Malware uses WiFi BSSID for victim identification

guest · Jan 4, 2021

Malware uses WiFi BSSID for victim identification
Malware authors are using the WiFi AP MAC address (also known as the BSSID) as a way to geo-locate infected hosts
January 4, 2021
https://www.zdnet.com/article/malware-uses-wifi-bssid-for-victim-identification/

Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location.

While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer.
However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first.

This second technique relies on grabbing the infected user's BSSID.
Click to expand...

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.

Checking the BSSID against Mylnikov's database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the internet, which is a far much accurate way of discovering a victim's geographical position.
Click to expand...

Malware operators usually check for a victim location because some groups want to make victims only inside specific countries (such as state-sponsored operations) or they don't want to infect victims in their native country (in order to avoid drawing the attention of local law enforcement and avoiding prosecution).
Click to expand...

Malware Victim Selection Through WiFi Identification

Last week, I found a malware sample that does nothing fancy, it's a data stealer but it has an interesting feature. It's always interesting to have a look at the network flows generated by malware samples.

By checking the public IP address used by the victim, an attacker might prevent "friends" to be infected (ex: IP addresses from the attacker's country) or if the IP address belongs to a security vendor. On the other side, the attacker might decide to infect the computer because it is located in a specific country or belongs to the targeted organization.
Click to expand...

Log in or Sign up

Malware uses WiFi BSSID for victim identification

guest Guest

Members

Useful Searches