New Malware Can Send Your Location to an Attacker Every 60 Seconds
Plus, A Fatal WinRAR Vulnerability
The Virus that can use Google’s Geolocation API to Track You
The SmokeLoader malware is being used to deliver a new Wi-Fi scanning payload, dubbed Whiffy Recon, to compromised Windows hosts. Whiffy Recon's primary function is to geolocate the infected system: it scans for nearby Wi-Fi access points and submits the results to Google's Geolocation API, which returns an estimated position for the device. That location is then sent back to the attacker. SmokeLoader itself is a loader, malware whose sole purpose is to drop additional payloads onto a host; it has been sold to Russian threat actors since 2014 and is typically distributed through phishing emails.
Whiffy Recon first checks for the WLAN AutoConfig service (WLANSVC) on the compromised machine and exits if the service is not present, although it does not verify that the service is actually working. It persists by dropping a shortcut into the Windows Startup folder, so that it runs again at each logon.
Secureworks Counter Threat Unit (CTU) researchers are puzzled by the motivation behind Whiffy Recon. They question why a threat actor would want the precise location of infected devices, and they note the unusual regularity of the scans, which run every 60 seconds. At that cadence, the data could let a threat actor map infected devices to physical locations.
The malware first registers with a remote command-and-control (C2) server by sending a randomly generated "botID" in an HTTP POST request. The C2 server responds with a unique identifier, which Whiffy Recon stores in a file on the system. In its second phase the malware loops every 60 seconds: it scans for nearby Wi-Fi access points through the Windows WLAN API, submits the scan results (the access point BSSIDs and signal strengths the API needs) to Google's Geolocation API to obtain the device's location, and then transmits the result to the C2 server as JSON.
The unusual nature of this activity, its lack of any obvious monetization path, and the number of open questions around it raise concerns about how the collected location data might ultimately be used.
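To make the geolocation step concrete, here is an added example (not code from the original post, nor from the Whiffy Recon sample or the Secureworks report) that shows what the request to Google's Geolocation API looks like when it is built from a Wi-Fi scan. The malware reads access points through the Windows WLAN API directly; as an offline stand-in, the example parses the text that `netsh wlan show networks mode=bssid` prints, using a constructed sample rather than a real capture. The percentage-to-dBm conversion follows the documented `wlanSignalQuality` mapping (0% = -100 dBm, 100% = -50 dBm, linear in between), and the request body shape (`considerIp`, `wifiAccessPoints` with `macAddress`, `signalStrength`, `channel`) is the one Google documents for `POST https://www.googleapis.com/geolocation/v1/geolocate`. The example only builds the body; it never sends anything. Seeing the body is useful for a defender who wants to recognise that POST from a process that has no business geolocating itself.

```python
import json
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output. The
# BSSIDs, SSIDs and signal values are made up for the example.
SAMPLE_NETSH = """
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : 00:11:22:33:44:56
         Signal             : 60%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : AA:BB:CC:DD:EE:FF
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 11
"""

BSSID_RE = re.compile(r"^\s*BSSID \d+\s*:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
SIGNAL_RE = re.compile(r"^\s*Signal\s*:\s*(\d+)%")
CHANNEL_RE = re.compile(r"^\s*Channel\s*:\s*(\d+)")


def percent_to_dbm(pct: int) -> int:
    """Map the WLAN API's signal-quality percentage to an RSSI in dBm.

    Documented mapping for wlanSignalQuality: 0% is -100 dBm, 100% is -50 dBm,
    linear interpolation in between. netsh prints the same percentage.
    """
    return pct // 2 - 100


def parse_netsh_bssids(text: str) -> list[dict]:
    """Extract one access-point record per BSSID block from netsh output."""
    aps: list[dict] = []
    current: dict | None = None
    for line in text.splitlines():
        m = BSSID_RE.match(line)
        if m:
            # A new BSSID line opens a new record; Google expects lowercase MACs
            current = {"macAddress": m.group(1).lower()}
            aps.append(current)
            continue
        if current is None:
            continue  # header lines before the first BSSID
        m = SIGNAL_RE.match(line)
        if m:
            current["signalStrength"] = percent_to_dbm(int(m.group(1)))
            continue
        m = CHANNEL_RE.match(line)
        if m:
            current["channel"] = int(m.group(1))
    return aps


def build_geolocate_request(aps: list[dict]) -> dict:
    """Build the JSON body for Google's geolocate endpoint (not sent here).

    considerIp=False forces a Wi-Fi-only fix, which is what a location-tracking
    payload wants; Google requires at least two access points for that.
    """
    if len(aps) < 2:
        raise ValueError("Wi-Fi-only geolocation needs at least two access points")
    return {"considerIp": False, "wifiAccessPoints": aps}


if __name__ == "__main__":
    body = build_geolocate_request(parse_netsh_bssids(SAMPLE_NETSH))
    # This is the payload that would appear in the outbound POST body.
    print(json.dumps(body, indent=2))
```

On the wire, a successful response carries a `location` object with `lat`/`lng` and an `accuracy` radius in metres; that is the value Whiffy Recon forwards to its C2. For detection, the interesting signal is not the API itself, which browsers and location-aware apps use legitimately, but a non-browser process on an endpoint issuing that POST once a minute.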
WinRAR Vulnerability Lets Hackers Control Your PC
A high-severity vulnerability, tracked as CVE-2023-40477 with a CVSS score of 7.8, has been disclosed in the popular Windows archiver WinRAR. An attacker can exploit it to achieve remote code execution on a Windows system. The flaw lies in the processing of recovery volumes: user-supplied data is not properly validated, which allows memory access past the end of an allocated buffer. An attacker who triggers this can execute code in the context of the current process. Exploitation requires user interaction, either visiting a malicious web page or opening a malicious archive file.
The flaw was discovered by a researcher using the pseudonym "goodbyeselene" and reported on June 8, 2023. It was fixed in WinRAR 6.23, released on August 2, 2023. That release also fixes a separate issue in which WinRAR could open the wrong file when a user double-clicks an item inside a specially crafted archive.
Users should update to WinRAR 6.23 or later. WinRAR has no automatic update mechanism, so the new version has to be downloaded and installed manually. The case is a reminder that archivers and other file-parsing utilities need the same patch discipline as browsers and operating systems, since a malicious file is all it takes to reach them.
Databricks - Senior Staff Software Engineer - Berlin, Germany
Dropbox - Senior Front End Product Software Engineer - Remote
Udemy - Senior Staff Data Scientist - San Francisco, CA
Flock Safety - Software Engineer, ML Tooling - Remote
Pacific Northwest National Laboratory - PhD Intern - Data Sciences & Machine Intelligence Graduate Internship - Richland, WA
Google - 2023 MBA Internship - Tapestry - Product Manager - Mountain View, CA
Pimco - 2024 Summer Intern - Technology Analyst, Software Engineering, US - Newport Beach, CA
Apple - 2024 Apple Internship - Information Systems and Technology - Sydney, New South Wales, Australia