Location Malware

The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines.

"The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit (CTU) said in a statement shared with The Hacker News. "The location returned by Google's Geolocation API is then sent back to the adversary."

SmokeLoader, as the name implies, is a loader malware whose sole purpose is to drop additional payloads onto a host. Since 2014, the malware has been offered for sale to Russian-based threat actors. It's traditionally distributed via phishing emails.


Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. It's worth noting that the scanner does not validate if it's operational.

Persistence is achieved by means of a shortcut that's added to the Windows Startup folder.

Location Malware

"What is concerning about our discovery of Whiffy Recon is the motivation for its operation is unclear," Don Smith, VP of threat intelligence at Secureworks CTU, said.

"Who, or what, is interested in the actual location of an infected device? The regularity of the scan at every 60 seconds is unusual, why update every minute? With this type of data a threat actor could form a picture of the geolocation of a device, mapping the digital to the physical."

The malware is also configured to register with a remote command-and-control (C2) server by passing along a randomly generated "botID" in an HTTP POST request, following which the server responds with a success message and a secret unique identifier that's subsequently saved in a file named "%APPDATA%\Roaming\wlan\str-12.bin."

The second phase of the attack involves scanning for Wi-Fi access points via the Windows WLAN API every 60 seconds. The results of the scan are forwarded to the Google Geolocation API to triangulate the system's whereabouts and ultimately transmit that information to the C2 server in the form of a JSON string.

"This kind of activity/capability is very rarely used by criminal actors," Smith added. "As a standalone capability it lacks the ability to quickly monetise. The unknowns here are worrying and the reality is that it could be used to support any number of nefarious motivations."

The development comes as multiple security issues have been disclosed in the TP-Link Tapo L530E smart bulb that could be exploited by malicious actors to retrieve user passwords, manipulate the devices, and even steal a victim's Wi-Fi SSID and password should the attacker be within the range of the smart bulb. TP-Link has released new firmware to address the issues.

It also follows the discovery of a new attack technique dubbed TunnelCrack, which leverages two security issues named LocalNet and ServerIP, to leak traffic outside a protected VPN tunnel when connecting to an untrusted Wi-Fi network or a rogue ISP, thereby exposing users to adversary-in-the-middle (AitM) scenarios.

"The attacks manipulate the victim's routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic," a group of researchers from KU Leuven, NYU, and NYU Abu Dhabi said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.