A strain of malware that’s been around for over a decade has a new trick: the ability to triangulate an infected PC’s approximate location.
The malware known as Smoke Loader has been sold on cybercriminal forums and to Russian hackers for years. It’s typically used to load additional malicious programs, which can allow the attacker to hijack a Windows PC. Earlier this month, security researchers at Secureworks spotted the malware dropping a new and creepy payload dubbed “Whiffy Recon.”
“Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API,” Secureworks says. “The location returned by Google’s geolocation API is then sent back to the adversary.”
The Wi-Fi triangulation function is also a rarity in the hacking world, according to Secureworks. Whiffy Recon can triangulate a PC’s location thanks to the Google Maps Geolocation API, which is designed to return latitude and longitude coordinates for devices that lack a native GPS. To return the coordinates, Google’s API relies on public data on cell towers and Wi-Fi access points.
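As an added defensive illustration, not code from the article or from Secureworks, the script below scans a constructed proxy log for hosts that query Google's Geolocation API on the fixed 60-second cadence described above; the endpoint path is the API's public one, while the log layout, hostnames and timestamps are constructed.

```python
# Added example, not Secureworks' or PCMag's code: flag hosts whose requests to
# Google's Geolocation API repeat on a fixed ~60 s cadence. Log format and
# hostnames below are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import median

GEOLOCATE_PATH = "googleapis.com/geolocation/v1/geolocate"

# Constructed proxy log: "<ISO timestamp> <source host> <method> <URL>".
SAMPLE_LOG = """\
2023-08-21T09:00:00 ws-017 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-21T09:01:00 ws-017 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-21T09:01:59 ws-017 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-21T09:02:30 ws-042 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-21T09:03:01 ws-017 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
2023-08-21T09:04:00 ws-017 POST https://www.googleapis.com/geolocation/v1/geolocate?key=REDACTED
"""


def parse_geolocate_hits(log_text):
    """Return {host: [timestamps]} for requests that hit the geolocation endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and GEOLOCATE_PATH in parts[3]:
            hits[parts[1]].append(datetime.fromisoformat(parts[0]))
    return hits


def find_periodic_callers(log_text, period=60.0, jitter=5.0, min_hits=4):
    """Return {host: median gap in seconds} for hosts that look up their location
    every ~`period` seconds. One lookup (browser prompt, mapping app) is normal;
    a steady low-jitter loop is the pattern the article describes."""
    flagged = {}
    for host, stamps in parse_geolocate_hits(log_text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Require every gap inside the window, not just the median, so bursty
        # traffic that happens to average 60 s is not flagged.
        if all(abs(g - period) <= jitter for g in gaps):
            flagged[host] = median(gaps)
    return flagged


if __name__ == "__main__":
    for host, gap in find_periodic_callers(SAMPLE_LOG).items():
        print(f"{host}: geolocation lookups every ~{gap:.0f}s")
```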
The exact purpose of Whiffy Recon remains unclear. But Secureworks suspects that learning the infected PC’s approximate location could be used for intimidation tactics, like pressuring a victim into complying with the attackers’ demands.
“This kind of activity/capability is very rarely used by criminal actors,” Don Smith, Secureworks VP for Threat Intelligence, said in an email. “As a standalone capability it lacks the ability to quickly monetize. The unknowns here are worrying and the reality is that it could be used to support any number of nefarious motivations.”
Secureworks adds that it’s detected Smoke
Read more on pcmag.com