Malware authors are using the WiFi AP MAC address (also referred to as the BSSID) as how to geo-locate infected hosts.
Malware operators who want to understand the situation of the victims they infect usually believe an easy technique where they grab the victim’s IP address and check it against an IP-to-geo database like MaxMind’s GeoIP to urge a victim’s approximate geographical location.
While the technique is not accurate, it’s still the foremost reliable method of determining a user’s actual physical location supported data found on their computer.
However, during a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a replacement malware strain that’s employing a second technique on top of the first.
This second technique relies on grabbing the infected user’s BSSID.
Known as a “Basic Service Set Identifier,” the BSSID is essentially the MAC physical address of the wireless router or access point the user is using to attach via WiFi.
You can see the BSSID on Windows systems by running the command:
netsh wlan show interfaces | find “BSSID”
Mertens said the malware he discovered was collecting the BSSID then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.
This database may be a collection of known BSSIDs and therefore the last geographical location they have been spotted at.
These sorts of databases are quite common lately and are usually employed by mobile app operators as other ways to trace users once they can’t get access to a phone’s location data directly (i.e., see WiGLE, one among the foremost popular services used for these sorts of BSSID-to-geo conversions).
Checking the BSSID against Mylnikov’s database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the web , which may be a far much accurate way of discovering a victim’s geographical position.
Using both methods together allow malware operators to verify that the initial IP-based geolocation query is correct with the second BSSID method.
Malware operators usually check for a victim location because some groups want to form victims only inside specific countries (such as state-sponsored operations) or they do not want to infect victims in their native country (in order to avoid drawing the eye of local enforcement and avoiding prosecution).
However, IP-to-geo databases are known for his or her wildly inaccurate results, as telcos and data centers tend to accumulate or rent IP address blocks on the free market. This leads to some IP blocks being assigned to different organizations in other regions of the world from their initial/actual owner.
Using a second method to double-check a victim’s geographical location isn’t widely adopted today, but the technique has clear benefits that other malware operations will surely appreciate and choose to use in the future as well.