Malware, Endpoint/Device Security
New Whiffy Recon malware with infected device locating capability emerges
BleepingComputer reports that attacks with the Smoke Loader botnet have been observed to deploy the novel Whiffy Recon malware, which leverages Wi-Fi scanning and Google's geolocation API to determine where compromised devices are located.
According to a Secureworks report, Whiffy Recon first checks for the "WLANSVC" service name: when the service is absent, the malware simply registers the bot with the attackers' command-and-control (C2) server, but on Windows systems where the service is present it runs repeating minute-long scanning loops, using the Windows WLAN API to collect Wi-Fi access point data and sending that data in HTTPS POST requests to Google's geolocation API.
Researchers found that Whiffy Recon uses the coordinates returned by Google to build a report detailing the access points, which is then sent as a JSON POST request to the attackers' C2.
More advanced capabilities are expected to be added to Whiffy Recon, which threat actors could potentially use to further pressure victims into submitting to their demands, said researchers.
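A defender-side illustration, added here and not part of the SC Media article or the Secureworks report: the behaviour described above (a non-browser process posting Wi-Fi access point data to Google's geolocation API on a roughly one-minute cycle) is something proxy or EDR network logs can surface. The geolocation API host and path, the log format and the sample log lines are all assumptions constructed for this example.

```python
# Added example, not from the article or report: flag hosts whose non-browser
# processes POST to Google's geolocation API on a ~60 second cadence, which is
# the scanning loop the article describes. Host/path and log format are assumed.
from collections import defaultdict
from datetime import datetime
import re

GEOLOCATION_HOST = "www.googleapis.com"   # assumption: geolocation API host
GEOLOCATION_PATH_HINT = "/geolocation/"   # assumption: path fragment
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy log lines: timestamp host process method url
SAMPLE_LOG = """\
2023-08-24T10:00:00 WS01 svchost.exe GET https://ctldl.windowsupdate.com/msdownload/update
2023-08-24T10:00:05 WS01 chrome.exe POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:01:00 WS02 updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:01 WS02 updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:00 WS02 updater.exe POST https://www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:30 WS03 notepad.exe POST https://www.googleapis.com/geolocation/v1/geolocate
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse the constructed log format into (timestamp, host, process, method, url)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, method, url = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc.lower(), method, url))
    return events

def find_geolocation_beacons(events, period=60, tolerance=5, min_hits=3):
    """Return {(host, process): post_count} for non-browser processes that POST to the
    geolocation API at least min_hits times with gaps of period +/- tolerance seconds."""
    by_key = defaultdict(list)
    for ts, host, proc, method, url in events:
        if method == "POST" and proc not in BROWSERS \
                and GEOLOCATION_HOST in url and GEOLOCATION_PATH_HINT in url:
            by_key[(host, proc)].append(ts)
    suspicious = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if len(stamps) >= min_hits and periodic >= min_hits - 1:
            suspicious[key] = len(stamps)
    return suspicious

if __name__ == "__main__":
    print(find_geolocation_beacons(parse_log(SAMPLE_LOG)))  # {('WS02', 'updater.exe'): 3}
```

The single POST from notepad.exe on WS03 is deliberately not flagged: one request to a geolocation API is common enough that cadence, not destination alone, is what separates this loop from normal activity.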