The malware authors use the WiFi AP MAC address (aka BSSID) to geo-locate the systems they have infected.
Malware operators who want to know the location of their victims usually rely on a simple technique to determine the infected system’s location. They simply grab the victim’s IP address and check it against an IP-to-geo database to get a victim’s approximate geographical location.
By checking the public IP address used by the victim, an attacker can thus avoid infecting friendlies or security services that could pose a threat to their activities.
Why does location matter?
For example, a malefactor might avoid infecting addresses from their own country, or they could avoid the IPs that belong to a security vendor. By the same token, an attacker might specifically target computers located in a specific country, or target IPs belonging to a targeted organization.
This IP-to-geo database technique isn’t very accurate. That said, it has been the most reliable method of determining a user’s actual physical location based on data found on their computer. Until now.
Increasing accuracy through layered geo-location methods
Xavier Mertens, a security researcher with the SANS Internet Storm Center, unveiled a discovery in a blog post last month. In the post, Mertens said he had discovered a new malware strain that is using a second technique on top of the IP-to-Geo database lookup.
The new technique is based on identifying the infected system’s BSSID (Basic Service Set Identifier). The BSSID is the MAC-based physical address of the wireless router or access point through which the user is connecting to the Internet via WiFi.
Mertens found a piece of malware that was using a series of services to identify the MAC address of the default gateway for a targeted system. The first service was icanhazip.com, which helps the attacker grab the victim’s public IP address.
The second service was api.mylnikov.org. This free service provides geolocation data for WiFi MAC addresses (or BSSIDs), which is also useful for pinpointing the victim’s location. The malware submits the MAC address of the default gateway or the BSSID (the MAC address of the wireless access point).
Using the two-step geolocation technique will give malware authors a more accurate idea of where their victims are physically located.
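From a defender's side, the two-step technique described above leaves a recognisable trace in outbound web traffic: a request to a public-IP service (icanhazip.com) followed shortly by a request to a BSSID-geolocation service (api.mylnikov.org) carrying a MAC-address-like token. The following Python script is an added example, not code from the article or from the malware Mertens analysed; it runs over a few constructed proxy log lines (the log format and the exact query path are assumptions for the sample, the detector keys only on the hostnames named in the article and on any MAC-shaped token in the URL) and flags each BSSID lookup, noting whether it was preceded by a public-IP lookup from the same client within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames the article names as the two lookup services used by the malware.
PUBLIC_IP_SERVICES = {"icanhazip.com"}
BSSID_GEO_SERVICES = {"api.mylnikov.org"}

# A MAC address / BSSID: six hex octets separated by ':' or '-'.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:])((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})(?![0-9A-Fa-f:])"
)

# Assumed (constructed) proxy log format: "<ISO timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    # Strip scheme, then keep only the host part (drop path, query and port).
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0].lower()
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host, "url": url}


def find_bssid_geolocation_lookups(lines, window=timedelta(minutes=10)):
    """Return one finding per BSSID-geolocation lookup, sorted by time.

    Each finding records the client, the timestamp, any BSSID found in the URL
    (normalised to lowercase, colon-separated), and whether the same client
    queried a public-IP service within `window` beforehand (the article's
    two-step pattern).
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in PUBLIC_IP_SERVICES:
            events[rec["client"]].append(("ip", rec))
        elif rec["host"] in BSSID_GEO_SERVICES:
            events[rec["client"]].append(("bssid", rec))

    findings = []
    for client, evs in events.items():
        ip_times = [r["ts"] for kind, r in evs if kind == "ip"]
        for kind, rec in evs:
            if kind != "bssid":
                continue
            two_step = any(timedelta(0) <= (rec["ts"] - t) <= window for t in ip_times)
            macs = MAC_RE.findall(rec["url"])
            bssid = macs[0].lower().replace("-", ":") if macs else None
            findings.append({
                "client": client,
                "ts": rec["ts"].isoformat(),
                "bssid": bssid,
                "preceded_by_public_ip_lookup": two_step,
            })
    findings.sort(key=lambda f: f["ts"])
    return findings


# Constructed sample log lines (not real traffic); the query path is an assumption.
SAMPLE_LOG = """
2020-11-03T10:00:01 10.0.0.5 GET http://icanhazip.com/
2020-11-03T10:00:04 10.0.0.5 GET http://api.mylnikov.org/geolocation/wifi?bssid=00:11:22:33:44:55
2020-11-03T10:05:00 10.0.0.7 GET http://api.mylnikov.org/geolocation/wifi?bssid=AA-BB-CC-DD-EE-FF
2020-11-03T11:30:00 10.0.0.9 GET http://icanhazip.com/
2020-11-03T11:30:02 10.0.0.9 GET https://www.example.com/index.html
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_bssid_geolocation_lookups(SAMPLE_LOG):
        print(finding)
```

The single-client, ordered pairing matters: a lone request to icanhazip.com is common from legitimate tooling, while a BSSID submitted to a WiFi-geolocation service from the same host moments later is the signature worth alerting on. The detector still reports BSSID lookups that lack the first step, since the article notes the malware may submit the default gateway's MAC without relying on the IP step.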