Normally when hackers infect one of the best Windows laptops with malware, financial gain is their motivation. However, they also like to deploy infostealer malware to get their hands on your personal data.
Security researchers at Secureworks’ Counter Threat Unit have come across a mysterious new malware strain that is after something else entirely: your exact location. As reported by The Hacker News, hackers are now using the SmokeLoader malware to deliver a new malware strain called Whiffy Recon.
As its name suggests, SmokeLoader is a Malware-as-a-Service offering sold on dark web forums that’s designed to drop additional payloads (which include other malware) on vulnerable computers. It’s typically distributed through either phishing emails or malicious documents.
Now SmokeLoader is being used to infect PCs with Whiffy Recon, but even the security researchers that discovered this new malware strain aren’t quite sure what the hackers behind this campaign intend to use it for.
Pinpointing your exact location
According to a new blog post detailing Secureworks’ findings, the Whiffy Recon malware “has only one operation” and “every 60 seconds it triangulates the infected systems’ position by scanning nearby Wi-Fi access points.”
To find an infected device’s exact location, Whiffy Recon feeds the information obtained from these Wi-Fi access points into Google’s geolocation API. It does this by constantly checking Windows’ WLAN AutoConfig Service on infected PCs. However, if this service doesn’t exist, Whiffy Recon shuts down on its own. The malware also adds a shortcut to the Windows Startup folder on infected PCs so that it resumes running after a device is shut down and then restarted.
What’s particularly surprising about the Whiffy Recon malware is that it scans nearby Wi-Fi networks to determine an infected device’s location every 60 seconds. This is highly unusual, and with this information a hacker who uses this malware in their attacks “could form a picture of the geolocation of a device,” according to Secureworks.
Whiffy Recon also sends data back to a command-and-control (C&C) server operated by the hackers behind this campaign. This includes the precise location coordinates of infected devices, which are obtained by passing the data from these Wi-Fi network scans to Google’s Geolocation API to triangulate a system’s whereabouts.
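As an added example (not from Secureworks’ report or this article), the following detection check looks for the beaconing pattern described above: clients in web-proxy logs that contact Google’s Geolocation API at a steady one-minute cadence. The log line format and the endpoint path are assumptions, and the sample log lines are constructed.

```python
"""Flag hosts whose web-proxy logs show a steady ~60 s cadence of requests to
Google's Geolocation API, the lookup-every-minute pattern described for Whiffy Recon."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed destination path for Wi-Fi-based lookups against Google's Geolocation API
# (the article names the API, not the URL).
GEOLOCATE_PATH = "/geolocation/v1/geolocate"

# Constructed sample proxy lines: "<ISO timestamp> <client> <method> <host><path>"
SAMPLE_LOG = """\
2023-08-24T10:00:00 10.0.0.5 POST www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:00:03 10.0.0.7 GET www.example.com/index.html
2023-08-24T10:01:00 10.0.0.5 POST www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:01 10.0.0.5 POST www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:02:30 10.0.0.7 POST www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:03:00 10.0.0.5 POST www.googleapis.com/geolocation/v1/geolocate
2023-08-24T10:04:00 10.0.0.5 POST www.googleapis.com/geolocation/v1/geolocate
"""


def parse(log_text):
    """Return {client: [timestamps]} for requests that hit the geolocation endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url = line.split()
        if GEOLOCATE_PATH in url:
            hits[client].append(datetime.fromisoformat(ts))
    return hits


def periodic_clients(log_text, period=60.0, tolerance=5.0, min_hits=4):
    """Return {client: mean_gap_seconds} for clients with at least `min_hits`
    lookups whose inter-arrival times cluster around `period` seconds with
    low jitter. A legitimate one-off map lookup yields one or two hits and is
    ignored; a fixed 60 s timer produces the tight spacing flagged here."""
    flagged = {}
    for client, stamps in parse(log_text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            flagged[client] = round(mean(gaps), 1)
    return flagged


if __name__ == "__main__":
    print(periodic_clients(SAMPLE_LOG))  # {'10.0.0.5': 60.0}
```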
How to stay safe from Windows malware
While we’ll have to wait and see what the creators of Whiffy Recon intend to do with all of this geolocation data, there are some steps you can take right now to protect yourself from it and other Windows malware.
For starters, you want to be extra careful when dealing with emails from unknown senders. You should avoid clicking on any links these messages contain, and the same goes for downloading and opening any attachments. Spelling and grammatical errors are also big red flags to look out for when determining if an email is legitimate or not.
Although all Windows 11 PCs come with Windows Defender pre-installed to help keep you safe from malware and other threats, you might want to consider some extra protection in the form of one of the best antivirus software packages. The antivirus engines that power these programs are updated more frequently, and you also sometimes get access to additional security tools like a VPN or a password manager.
At the moment, we don’t know that much about Whiffy Recon or the intentions of its creators, but with precise location data on infected devices, it could turn out to be spyware used to keep tabs on high-value targets.