dongles on compromised systems, and then scans for nearby Wi-Fi access points (APs) every 60 seconds, according to a report this week from Secureworks Counter Threat Unit.

It then triangulates the infected system's position by feeding the AP data into Google's geolocation API, and it then sends the location data back to an unknown adversary.

Geolocation Data for Follow-on Attacks

Rafe Pilling, director of threat research for the Secureworks Counter Threat Unit, says that while there is a 60-second scanning interval for APs, it is unclear whether each location is being stored or if it's just most recent position transmitted.

"It is possible that a worker carrying a laptop with Whiffy Recon on it can be mapped traveling between home and business locations," he says.

Drew Schmitt, lead analyst on GuidePoint Security Research and Intelligence Team (GRIT), says that insights into the movements of individuals may establish patterns in behavior or locations which may allow for more specific targeting to occur.

"It could be used for tracking individuals belonging to a specific organization, government, or other entity," he says. "Attackers could selectively deploy malware when the infected system is physically located in a sensitive location or at specific times that would give them a high probability of operational success and high impact."

Shawn Surber, senior director of technical account management at Tanium, points out the report does not specify a particular industry or sector as the primary target, but he adds, "such data could be valuable for espionage, surveillance, or physical targeting."

He adds that this could indicate that state-sponsored or state-affiliated entities that engage in prolonged cyber-espionage campaigns are behind the campaign. For instance, Iran's APT35 in a recent campaign carried out location reconnaissance of Israeli media targets, possibly in service to potential physical attacks according to researchers at the time.

"Several APT groups are known for their interests in espionage, surveillance, and physical targeting, often driven by the political, economic, or military objectives of the nations they represent," he explains.

SmokeLoader: An Attribution Smokescreen

The infection routine starts with social engineering emails that carry a malicious zip archive. That turns out to be a polyglot file containing both a decoy document and a JavaScript file.

The JavaScript code is then used to execute the SmokeLoader malware, which, in addition to dropping malware onto an infected machine, registers the endpoint with a command-and-control (C2) server and adds it as a node within the SmokeLoader botnet.

As a result, SmokeLoader infections are persistent and can lurk unused on unwitting endpoints until a group has malware they want to deploy. Various threat actors buy access to the botnet, so the same SmokeLoader infection can be used in a wide array of campaigns.

"It is common for us to observe multiple malware strains being delivered to a single SmokeLoader infection," Pilling explains. "SmokeLoader is indiscriminate and traditionally used and operated by financially motivated cybercriminals."

Schmitt points out that given its as-a-service nature, it's hard to tell who is ultimately behind any given cyber campaign that uses SmokeLoader as an initial access tool.

"Depending on the loader, there could be up to 10 or 20 different payloads that could be selectively delivered to infected systems, some of which are related to ransomware and e-crime attacks while others have varying motivations," he says.

Since SmokeLoader infections are indiscriminate, the use of Whiffy Recon to gather geolocation data may be an effort to narrow and define targets for more surgical follow-on activity.

"As this attack sequence continues to unfold," Schmitt says, "it will be interesting to see how Whiffy Recon is used as a part of a larger post-exploitation chain."