Whiffy Recon Malware: New Threat Analysis and Insights

Cyber Security Threat Summary:
Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code uses nearby Wi-Fi access points as reference points for Google's Geolocation API to triangulate the positions of infected systems. The scan results are structured as JSON data and sent via an HTTPS POST request to Google's Geolocation API, yielding coordinates that are further detailed with information about the encryption methods used by the identified access points. The malware's functionality is divided into two loops: one registers the bot with the C2 server, while the other scans Wi-Fi access points using the Windows WLAN API, repeating every 60 seconds (BleepingComputer).
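The 60-second scan-and-submit loop described above gives defenders a detectable cadence in web proxy logs. The following is an added example (not code from the page or from the researchers) that flags hosts POSTing to the public Google Geolocation API endpoint at a steady ~60 s interval; the log lines, host names and line format are constructed for illustration.

```python
"""Flag Whiffy Recon-style periodic POSTs to the Google Geolocation API."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not real telemetry): timestamp host method url
SAMPLE_LOG = """\
2023-08-24T10:00:00Z WS-017 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:00:07Z WS-042 GET https://example.org/index.html
2023-08-24T10:01:00Z WS-017 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:00Z WS-017 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:31Z WS-042 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:00Z WS-017 POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:04:01Z WS-017 POST https://www.googleapis.com/geolocation/v1/geolocate
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
GEO_PATH = "googleapis.com/geolocation/"  # public Google Geolocation API path


def parse(log_text):
    """Yield (timestamp, host, method, url) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def find_geolocation_beacons(log_text, period=60, tolerance=5, min_hits=4):
    """Return {host: median_gap_seconds} for hosts whose geolocation POSTs
    recur at a cadence within `tolerance` seconds of `period` (60 s here,
    matching the scan loop interval reported for Whiffy Recon)."""
    posts = defaultdict(list)
    for ts, host, method, url in parse(log_text):
        if method == "POST" and GEO_PATH in url:
            posts[host].append(ts)
    flagged = {}
    for host, times in posts.items():
        if len(times) < min_hits:
            continue  # a single legitimate lookup is not a beacon
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged[host] = median(gaps)
    return flagged


if __name__ == "__main__":
    for host, gap in find_geolocation_beacons(SAMPLE_LOG).items():
        print(f"{host}: geolocation POSTs every ~{gap:.0f}s")
```

A browser or a location-aware application may also call this endpoint, so treat a hit as a lead to correlate with the originating process and the Startup-folder persistence noted below, not as a verdict on its own.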

Security Officer Comments:
The malware establishes persistence by creating a wlan.lnk shortcut in the user's Startup folder. The malware's purpose and the motivations of its operators remain unclear. The real-world implications could involve tracking compromised systems, possibly for intimidation or coercive purposes: “Because the Wi-Fi scanning occurs every 60 seconds and is enriched with geolocation data, it could allow the threat actors to track the compromised system. It is unclear how the threat actors use this data. Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands.”

Suggested Correction(s):
Mitigating botnets requires a multi-layered approach that combines proactive measures to prevent infections, ongoing monitoring to detect and respond to botnet activity, and swift remediation strategies.

Link(s):
https://securityaffairs.com/149854/malware/whiffy-recon-malware.html