New Malware Uses WiFi BSSID to Determine the Victim's Location

A security researcher has identified a new malware sample that uses an interesting technique to determine the potential victim’s location, without using the various GeoIP API services.

Some hackers don’t want to draw attention to their activities in the countries they operate from, and they usually give their attacks features that let them determine the location of a target. It also allows them to target specific countries.

Threat actors use GeoIP API services for this task, but it turns out there are other ways to find out the location that don’t require access to those APIs. Security researcher Xavier Mertens found a malware sample that initially queries for the victim’s public IP address with the help of icanhazip.com.

On the second step, though, the malware uses another service, ‘api.mylnikov.org.’

“This free service provides geolocation data for WiFi MAC addresses or BSSID,” says Mertens. “This is also useful to detect the location of the victim. The malware submits the MAC address of the default gateway (in my VM environment) or the BSSID (the MAC address of the wireless access point).”

The API returns the latitude and longitude in the JSON data, which is more than enough to find the country and city of origin. Bad actors always update their malware with new features and functionalities that let them bypass security measures or add new capabilities.

This is only a sample, but there’s no reason to believe that it’s not already implemented in active pieces of malware.