Smoke Loader Malware Locates Infected System Using Wi-Fi Access Points

by Esmeralda McKenzie

Smoke Loader malware locates the infected machine using nearby Wi-Fi access points and Google's Geolocation API

Recent reports indicate that Smoke Loader botnets are being used by threat actors to infiltrate compromised systems and deploy a Wi-Fi scanning executable.

This Wi-Fi scanning tool appears to be custom-written and is used to gather information about a system's geolocation via the Google Geolocation API.


This malware has been named Whiffy Recon and uses nearby Wi-Fi access points to obtain the exact coordinates of an affected system. It is still unclear why this information is gathered and how it is used.

Smoke Loader Botnets Infect Systems

Windows systems use a service called WLANSVC whose presence indicates wireless capability. Whiffy Recon first checks for this service. It does not check whether the service is running; instead, it only checks whether the service name exists.

If the service exists on the infected system, the malware creates a wlan.lnk shortcut in the Startup folder that points to the current location of the malware.

However, if the service does not exist, the malware exits.

There are two loops in this malware: one is used for bot registration with the C2 server, while the other is used for Wi-Fi scanning.

The Loops

The first loop checks whether the file %APPDATA%\wlan\str-12.bin exists, either in that directory or among the %APPDATA%\Roaming\*.* files; it is still unclear why this is done.

If the file is present and contains valid parameters, this loop ends, the next loop begins, and the Wi-Fi scanning is performed.

If the file str-12.bin does not exist, the malware proceeds to register the bot with the C2 server by sending a JSON payload in an HTTPS POST request.

This HTTP request also contains headers, including the Authorization field populated with a hard-coded UUID (Universally Unique Identifier). This UUID is the randomly generated botID sent to the C2 server for registration.

[Figure] HTTP POST request for botID registration (Source: Secureworks)

If the registration succeeds, the server responds with a "secret" UUID, which replaces the botID in future HTTP requests. Both the botID UUID and the secret UUID are stored in the str-12.bin file, which is dropped in the %APPDATA%\Roaming\wlan folder.

[Figure] Server response after successful registration (Source: Secureworks)

After these steps, the malware scans for Wi-Fi access points using the Windows WLAN API. The scan results are placed into a JSON structure, which is sent to the Google Geolocation API in an HTTPS POST request.

Google Geolocation API

According to the report shared with Cyber Security News, the Google Geolocation API responds with the coordinates of the system's location, derived from the collected Wi-Fi access point and cell network information.

These location coordinates are then embedded into another JSON structure that also lists the encryption methods used by the various access points.

This data is sent to the C2 server in an HTTP POST request. To separate the data per compromised system, these POST requests also carry the Authorization UUID and use the URL "/bots//scanned".

[Figure] Authorization UUID and the URL for the C2 server (Source: Secureworks)

Security personnel are advised to look for this Smoke Loader malware and the Whiffy Recon malware and to take the necessary precautions.

Indicators of Compromise

Indicator | Type | Context
009230972491f5f5079e8e86e19d5458 | MD5 hash | Whiffy Recon sample dropped by Smoke Loader
8532e67e1fd8441dc8ef41f5e75ee35b0d12a087 | SHA1 hash | Whiffy Recon sample dropped by Smoke Loader
935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087 | SHA256 hash | Whiffy Recon sample dropped by Smoke Loader
194.87.32[.]20 | IP address | Whiffy Recon C2 server
http://195.123.212[.]53/wlan.exe | URL | Hosts Whiffy Recon sample dropped by Smoke Loader
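As an added defensive example (not code from the article or from Secureworks), the following Python script turns the host artefacts described above (the wlan.lnk shortcut in the Startup folder and the str-12.bin state file), the C2 traffic pattern (POST requests carrying a bare UUID in the Authorization header to a /bots/.../scanned path) and the indicator table into one triage routine, and runs it over constructed telemetry records. Everything beyond the article's own values is an assumption: the HttpEvent and FileEvent record shapes, the Startup-folder location of the shortcut, treating the elided middle segment of "/bots//scanned" as a wildcard, and all sample log values.

```python
import re
from dataclasses import dataclass, field

# Indicators copied from the article's IoC table (hashes lower-cased, hosts defanged as printed).
IOC_HASHES = {
    "009230972491f5f5079e8e86e19d5458",                                  # MD5
    "8532e67e1fd8441dc8ef41f5e75ee35b0d12a087",                          # SHA1
    "935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087",  # SHA256
}
IOC_HOSTS_DEFANGED = {"194.87.32[.]20", "195.123.212[.]53"}


def refang(indicator: str) -> str:
    """Convert the '[.]' defanging used in the table back into a matchable host string."""
    return indicator.replace("[.]", ".")


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}

# Behavioural patterns from the article. The report path is printed as "/bots//scanned"
# with the bot id elided, so the middle segment is treated as a wildcard (assumption).
SCANNED_PATH_RE = re.compile(r"^/bots/[^/]*/scanned$", re.I)
BARE_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Host artefacts: the Startup-folder shortcut and the bot-state file (paths matched by suffix).
STARTUP_LNK_RE = re.compile(r"[\\/]startup[\\/]wlan\.lnk$", re.I)
STATE_FILE_RE = re.compile(r"[\\/]wlan[\\/]str-12\.bin$", re.I)


@dataclass
class HttpEvent:
    """One proxy-log record (constructed shape; adapt to your own log source)."""
    method: str
    host: str
    path: str
    authorization: str = ""


@dataclass
class FileEvent:
    """One file-creation record with whatever hex digests the sensor provides."""
    path: str
    hashes: list = field(default_factory=list)


def triage_http(ev: HttpEvent) -> list:
    """Return the reasons (possibly none) a single HTTP record matches Whiffy Recon behaviour."""
    hits = []
    if ev.host in IOC_HOSTS:
        hits.append(f"known Whiffy Recon infrastructure {ev.host}")
    if ev.method.upper() == "POST" and SCANNED_PATH_RE.match(ev.path):
        hits.append("scan-report POST to /bots/*/scanned")
    # A bare UUID in Authorization (no Bearer/Basic scheme) is the botID/secret pattern from
    # the article; on its own it is only a weak signal, so it is reported as such.
    if BARE_UUID_RE.match(ev.authorization.strip()):
        hits.append("Authorization header is a bare UUID (weak signal)")
    return hits


def triage_file(ev: FileEvent) -> list:
    """Return the reasons (possibly none) a single file record matches the host artefacts or hashes."""
    hits = []
    if STARTUP_LNK_RE.search(ev.path):
        hits.append("wlan.lnk persistence shortcut in Startup folder")
    if STATE_FILE_RE.search(ev.path):
        hits.append("str-12.bin bot-state file under a wlan folder")
    for h in ev.hashes:
        if h.lower() in IOC_HASHES:
            hits.append(f"hash matches Whiffy Recon sample {h.lower()}")
    return hits


def triage(http_events, file_events) -> dict:
    """Run both triage functions; return {event description: [reasons]} for matching events only."""
    findings = {}
    for ev in http_events:
        hits = triage_http(ev)
        if hits:
            findings[f"{ev.method} {ev.host}{ev.path}"] = hits
    for ev in file_events:
        hits = triage_file(ev)
        if hits:
            findings[ev.path] = hits
    return findings


# Constructed sample telemetry (not real logs). The registration path is not given in the
# article, so "/register" below is an arbitrary placeholder; the UUIDs are made up.
SAMPLE_HTTP = [
    HttpEvent("GET", "www.example.com", "/index.html"),
    HttpEvent("GET", "195.123.212.53", "/wlan.exe"),
    HttpEvent("POST", "194.87.32.20", "/register", "7d2f5c1e-4b8a-4c3d-9e1f-0a1b2c3d4e5f"),
    HttpEvent("POST", "194.87.32.20", "/bots/7d2f5c1e-4b8a-4c3d-9e1f-0a1b2c3d4e5f/scanned",
              "b8e3a1d2-1111-4222-8333-444455556666"),
]
SAMPLE_FILES = [
    FileEvent(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wlan.lnk"),
    FileEvent(r"C:\Users\alice\AppData\Roaming\wlan\str-12.bin"),
    FileEvent(r"C:\Users\alice\Downloads\wlan.exe",
              ["935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087"]),
    FileEvent(r"C:\Users\alice\Documents\notes.txt", ["d41d8cd98f00b204e9800998ecf8427e"]),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_HTTP, SAMPLE_FILES).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

The hash and host matches are exact-match indicators and age quickly once the actor rotates infrastructure; the path and Authorization-header checks describe the malware's behaviour and are the part worth keeping in a detection rule, with the bare-UUID check weighted low because some legitimate clients also send token-only Authorization values.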

Source credit : cybersecuritynews.com
