‘Whiffy Recon’ Malware Transmits Device Location Every 60 Seconds
August 25, 2023 – Published on Dark Reading
Researchers have uncovered “Whiffy Recon,” malware being deployed by the SmokeLoader botnet. It is a customized Wi-Fi scanning executable for Windows systems that tracks the physical locations of victims.
Whiffy Recon takes its name from the pronunciation of Wi-Fi used in many European countries and Russia (“wiffy” instead of the American “why fie”). It seeks out Wi-Fi cards or dongles on compromised systems, then scans for nearby Wi-Fi access points (APs) every 60 seconds. It triangulates the infected system’s position by feeding the AP data into Google’s geolocation API, then sends the location data back to an unknown adversary.
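For defenders, the fixed 60-second cadence of those geolocation lookups is a usable network signal. The following is an added example, not code from the article or the researchers: it flags hosts whose requests to Google's geolocation endpoint recur at roughly one-minute intervals. The proxy log format, hostnames and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Google Geolocation API endpoint; browsers and other apps also call it, so
# the signal here is the fixed 60-second cadence, not the destination alone.
GEO_HOST, GEO_PATH = "www.googleapis.com", "/geolocation/v1/geolocate"

# Constructed sample in a hypothetical proxy format: "<ISO time> <host> <method> <url>".
# Assumes the proxy records full URLs (TLS inspection); hostnames are made up.
GEO_URL = f"https://{GEO_HOST}{GEO_PATH}?key=REDACTED"
SAMPLE_LOG = "\n".join([
    f"2023-08-25T10:00:00 WS-014 POST {GEO_URL}",
    f"2023-08-25T10:00:10 LAPTOP-22 POST {GEO_URL}",
    f"2023-08-25T10:01:01 WS-014 POST {GEO_URL}",
    "2023-08-25T10:01:30 WS-014 GET https://example.com/index.html",
    f"2023-08-25T10:02:00 WS-014 POST {GEO_URL}",
    f"2023-08-25T10:03:02 WS-014 POST {GEO_URL}",
    f"2023-08-25T10:04:01 WS-014 POST {GEO_URL}",
    f"2023-08-25T10:05:01 WS-014 POST {GEO_URL}",
    f"2023-08-25T10:47:30 LAPTOP-22 POST {GEO_URL}",
])

def find_periodic_geolocators(log_text, period=60, tolerance=5, min_hits=5):
    """Return {host: median gap in seconds} for hosts polling the API every ~period s."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        ts, host, method, url = fields
        target = urlsplit(url)
        if method == "POST" and target.hostname == GEO_HOST and target.path == GEO_PATH:
            hits[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # The median gap tolerates a little jitter or one missed scan interval.
        if len(times) >= min_hits and abs(median(gaps) - period) <= tolerance:
            flagged[host] = median(gaps)
    return flagged

if __name__ == "__main__":
    for host, gap in find_periodic_geolocators(SAMPLE_LOG).items():
        print(f"{host}: geolocation lookup every ~{gap:.0f}s")
```

On the constructed sample only WS-014 is flagged; LAPTOP-22 makes two widely spaced lookups, the pattern an occasional browser location request would produce.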
Drew Schmitt, lead analyst on GuidePoint Security Research and Intelligence Team (GRIT), says that insights into the movements of individuals may establish patterns in behavior or locations, which may allow for more specific targeting.
“It could be used for tracking individuals belonging to a specific organization, government, or other entity,” he says. “Attackers could selectively deploy malware when the infected system is physically located in a sensitive location or at specific times that would give them a high probability of operational success and high impact.”