When hackers infect one of the best Windows laptops with malware, they are usually motivated by monetary gain. They also prefer to use infostealer software to steal your personal information.
Secureworks’ Counter Threat Unit security researchers have discovered a surprising new malware infection that is targeting something altogether different: your exact location. According to The Hacker News, hackers are now utilizing the SmokeLoader virus to distribute a new malware strain known as Whiffy Recon.
SmokeLoader, as the name implies, is a Malware-as-a-Service offering sold on dark web forums that is designed to drop extra payloads (including other malware) on vulnerable machines. It is often spread by phishing emails or malicious documents.
SmokeLoader is now being used to infect PCs with Whiffy Recon, but even the security researchers who discovered it aren’t clear what the hackers behind this operation plan to do with it.
Pinpointing your exact location
According to a new blog post outlining Secureworks’ findings, the Whiffy Recon virus “has only one operation” and “every 60 seconds it triangulates the infected systems’ position by scanning nearby Wi-Fi access points.”
Whiffy Recon uses the information gathered from these Wi-Fi access points as input to Google’s geolocation API to determine the exact position of an infected device. It accomplishes this by continuously monitoring Windows’ WLAN AutoConfig Service on infected PCs. Whiffy Recon, however, shuts down on its own if this service does not exist. On infected PCs, the malware also adds a shortcut to the Windows Startup folder, allowing it to start again after a device is shut down and restarted.
The Whiffy Recon malware is unusual in that it checks adjacent Wi-Fi networks every 60 seconds to determine the location of an infected device. With this information, a hacker using this software in their attacks “could form a picture of a device’s geolocation,” according to Secureworks.
Whiffy Recon also sends data to a command-and-control (C&C) server run by the campaign’s hackers. This includes the precise location coordinates of infected devices, which are obtained by combining the data from these Wi-Fi network scans with Google’s Geolocation API.
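The 60-second cadence and the use of Google’s Geolocation API give defenders something to look for in web proxy logs. The following is an added example, not code from Secureworks or from the original article: it flags clients whose requests to the Geolocation API endpoint recur at roughly one-minute intervals. The log format (a TLS-inspecting proxy that records the request path), the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Public Google Geolocation API host and path.
GEO_HOST, GEO_PATH = "www.googleapis.com", "/geolocation/v1/geolocate"

# Constructed proxy log lines: timestamp, client, method, host, path.
SAMPLE_LOG = """\
2024-01-01T10:00:02 10.0.0.15 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:00:07 10.0.0.15 GET www.example.com /index.html
2024-01-01T10:01:03 10.0.0.15 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:02:02 10.0.0.15 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:03:04 10.0.0.15 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:04:02 10.0.0.15 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:00:00 10.0.0.31 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:00:05 10.0.0.31 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:20:00 10.0.0.31 POST www.googleapis.com /geolocation/v1/geolocate
2024-01-01T10:55:00 10.0.0.31 POST www.googleapis.com /geolocation/v1/geolocate
"""

def parse(log_text):
    """Yield (client, timestamp) for each POST to the geolocation endpoint."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, method, host, path = parts
        if method == "POST" and host == GEO_HOST and path.startswith(GEO_PATH):
            yield client, datetime.fromisoformat(ts)

def find_periodic_clients(log_text, period=60, tolerance=5, min_hits=4):
    """Return {client: median gap in seconds} for clients polling near `period`."""
    hits = defaultdict(list)
    for client, ts in parse(log_text):
        hits[client].append(ts)
    flagged = {}
    for client, times in hits.items():
        if len(times) < min_hits:
            continue  # too few requests to judge a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        near = sum(1 for g in gaps if abs(g - period) <= tolerance)
        # Require most gaps near the period so one delayed scan does not hide it.
        if near / len(gaps) >= 0.8:
            flagged[client] = median(gaps)
    return flagged

if __name__ == "__main__":
    print(find_periodic_clients(SAMPLE_LOG))
```

A flagged client is a lead to investigate rather than a verdict, since legitimate location-aware software also calls this API.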
How to Protect Yourself from Windows Malware
While we have to wait and see what the Whiffy Recon authors want to do with all of this geolocation data, there are several precautions you can take right now to protect yourself from it and other Windows viruses.
To begin, you should use extreme caution when interacting with emails from unknown senders. You should avoid clicking on any links in these messages, as well as downloading and opening any attachments. Spelling and grammatical problems are also major red flags to check for when deciding whether or not an email is real.
Although Windows Defender comes pre-installed on all Windows 11 PCs to help keep you secure from malware and other dangers, you may want to consider adding additional protection in the form of one of the top antivirus programs. These programs’ antivirus engines are updated more frequently, and you may also have access to extra security features such as a VPN or a password manager.
We don’t know much about Whiffy Recon or its authors’ goals at this time, but with exact location data on infected devices, it might be spyware used to keep tabs on high-value targets.