Carding
Professional
A new spy tool will leak all your location data to attackers.
Cybercriminals behind the Smoke Loader malware actively use a new payload called Whiffy Recon in their attacks to triangulate the location of infected devices using the Google geolocation API and Wi-Fi scanning.
The Google Geolocation API is a service provided by Google that allows software developers to determine the location of devices using data about nearby Wi-Fi access points and cell towers.
Using HTTPS requests to this API, you can get approximate coordinates of the device's latitude and longitude, even if it doesn't use GPS. This is especially useful for developing applications that require user location information, such as maps and geolocation-based services.
In the case of Whiffy Recon, knowing the victim's location can help hackers conduct more targeted attacks, with accuracy down to an area within the city. Depending on the number of Wi-Fi access points in the area, the accuracy of triangulation via the Google geolocation API ranges from 20 to 50 meters, although this figure is larger in less densely populated areas.
Whiffy Recon gets onto the victim's device after infection by the Smoke Loader dropper, which installs the new spy tool as a payload. Whiffy Recon works as follows: first, the program checks for the presence of a service named "WLANSVC" on the target system. If there is none, the program registers the bot with the command server and skips the scanning part entirely.
On Windows systems where such a service is present, Whiffy Recon starts a Wi-Fi scan cycle that runs every minute, abusing the Windows WLAN API to collect the necessary data and sending HTTPS POST requests to the Google Geolocation API containing information about nearby Wi-Fi access points in JSON format.
Using the coordinates from Google's response, the malware generates a more complete report on the access points, including their geographical location, encryption method, and SSID, and then sends it to the attackers' C2 server as a JSON POST request.
Since this process occurs every 60 seconds, it can allow attackers to track the compromised device in near real time.
Researchers at Secureworks, who discovered this new malware in early August, suggest that hackers can use location information to intimidate their victims into thinking that they are being followed, thus forcing victims to follow the attackers' instructions.
Experts assume that Whiffy Recon will be actively developed by hackers in the future, so new versions of the malware with extended functionality may appear quickly.
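As an added illustration (not code from the article or from Secureworks' research), the check below scans constructed proxy log lines for the beaconing pattern described above: repeated HTTPS POSTs to the Google Geolocation API from a single client at roughly 60-second intervals. The endpoint path is the API's documented one; the log format, client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log sample (not from the article): timestamp, client, method, URL.
SAMPLE_LOG = """\
2023-08-10T10:00:00Z 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T10:00:05Z 10.0.0.9 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T10:00:30Z 10.0.0.5 GET https://example.com/update.json
2023-08-10T10:01:00Z 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T10:02:01Z 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T10:02:40Z 10.0.0.7 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T10:03:00Z 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-10T10:09:10Z 10.0.0.7 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""

GEOLOCATE = "googleapis.com/geolocation/v1/geolocate"  # documented endpoint of the API
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # assumed 4-field log layout

def parse_lines(text):
    """Yield (timestamp, client, method, url) for well-formed lines; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def find_periodic_geolocation_posts(text, period=60, tolerance=5, min_intervals=3):
    """Return {client: periodic_interval_count} for clients whose POSTs to the geolocation
    endpoint recur about every `period` seconds at least `min_intervals` times in a row."""
    by_client = defaultdict(list)
    for ts, client, method, url in parse_lines(text):
        if method == "POST" and GEOLOCATE in url:
            by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()  # count gaps between consecutive POSTs that match the 60 s cadence
        hits = sum(1 for a, b in zip(stamps, stamps[1:])
                   if abs((b - a).total_seconds() - period) <= tolerance)
        if hits >= min_intervals:
            flagged[client] = hits
    return flagged

if __name__ == "__main__":
    for client, hits in find_periodic_geolocation_posts(SAMPLE_LOG).items():
        print(f"{client}: {hits} ~60s intervals between geolocation POSTs")
```

A single legitimate lookup (10.0.0.9) or two irregular ones (10.0.0.7) are not flagged; only the client beaconing once a minute is.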