Ankura CTIX FLASH Update – August 25, 2023 – Fin Tech


Malware Activity

Whiffy Recon Malware Dropped by Smoke Loader Botnet

A new piece of malware dubbed Whiffy Recon is a Wi-Fi scanning
payload that threat actors are leveraging to triangulate the
geolocation of compromised devices. Whiffy Recon is being
distributed by the threat actors behind the infamous Smoke Loader
botnet. The Smoke Loader botnet family is a modular backdoor with a
wide range of capabilities, used mainly by threat actors to drop
payloads at scale in the early stages of a compromise. The threat
actors use Whiffy Recon to triangulate the position of an infected
device by scanning for nearby Wi-Fi access points and then querying
Google’s geolocation service API, sending the resulting longitude
and latitude of the infected device back to the attackers. Because
it relies on nearby Wi-Fi access points, Whiffy Recon can locate a
device even when it has no GPS, giving attackers an edge when
conducting region-based attacks. The malware maintains persistence
on the compromised device by creating a “wlan.lnk” shortcut that
points to the Whiffy Recon malware’s location on the system.
Although the motive is currently unclear, Whiffy Recon could
potentially be utilized by threat actors to conduct mass
intimidation campaigns, pressuring victims into meeting the
cybercriminals’ demands. Researchers have stated that, based on
the initial POST request to the C2 server, the developers of this
malware are likely to upgrade it over time. CTIX continues to
report on new and interesting attack techniques and may release
an…
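The two observables the flash gives a defender to hunt for are the “wlan.lnk” shortcut used for persistence and the outbound calls to Google’s geolocation API from a process that has no business making them. The script below is an added example, not code from Ankura CTIX or the researchers who analysed Whiffy Recon: it runs two simple detection rules over constructed, Sysmon-style file-create (Event ID 11) and network-connect (Event ID 3) events and then correlates them per process image. The Startup-folder location of the shortcut, the `www.googleapis.com` hostname, the process names and all event contents are assumptions made for the example; the flash only states the shortcut name and the use of Google’s geolocation service.

```python
"""Hunt for Whiffy Recon style persistence and geolocation beaconing.

Added example (not Ankura CTIX or researcher code). The event format
below mimics Sysmon fields but is constructed for the example; the
Startup-folder path and the geolocation API host are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample events (EventID 11 = FileCreate, 3 = NetworkConnect).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\wlan.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Report.lnk"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},
]

# Assumption: the shortcut lands in a per-user or all-users Startup folder.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SUSPICIOUS_LNK_NAMES = {"wlan.lnk"}            # name reported in the flash
GEOLOCATION_HOSTS = {"www.googleapis.com"}     # assumption: API host
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_startup_shortcut(ev: dict):
    """Flag .lnk files created in a Startup folder."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not target.lower().endswith(".lnk") or not STARTUP_DIR_RE.search(target):
        return None
    if basename(target) in SUSPICIOUS_LNK_NAMES:
        return Finding("startup_lnk_known_name", ev["Image"], target)
    # Any shortcut written to Startup by something other than explorer.exe
    # deserves a look even if the name is not on the known list.
    if basename(ev.get("Image", "")) != "explorer.exe":
        return Finding("startup_lnk_unusual_writer", ev["Image"], target)
    return None


def rule_geolocation_beacon(ev: dict):
    """Flag non-browser processes connecting to the geolocation API host."""
    if ev.get("EventID") != 3:
        return None
    if ev.get("DestinationHostname", "").lower() not in GEOLOCATION_HOSTS:
        return None
    if basename(ev.get("Image", "")) in BROWSER_IMAGES:
        return None
    return Finding("geolocation_api_non_browser", ev["Image"],
                   ev["DestinationHostname"])


def hunt(events):
    """Run every rule over every event and collect the findings."""
    findings = []
    for ev in events:
        for rule in (rule_startup_shortcut, rule_geolocation_beacon):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


def correlate(findings):
    """Images that triggered both a Startup-shortcut rule and the beacon rule."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f.image, set()).add(f.rule)
    return sorted(img for img, rules in by_image.items()
                  if any(r.startswith("startup_lnk") for r in rules)
                  and "geolocation_api_non_browser" in rules)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print("correlated:", correlate(results))
```

Each rule on its own is noisy (legitimate software writes Startup shortcuts, and browsers call the same API host), which is why the correlation step is the part worth keeping: a single non-browser image that both dropped a Startup shortcut and talked to the geolocation endpoint is a much stronger signal than either event alone.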

Source…