The operators of the Smoke Loader botnet have introduced a fresh strain of malware named Whiffy Recon, which leverages WiFi scanning and Google’s geolocation API to triangulate the positions of compromised devices. Google’s geolocation API is a service that processes HTTPS requests containing WiFi access point details to provide latitude and longitude coordinates for devices lacking GPS capabilities.
Smoke Loader, a modular malware dropper with a history spanning several years, is primarily used in the initial compromise stage to deliver additional payloads. The accuracy of triangulation through Google’s geolocation API depends on the density of nearby WiFi access points: in built-up areas it is typically 20 to 50 metres (65 to 165 feet) or less, while in less populated areas with fewer access points the fix is coarser.
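Because the geolocation lookup described above rides on an ordinary HTTPS POST to a well-known Google endpoint, a defender's first practical check is to see which processes on an endpoint are calling it. The following is an added example, not code from the article or from Secureworks: a small detection routine run over constructed proxy-log lines (timestamp, hostname, process name, method, URL). It uses the real Geolocation API endpoint, `https://www.googleapis.com/geolocation/v1/geolocate`, flags POSTs to it from any process not on a browser allowlist, and counts repeated calls per host and process, since a non-browser process calling the endpoint again and again is a stronger signal than a single request. The log format, the process names and the `DEFAULT_ALLOWED` allowlist are assumptions for illustration.

```python
"""Flag non-browser processes that POST to Google's Geolocation API.

Added example; the proxy-log format and sample lines below are constructed,
not taken from the article.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Real public endpoint of Google's Geolocation API: a POST carrying nearby
# WiFi access point details returns latitude/longitude (as the article describes).
GEOLOCATION_HOST = "www.googleapis.com"
GEOLOCATION_PATH = "/geolocation/v1/geolocate"

# Processes expected to call the endpoint in a typical fleet (assumption:
# tune this allowlist to your own environment).
DEFAULT_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    process: str
    url: str


def parse_line(line):
    """Parse one constructed log line: '<ts> <host> <process> <method> <url>'.

    Returns None for lines that do not match the expected five-field shape.
    """
    parts = line.strip().split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, process, method, url = parts
    return {"ts": ts, "host": host, "process": process, "method": method, "url": url}


def is_geolocation_request(url):
    """True when the URL targets the Geolocation API endpoint over HTTPS."""
    parsed = urlsplit(url)
    return (
        parsed.scheme == "https"
        and parsed.netloc.lower() == GEOLOCATION_HOST
        and parsed.path == GEOLOCATION_PATH
    )


def detect_geolocation_beacons(lines, allowed=DEFAULT_ALLOWED):
    """Return an Alert for every POST to the endpoint from a non-allowlisted process."""
    allowed_lower = {p.lower() for p in allowed}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # malformed lines and non-POST traffic are ignored
        if not is_geolocation_request(rec["url"]):
            continue
        if rec["process"].lower() in allowed_lower:
            continue  # browsers legitimately use the API for location services
        alerts.append(Alert(rec["ts"], rec["host"], rec["process"], rec["url"]))
    return alerts


def beacon_counts(alerts):
    """Count alerts per (host, process); repeated calls from one process matter most."""
    return Counter((a.host, a.process) for a in alerts)


# Constructed sample log; process names and hosts are invented for the example.
SAMPLE_LOG = [
    "2023-08-08T10:00:01Z WS-17 chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED",
    "2023-08-08T10:00:05Z WS-17 unknown-updater.exe GET https://example.invalid/check",
    "2023-08-08T10:01:00Z WS-17 unknown-updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED",
    "2023-08-08T10:02:00Z WS-17 unknown-updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED",
    "2023-08-08T10:02:30Z WS-22 msedge.exe POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED",
    "malformed line",
]

if __name__ == "__main__":
    found = detect_geolocation_beacons(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.timestamp} {alert.host} {alert.process} -> {alert.url}")
    for (host, proc), n in beacon_counts(found).items():
        print(f"{host}: {proc} called the geolocation endpoint {n} times")
```

On the constructed log this yields two alerts, both for `unknown-updater.exe` on `WS-17`; the browser requests are suppressed by the allowlist and the malformed line is skipped. In a real deployment the same logic belongs in a proxy or EDR query, with the allowlist narrowed to the processes your environment actually expects to use location services.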
Security researchers from Secureworks, who uncovered this innovative malware on August 8th, speculate that malicious actors could employ the geolocation data to threaten victims and coerce them into complying with their demands.