Secureworks CTU researchers observed the Smoke Loader botnet drop a Wi-Fi scanning tool named Whiffy Recon on infected systems. Whiffy Recon uses nearby Wi‑Fi access points and the Google Geolocation API to determine coordinates and reports data back to a C2 server.
#WhiffyRecon #SmokeLoader
Key points
- Secureworks CTU observed Smoke Loader dropping a custom Wi‑Fi scanning malware named Whiffy Recon onto infected systems.
- Whiffy Recon checks for the WLANSVC service to determine wireless capability and exits if the service name does not exist.
- Persistence is achieved by creating wlan.lnk in the user’s Startup folder pointing to the malware binary.
- The malware operates in two loops: one to register with a C2 server and a second to perform Wi‑Fi scanning.
- During registration, the HTTP POST uses a hard-coded UUID in the Authorization header; the C2 responds with a secret UUID for future requests.
- Wi‑Fi scan results are sent to the Google Geolocation API via HTTPS, then posted to the C2 at /bots//scanned, enabling potential victim tracking.
MITRE Techniques
- [T1071.001] Web Protocols – The malware communicates with its C2 over HTTPS in POST requests, including an Authorization header with a hard-coded UUID. ‘The HTTP headers include an Authorization field containing a hard-coded UUID.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – It persists by creating wlan.lnk in the Startup folder so it is relaunched at each logon. ‘the wlan.lnk shortcut in the user’s Startup folder’
- [T1016] System Network Configuration Discovery – It scans for Wi‑Fi access points using the Windows WLAN API. ‘scans for Wi-Fi access points via the Windows WLAN API.’
- [T1005] Data from Local System – It checks for the presence of a file named %APPDATA%\wlanstr-12.bin to load parameters. ‘The first loop checks for the presence of a file named %APPDATA%\wlanstr-12.bin.’
- [T1041] Exfiltration Over C2 Channel – The collected Wi‑Fi data is posted to the C2 server using the secret Authorization UUID and the URI /bots//scanned. ‘This data is sent as a POST request to the C2 server using the secret Authorization UUID and the URI /bots//scanned.’
Indicators of Compromise
- [MD5 hash] Whiffy Recon sample dropped by Smoke Loader – 009230972491f5f5079e8e86e19d5458
- [SHA1 hash] Whiffy Recon sample dropped by Smoke Loader – 8532e67e1fd8441dc8ef41f5e75ee35b0d12a087
- [SHA256 hash] Whiffy Recon sample dropped by Smoke Loader – 935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087
- [IP address] Whiffy Recon C2 server – 194.87.32.20
- [URL] Hosts Whiffy Recon sample dropped by Smoke Loader – http://195.123.212.53/wlan.exe