Smoke Loader Malware Locates Infected Systems Using Nearby Wi-Fi Access Points and Google's Geolocation API

Recent reports reveal that the Smoke Loader botnet is being used by malicious actors to drop a custom Wi-Fi scanning executable on systems it has already compromised.

The Wi-Fi scanning tool appears to be custom-written and is used to determine the infected system's physical location through the Google Geolocation API.


The malware has been termed Whiffy Recon. It uses the Wi-Fi access points visible from the infected machine to obtain that machine's coordinates. It is still unclear why this information is gathered or how it is used.

Smoke Loader Botnets Infect Systems

Windows systems run a service called WLANSVC whose presence indicates that the host has wireless capability. Whiffy Recon begins by checking for this service. It does not check whether the service is running; it only checks whether the service name exists.

If the service exists on the infected system, the malware creates a wlan.lnk shortcut in the user's Startup folder that points to the original location of the malware, so that it is launched again at every logon.

If the service does not exist, the malware simply exits.

The malware contains two loops: one handles bot registration with the C2 server, the other performs the Wi-Fi scanning.

The Loops

The first loop checks whether the file %APPDATA%\wlan\str-12.bin exists. It also enumerates %APPDATA%\Roaming\*.*, for reasons that are still unclear (note that %APPDATA% normally already expands to C:\Users\<user>\AppData\Roaming, so the two paths refer to the same profile folder).

If the file is present and contains valid parameters, this loop ends, the second loop begins, and Wi-Fi scanning is performed.

If str-12.bin does not exist, the malware registers the bot with the C2 server by sending a JSON payload in an HTTPS POST request.

The request headers include an Authorization field populated with a hard-coded UUID (Universally Unique Identifier). This UUID serves as the randomly generated botID that is sent to the C2 server for registration.

HTTP POST request for botID registration (Source: Secureworks)

If registration succeeds, the server responds with a "secret" UUID, which replaces the botID in all subsequent HTTP requests. Both the botID UUID and the secret UUID are stored in the str-12.bin file, which is dropped in the %APPDATA%\Roaming\wlan\ folder.

Server response after successful registration (Source: Secureworks)
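The host-side traces described above (the WLANSVC service-name check, the wlan.lnk Startup shortcut, and the str-12.bin state file holding the two UUIDs) can be checked on a live machine or a mounted image. The following triage script is an added example written for this article, not Secureworks' or the malware author's code. It assumes only what the text states: the exact on-disk layout of str-12.bin is not published, so the script just searches it for UUID-shaped strings; the registry path used for the service check is the standard Windows services key, and the check is skipped on non-Windows hosts.

```python
"""Host triage for the Whiffy Recon artefacts described in the article (added
example, not the malware's or Secureworks' code). Directory arguments are
explicit so the checks can run against a mounted image or a test tree."""
import hashlib
import os
import re

# Hashes from the article's IoC table (Whiffy Recon sample dropped by Smoke Loader).
IOC_HASHES = {
    "009230972491f5f5079e8e86e19d5458",
    "8532e67e1fd8441dc8ef41f5e75ee35b0d12a087",
    "935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087",
}
UUID_RE = re.compile(
    rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)


def wlansvc_key_present():
    """Mirror the malware's own check: does the WLANSVC service *name* exist?
    Only the registry key is consulted, not whether the service is running.
    Returns None on non-Windows hosts, where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        key = winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\WlanSvc"
        )
        winreg.CloseKey(key)
        return True
    except OSError:
        return False


def find_startup_links(startup_dir, name="wlan.lnk"):
    """Return paths of shortcuts named wlan.lnk in a Startup folder (case-insensitive)."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(
        os.path.join(startup_dir, f) for f in os.listdir(startup_dir) if f.lower() == name
    )


def find_state_file(appdata_dir):
    """Locate str-12.bin under <appdata>\\wlan and pull out any UUID strings.
    The article says the botID and the server's 'secret' UUID are stored there;
    the on-disk layout is not described, so only a pattern search is done (assumption)."""
    path = os.path.join(appdata_dir, "wlan", "str-12.bin")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "uuids": [m.decode() for m in UUID_RE.findall(data)]}


def hash_file(path):
    """MD5/SHA1/SHA256 of a file, keyed by algorithm name."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in digests:
                h.update(chunk)
    return {h.name: h.hexdigest() for h in digests}


def matches_ioc(path):
    """True if any digest of the file appears in the published IoC hash set."""
    return any(d in IOC_HASHES for d in hash_file(path).values())


def triage(startup_dir, appdata_dir):
    """Combine the checks; a non-empty 'findings' list means follow up."""
    findings = []
    for lnk in find_startup_links(startup_dir):
        findings.append(f"startup shortcut: {lnk}")
    state = find_state_file(appdata_dir)
    if state:
        findings.append(f"state file {state['path']} with UUIDs {state['uuids']}")
    return {"wlansvc_key": wlansvc_key_present(), "findings": findings}


if __name__ == "__main__":
    # Default to the live user's profile when run on Windows.
    appdata = os.environ.get("APPDATA", "")
    startup = os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup")
    print(triage(startup, appdata))
```

On a live host the shortcut's target should be resolved and hashed with matches_ioc; a hit on wlan.lnk alone is only a lead, since any legitimate program could use that filename.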

After these steps, the malware scans for Wi-Fi access points using the Windows WLAN API. The scan results are placed in a JSON structure and sent to the Google Geolocation API in an HTTPS POST request.

Google Geolocation API

As per the report shared with Cyber Security News, the Google Geolocation API responds with the coordinates of the system's location, derived from the submitted Wi-Fi access points (the API also accepts mobile network data). The response also carries an accuracy radius for the estimate.

These coordinates are then embedded into another JSON structure that also records the encryption method used by each access point.
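To make the geolocation step concrete: the only thing the API needs is a list of nearby BSSIDs with signal strength and channel, which is exactly what a WLAN scan yields. The following script is an added example for this article, not the malware's code. It parses the output of `netsh wlan show networks mode=bssid` (a constructed sample is embedded; the malware itself calls the WLAN API directly, and netsh is used here as the command-line front end to the same data), builds the request body in the shape Google's Geolocation API documents (`wifiAccessPoints` with `macAddress`, `signalStrength`, `channel`), and then assembles an illustrative report of the kind the article says goes to the C2. Nothing is sent anywhere; the C2 report's field names are an assumption, as the page does not publish the malware's own JSON layout.

```python
"""From a Wi-Fi scan to a location fix (added example, not the malware's code).
Parses netsh-style scan output and builds the Google Geolocation API request body."""
import json
import re

# Constructed sample of `netsh wlan show networks mode=bssid`; the field layout
# matches real output.
SAMPLE_NETSH = """\
SSID 1 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:56
         Signal             : 40%
         Radio type         : 802.11ac
         Channel            : 36

SSID 2 : Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 60%
         Radio type         : 802.11n
         Channel            : 11
"""

FIELD_RE = re.compile(
    r"\s*(SSID \d+|Authentication|Encryption|BSSID \d+|Signal|Channel)\s*:\s*(.*)"
)


def percent_to_dbm(pct):
    """Windows reports link quality as 0-100%; the common linear mapping to dBm
    (quality/2 - 100) is an approximation but adequate for geolocation."""
    return int(pct / 2 - 100)


def parse_netsh(text):
    """Return one dict per BSSID, carrying the SSID's authentication/encryption."""
    aps, ssid, auth, enc = [], None, None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key.startswith("SSID"):
            ssid = val
        elif key == "Authentication":
            auth = val
        elif key == "Encryption":
            enc = val
        elif key.startswith("BSSID"):
            aps.append({"ssid": ssid, "bssid": val.lower(), "auth": auth, "encryption": enc})
        elif key == "Signal":
            aps[-1]["signal_dbm"] = percent_to_dbm(int(val.rstrip("%")))
        elif key == "Channel":
            aps[-1]["channel"] = int(val)
    return aps


def build_geolocate_request(aps):
    """Body for POST https://www.googleapis.com/geolocation/v1/geolocate, per
    Google's documentation. considerIp=False forces a Wi-Fi-only fix; the API
    wants at least two access points to return one."""
    return {
        "considerIp": False,
        "wifiAccessPoints": [
            {"macAddress": ap["bssid"], "signalStrength": ap["signal_dbm"], "channel": ap["channel"]}
            for ap in aps
        ],
    }


def build_scan_report(aps, geo_response):
    """Shape of what the article says reaches the C2: the coordinates plus each
    AP's encryption. Field names are illustrative (assumption), not the malware's."""
    return {
        "location": geo_response["location"],
        "accuracy": geo_response["accuracy"],
        "accessPoints": [
            {"bssid": ap["bssid"], "ssid": ap["ssid"], "auth": ap["auth"], "encryption": ap["encryption"]}
            for ap in aps
        ],
    }


if __name__ == "__main__":
    aps = parse_netsh(SAMPLE_NETSH)
    print(json.dumps(build_geolocate_request(aps), indent=2))
    # Constructed response in the API's documented shape (lat/lng plus accuracy in metres).
    fake_response = {"location": {"lat": 51.5, "lng": -0.12}, "accuracy": 20.0}
    print(json.dumps(build_scan_report(aps, fake_response), indent=2))
```

The practical point for defenders is that the request carries no IP address or account data: BSSIDs alone, which any user-mode process can enumerate, are enough for a street-level fix.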

This structure is sent to the C2 server in an HTTPS POST request. To keep the data from different compromised systems apart, the request carries the Authorization UUID and is sent to the URL path /bots/<UUID>/scanned.

Authorization UUID and the URL for the C2 server (Source: Secureworks)
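The C2 exchange described above leaves a distinctive pattern in web-proxy or HTTP logs: a POST to a path of the form /bots/<UUID>/scanned with a bare UUID (no Bearer or Basic scheme) in the Authorization header, preceded by a call to Google's geolocation endpoint. The following detector is an added example written for this article, not Secureworks' tooling. The C2 IP, the payload download URL and the /bots/<UUID>/scanned path come from the article; the Google endpoint path is the one Google documents and is not named on the page; the JSON-lines log format and the assumption that the malware's geolocation request carries no User-Agent header are constructed for the example.

```python
"""Detect the Whiffy Recon C2 pattern in proxy records (added example, not
Secureworks' code). One JSON object per line, as a proxy or Zeek-to-JSON
pipeline would emit; the sample log is constructed."""
import json
import re

C2_IPS = {"194.87.32.20"}                       # from the article's IoC table
PAYLOAD_URLS = {("195.123.212.53", "/wlan.exe")}  # from the article's IoC table
UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
SCAN_PATH = re.compile(rf"^/bots/{UUID}/scanned$")
BARE_UUID = re.compile(rf"^{UUID}$")
GEO_PATH = "/geolocation/v1/geolocate"  # Google's documented endpoint; not named on the page

SAMPLE_LOG = """\
{"ts":"2023-08-21T10:01:02Z","src":"10.0.0.7","dst_ip":"195.123.212.53","host":"195.123.212.53","method":"GET","path":"/wlan.exe","auth":"","ua":""}
{"ts":"2023-08-21T10:01:09Z","src":"10.0.0.7","dst_ip":"194.87.32.20","host":"194.87.32.20","method":"POST","path":"/bots","auth":"3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f","ua":""}
{"ts":"2023-08-21T10:01:40Z","src":"10.0.0.7","dst_ip":"142.250.74.74","host":"www.googleapis.com","method":"POST","path":"/geolocation/v1/geolocate","auth":"","ua":""}
{"ts":"2023-08-21T10:01:41Z","src":"10.0.0.7","dst_ip":"194.87.32.20","host":"194.87.32.20","method":"POST","path":"/bots/9d8e7f6a-5b4c-4d3e-8f2a-1b0c9d8e7f6a/scanned","auth":"9d8e7f6a-5b4c-4d3e-8f2a-1b0c9d8e7f6a","ua":""}
{"ts":"2023-08-21T10:02:00Z","src":"10.0.0.9","dst_ip":"142.250.74.74","host":"www.googleapis.com","method":"POST","path":"/geolocation/v1/geolocate","auth":"","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/116.0"}
{"ts":"2023-08-21T10:02:05Z","src":"10.0.0.9","dst_ip":"93.184.216.34","host":"example.com","method":"GET","path":"/","auth":"","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/116.0"}
"""


def classify(rec):
    """Return the rule names a single record trips (empty list if benign)."""
    hits = []
    if rec["dst_ip"] in C2_IPS:
        hits.append("ioc_c2_ip")
    if (rec["host"], rec["path"]) in PAYLOAD_URLS:
        hits.append("ioc_payload_url")
    if rec["method"] == "POST" and SCAN_PATH.match(rec["path"]):
        # Structural match: also catches a C2 host that is not in the IoC list.
        hits.append("whiffy_scan_upload")
    if BARE_UUID.match(rec["auth"]):
        # A raw UUID with no auth scheme, as in the published captures.
        hits.append("bare_uuid_authorization")
    if rec["path"] == GEO_PATH and not rec["ua"]:
        # Browsers always send a User-Agent; a missing one is the assumed tell here.
        hits.append("geolocate_no_user_agent")
    return hits


def scan_log(text):
    """Map each source host to the distinct rules it tripped, skipping clean records."""
    by_src = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            by_src.setdefault(rec["src"], set()).update(hits)
    return by_src


if __name__ == "__main__":
    for src, rules in sorted(scan_log(SAMPLE_LOG).items()):
        print(src, sorted(rules))
```

The structural rule (POST to /bots/<UUID>/scanned) is the one worth keeping after the listed IP goes stale; a bare-UUID Authorization header or a User-Agent-less geolocation call on its own is only corroborating evidence.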

Security teams are advised to watch for Smoke Loader and Whiffy Recon activity and to take the necessary precautions.

Indicators of Compromise

Indicator                                                          Type         Context
009230972491f5f5079e8e86e19d5458                                   MD5 hash     Whiffy Recon sample dropped by Smoke Loader
8532e67e1fd8441dc8ef41f5e75ee35b0d12a087                           SHA1 hash    Whiffy Recon sample dropped by Smoke Loader
935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087   SHA256 hash  Whiffy Recon sample dropped by Smoke Loader
194.87.32[.]20                                                     IP address   Whiffy Recon C2 server
http://195.123.212[.]53/wlan.exe                                   URL          Hosts Whiffy Recon sample dropped by Smoke Loader


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.