Recent reports reveal that Smoke Loader botnets are being used by malicious actors to drop a Wi-Fi scanning executable on compromised systems.
This Wi-Fi scanning tool appears to be custom-written and is used to determine a system’s geolocation through the Google Geolocation API.
The malware has been named Whiffy Recon; it uses nearby Wi-Fi access points to find the exact coordinates of an affected system. It is still unclear why this information is gathered or how it is used.
Smoke Loader Botnets Infect Systems
Windows systems expose a service named WLANSVC whose presence indicates wireless capability. Whiffy Recon first checks for this service, but it does not check whether the service is running; it only checks whether the service name exists.
If the service exists on the infected system, the malware creates a wlan.lnk shortcut in the Startup folder that points to the original location of the malware.
If the service does not exist, the malware exits.
The first loop checks whether the file %APPDATA%\wlan\str-12.bin exists, either in that directory or under %APPDATA%\Roaming\*.*; it is still unclear why this second location is checked.
If the file is present and contains valid parameters, this loop ends, the next loop begins, and the Wi-Fi scanning is performed.
If str-12.bin does not exist, the malware registers the bot with the C2 server by sending a JSON payload in an HTTPS POST request.
This request also carries HTTP headers, including an Authorization header populated with a hard-coded UUID (Universally Unique Identifier). This UUID is the randomly generated botID sent to the C2 server for registration.
If registration succeeds, the server responds with a “secret” UUID, which replaces the botID in subsequent HTTP requests. Both the botID UUID and the secret UUID are stored in the str-12.bin file, which is dropped in the %APPDATA%\Roaming\wlan\ folder.
After these steps, the malware scans for Wi-Fi access points using the Windows WLAN API. The scan results are placed in a JSON structure that is sent to the Google Geolocation API in an HTTPS POST request.
Google Geolocation API
As per the report shared with Cyber Security News, the Google Geolocation API responds with the coordinates of the system’s location, derived from the collected Wi-Fi access point and mobile network data.
The location coordinates are then embedded into another JSON structure that also records the encryption methods used by the different access points.
This information is sent to the C2 server in an HTTP POST request. To separate the data by compromised system, these POST requests also carry the Authorization UUID and use the URL path “/bots/<UUID>/scanned”.
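The traffic pattern described above gives defenders something concrete to hunt for. The following is an added example (not code from the report, and not the malware's own code) that applies two heuristics drawn from the reported behaviour to constructed proxy log lines; the log layout, the hosts, the IP address and the UUIDs in the sample are assumptions, not real indicators.

```python
"""Flag Whiffy Recon-style C2 requests in proxy logs (constructed example)."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <method> <url> "<Authorization header value or ->"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
UUID = r'[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
BARE_UUID_RE = re.compile(rf'^{UUID}$', re.I)               # a UUID with no auth scheme in front
C2_PATH_RE = re.compile(rf'^/bots/({UUID})/scanned$', re.I)  # scan-upload path named in the report
RAW_IP_HOST_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')    # the reported C2 is a bare IP

def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a suspicious request, or None.
    high   - POST to /bots/<UUID>/scanned (scan results being uploaded to the C2).
    medium - POST to a raw-IP host with a bare-UUID Authorization header
             (the shape of the bot registration request)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                       # not a line in the assumed layout
    ts, client, method, url, auth = m.groups()
    if method.upper() != "POST":
        return None
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_match = C2_PATH_RE.match(parts.path)
    if path_match:
        return {"ts": ts, "client": client, "host": host, "severity": "high",
                "bot_id": path_match.group(1).lower(),
                "reason": "POST to /bots/<UUID>/scanned"}
    if BARE_UUID_RE.match(auth) and RAW_IP_HOST_RE.match(host):
        return {"ts": ts, "client": client, "host": host, "severity": "medium",
                "bot_id": auth.lower(),
                "reason": "bare-UUID Authorization header sent to a raw-IP host"}
    return None

def scan(lines) -> list:
    """Run classify() over an iterable of log lines and keep the alerts."""
    return [a for a in (classify(ln) for ln in lines) if a]

# Constructed sample log: the client IPs, C2 IP and UUIDs are placeholders, not real IoCs.
SAMPLE_LOG = """\
2023-08-24T10:00:01Z 10.0.0.5 GET https://www.example.com/ "-"
2023-08-24T10:00:02Z 10.0.0.5 POST https://198.51.100.7/ "3fa85f64-5717-4562-b3fc-2c963f66afa6"
2023-08-24T10:00:03Z 10.0.0.5 POST https://www.googleapis.com/geolocation/v1/geolocate "-"
2023-08-24T10:00:04Z 10.0.0.5 POST https://198.51.100.7/bots/9b2d1c4e-1111-4222-8333-444455556666/scanned "9b2d1c4e-1111-4222-8333-444455556666"
2023-08-24T10:00:05Z 10.0.0.9 POST https://api.example.com/v1/items "Bearer eyJhbGciOi"
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The Geolocation API request itself is not flagged, since many legitimate applications call it; it becomes interesting only alongside the C2 pattern from the same client.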
Security teams are advised to watch for Smoke Loader and the Whiffy Recon malware and to take the necessary precautions.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| 009230972491f5f5079e8e86e19d5458 | MD5 hash | Whiffy Recon sample dropped by Smoke Loader |
| 8532e67e1fd8441dc8ef41f5e75ee35b0d12a087 | SHA1 hash | Whiffy Recon sample dropped by Smoke Loader |
| 935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087 | SHA256 hash | Whiffy Recon sample dropped by Smoke Loader |
| 194.87.32[.]20 | IP address | Whiffy Recon C2 server |
| http://195.123.212[.]53/wlan.exe | URL | Hosts Whiffy Recon sample dropped by Smoke Loader |