Hackers figure out your computer’s location via malware Whiffy Recon

Hackers can accurately determine your location with the new malware Whiffy Recon. The data can potentially be used as leverage to pressure victims into complying with the hackers’ demands.

The new malware Whiffy Recon searches for a computer’s location. Researchers from Secureworks first encountered the malware in the Smoke Loader botnet.

Malware for botnets

The malware was developed for computers that are already infected. The set of devices infected by the same malware family is also called a botnet. As a user, you have no way of finding out whether the devices in your possession are part of such a botnet.

Authorities recently succeeded in dismantling the largest global botnet, ‘Qakbot’. As a result of that operation, about 700,000 computers are no longer exposed to the new malware Whiffy Recon.

Through other botnets, however, the malware can still do damage, and it already appears to be doing so via Smoke Loader. In that malware, the initial infection happens through a phishing message containing a malicious zip file.

Google Geolocation API helps

The malware currently only targets Windows devices. The operating system includes the Wireless AutoConfig Service (WLANSVC), which hackers can abuse to reach nearby routers via Wi-Fi. The malware first uses WLANSVC to verify whether the infected device has a Wi-Fi adapter; once that is confirmed, it scans for Wi-Fi routers every minute.

With the data obtained from the scan, the hackers can find out the exact location of the infected device. To do this, they upload the data to the Google Geolocation API. This service accurately determines a location from a combination of nearby Wi-Fi access points and mobile network (cell) towers.

Threat and entry search

By repeating the scan every minute, the malware effectively functions as a tracker. Moving an infected work device from the office to home, for example, will give hackers both your work and home address if the device sees a Wi-Fi router in both places.
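The behaviour described above (a non-browser process querying the Google Geolocation API at roughly one-minute intervals) leaves a recognisable pattern in outbound proxy logs. The following detection sketch is an added example, not code from the article or from Secureworks’ report; the proxy log format, host names, process names and timestamps are constructed for illustration, and only the public Geolocation API endpoint is real.

```python
"""Flag hosts whose proxy traffic shows Whiffy Recon-style geolocation
beaconing: repeated POSTs to the Google Geolocation API at ~60 s spacing
from a process that is not a browser. Log format and values are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Public endpoint of the Google Geolocation API (real); the malware's actual
# C2 indicators are not reproduced here.
GEOLOCATE_URL = "www.googleapis.com/geolocation/v1/geolocate"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimate callers

# Constructed proxy log: "<ISO timestamp> <host> <process> <method> <url>"
SAMPLE_LOG = """\
2023-08-28T09:00:02 WS-0142 chrome.exe POST www.googleapis.com/geolocation/v1/geolocate
2023-08-28T09:00:10 WS-0142 svchost.exe GET www.msftconnecttest.com/connecttest.txt
2023-08-28T09:00:30 WS-0217 wlan_helper.exe POST www.googleapis.com/geolocation/v1/geolocate
2023-08-28T09:01:31 WS-0217 wlan_helper.exe POST www.googleapis.com/geolocation/v1/geolocate
2023-08-28T09:02:29 WS-0217 wlan_helper.exe POST www.googleapis.com/geolocation/v1/geolocate
2023-08-28T09:03:30 WS-0217 wlan_helper.exe POST www.googleapis.com/geolocation/v1/geolocate
2023-08-28T09:04:31 WS-0217 wlan_helper.exe POST www.googleapis.com/geolocation/v1/geolocate
2023-08-28T09:05:00 WS-0305 msedge.exe POST www.googleapis.com/geolocation/v1/geolocate
"""


def parse(log_text):
    """Yield (timestamp, host, process, url) for each constructed log line."""
    for line in log_text.splitlines():
        ts, host, proc, _method, url = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), url


def find_geolocation_beacons(log_text, min_hits=4, period_s=60, tolerance_s=10):
    """Return {(host, process): median_interval_s} for non-browser processes
    that hit the Geolocation API >= min_hits times at roughly period_s spacing."""
    hits = defaultdict(list)
    for ts, host, proc, url in parse(log_text):
        if GEOLOCATE_URL in url and proc not in BROWSERS:
            hits[(host, proc)].append(ts)
    suspects = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it a beacon
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval = median(gaps)  # median tolerates a few jittered samples
        if abs(interval - period_s) <= tolerance_s:
            suspects[key] = interval
    return suspects
```

On the constructed sample, only WS-0217 is flagged: the browser calls on WS-0142 and WS-0305 are excluded by process name, and the periodic ~61 s cadence of `wlan_helper.exe` matches the once-a-minute scan described in the article.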

“Demonstrating access to geolocation information can be used to intimidate victims or pressure them to comply with demands,” the researchers state. A threatening message from a hacker is indeed far more intimidating if the hacker appears to know the victim’s home or work address. This is one possible motive, but the researchers say they do not have enough information to explain why the data is being collected.

It is also possible that hackers use the data to spread malware in convenient locations. If an infected device turns out to be located at a workplace, for example, hackers have a better chance of penetrating company systems.

Limit the malware’s access

As a company, you can protect employees by blocking the IP address of Whiffy Recon’s C2 server, as well as the URL the hackers use to remove the malware. Both are disclosed in Secureworks’ research report.

The hackers appear to be actively developing the malware, with a view to deploying it through other botnets later. Whiffy Recon lets them track infected devices in order to send more targeted threatening or phishing messages, or to look for opportunities to spread further malware. For hackers it is an attractive tool, because it can be rolled out quickly to devices they already control.