Whiffy Recon Malware Transmits Device Location Every 60 Seconds

Published: 23/11/2024   Category: security




Deployed by the infamous SmokeLoader botnet, the location-tracking malware could be used for a host of follow-on cyberattacks or even physical targeting.



Researchers have uncovered the Whiffy Recon malware being deployed by the SmokeLoader botnet. Whiffy Recon is a customized Wi-Fi scanning executable for Windows systems that tracks the physical locations of victims.
Whiffy Recon takes its name from the pronunciation of Wi-Fi used in many European countries and Russia ("wiffy" rather than the American "why-fie"). It looks for Wi-Fi cards or dongles on compromised systems and then scans for nearby Wi-Fi access points (APs) every 60 seconds, according to a report this week from the Secureworks Counter Threat Unit.
It then triangulates the infected system's position by feeding the AP data into Google's geolocation API, and sends the resulting location data back to an unknown adversary.
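The fixed 60-second cadence and the dependency on Google's geolocation API give defenders something to hunt for in egress logs. The following detection logic is an added example, not code from the report or from Secureworks; it assumes the public endpoint https://www.googleapis.com/geolocation/v1/geolocate as the lookup target, and the log lines, process names (sample_scanner.exe, updater.exe) and log format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed public geolocation endpoint; the report names the API but not the URL.
GEOLOCATE_URL = "https://www.googleapis.com/geolocation/v1/geolocate"
EXPECTED_INTERVAL = 60.0   # seconds, the scan cadence the report attributes to Whiffy Recon
TOLERANCE = 10.0           # accept median gaps between 50 s and 70 s
MIN_HITS = 3               # at least two gaps before calling a process periodic

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # "<ISO timestamp> <process> <url>"

def parse_log(text):
    """Return {process: [datetime, ...]} for requests that hit the geolocation endpoint."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        ts, proc, url = m.groups()
        if url == GEOLOCATE_URL:
            hits[proc].append(datetime.fromisoformat(ts))
    return hits

def find_periodic_geolocation_beacons(text):
    """Flag processes whose geolocation lookups recur at roughly EXPECTED_INTERVAL.

    Returns {process: median_gap_seconds}. Lines may arrive out of order, so the
    timestamps are sorted per process before the gaps are computed; the median
    tolerates the odd jittered or missed scan.
    """
    flagged = {}
    for proc, times in parse_log(text).items():
        if len(times) < MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - EXPECTED_INTERVAL) <= TOLERANCE:
            flagged[proc] = med
    return flagged

# Constructed sample proxy log (not from the report). sample_scanner.exe mimics the
# 60-second pattern; updater.exe hits the same endpoint but irregularly.
SAMPLE_LOG = """\
2024-11-23T10:00:00 chrome.exe https://www.google.com/search
2024-11-23T10:00:05 sample_scanner.exe https://www.googleapis.com/geolocation/v1/geolocate
2024-11-23T10:00:10 updater.exe https://www.googleapis.com/geolocation/v1/geolocate
2024-11-23T10:01:05 sample_scanner.exe https://www.googleapis.com/geolocation/v1/geolocate
2024-11-23T10:02:04 sample_scanner.exe https://www.googleapis.com/geolocation/v1/geolocate
2024-11-23T10:05:10 updater.exe https://www.googleapis.com/geolocation/v1/geolocate
2024-11-23T10:03:06 sample_scanner.exe https://www.googleapis.com/geolocation/v1/geolocate
2024-11-23T10:30:10 updater.exe https://www.googleapis.com/geolocation/v1/geolocate
"""

if __name__ == "__main__":
    for proc, gap in find_periodic_geolocation_beacons(SAMPLE_LOG).items():
        print(f"{proc}: geolocation lookups every ~{gap:.0f}s, matches the Whiffy Recon cadence")
```

In production the same check would run over proxy or EDR network telemetry keyed by process, where a non-browser binary polling a geolocation API on a tight timer is the signal worth triaging.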
Rafe Pilling, director of threat research for the Secureworks Counter Threat Unit, says that while APs are scanned at a 60-second interval, it is unclear whether each location is being stored or whether only the most recent position is transmitted.
"It is possible that a worker carrying a laptop with Whiffy Recon on it can be mapped traveling between home and business locations," he says.
Drew Schmitt, lead analyst on the GuidePoint Security Research and Intelligence Team (GRIT), says that insights into the movements of individuals may establish patterns in behavior or locations, which may allow for more specific targeting to occur.
"It could be used for tracking individuals belonging to a specific organization, government, or other entity," he says. "Attackers could selectively deploy malware when the infected system is physically located in a sensitive location or at specific times that would give them a high probability of operational success and high impact."
Shawn Surber, senior director of technical account management at Tanium, points out that the report does not specify a particular industry or sector as the primary target, but he adds that such data could be valuable for espionage, surveillance, or physical targeting.
He adds that this could indicate that state-sponsored or state-affiliated entities that engage in prolonged cyber-espionage campaigns are behind the campaign. For instance, Iran's APT35 in a recent campaign carried out location reconnaissance of Israeli media targets, possibly in service of potential physical attacks, according to researchers at the time.
"Several APT groups are known for their interests in espionage, surveillance, and physical targeting, often driven by the political, economic, or military objectives of the nations they represent," he explains.
The infection routine starts with social-engineering emails that carry a malicious ZIP archive, which turns out to be a polyglot file containing both a decoy document and a JavaScript file.
The JavaScript code is then used to execute the SmokeLoader malware, which, in addition to dropping malware onto the infected machine, registers the endpoint with a command-and-control (C2) server and adds it as a node within the SmokeLoader botnet.
As a result, SmokeLoader infections are persistent and can lurk unused on unwitting endpoints until a group has malware it wants to deploy. Various threat actors buy access to the botnet, so the same SmokeLoader infection can be used in a wide array of campaigns.
"It is common for us to observe multiple malware strains being delivered to a single SmokeLoader infection," Pilling explains. "SmokeLoader is indiscriminate and traditionally used and operated by financially motivated cybercriminals."
Schmitt points out that, given its as-a-service nature, it's hard to tell who is ultimately behind any given cyber campaign that uses SmokeLoader as an initial access tool.
"Depending on the loader, there could be up to 10 or 20 different payloads that could be selectively delivered to infected systems, some of which are related to ransomware and e-crime attacks while others have varying motivations," he says.
Since SmokeLoader infections are indiscriminate, the use of Whiffy Recon to gather geolocation data may be an effort to narrow and define targets for more surgical follow-on activity.
As this attack sequence continues to unfold, Schmitt says, it will be interesting to see how Whiffy Recon is used as a part of a larger post-exploitation chain.
