- KONNI hackers use KakaoTalk to deliver malware and harvest account information from victims
- Attackers exploit Google Find Hub to remotely wipe Android devices and avoid registration
- Compromised PCs spread malware to contacts, while mobile devices are repeatedly reset to factory settings
North Korean threat actors with ties to the government were seen resetting target Android devices to factory settings to cover their tracks.
Genians researchers said they saw these attacks in the wild, primarily targeting individuals in South Korea, carried out by a group called KONNI (named after a remote access tool it uses).
The researchers say KONNI has “overlapping goals and infrastructure” with both Kimsuky and APT37, known North Korean state-sponsored actors.
Wiping the device
The attack starts on KakaoTalk messenger, one of the most popular chat platforms in the country, where KONNI’s agents impersonate trusted entities such as the National Tax Service or the police.
During the conversation, they send a digitally signed MSI file (or a ZIP archive with it), which, if the victim runs it, starts a script that ultimately downloads various malware modules, including RemcosRAT, QuasarRAT, and RftRAT.
These RATs harvest all kinds of information from the compromised device, including Google and Naver account credentials, which are then used to log into the victim’s Google account.
From there, they access Google Find Hub, a built-in tool that lets users locate, lock, or wipe their devices remotely, and use it not only to see all of the victim’s other registered Android devices, but also to track the victim’s location.
When they see that the victim is out and about and cannot quickly react to an attack, they send remote factory reset commands to all devices, deleting data, disabling alerts, and disconnecting the victim from the KakaoTalk PC sessions. The wipe is carried out three times.
With the mobile device wiped but the KakaoTalk PC session still active, the hackers use the compromised computer to send malicious files to the victim’s contacts and further spread the infections.
The motive behind the attack is unknown at this time, but state-sponsored threat actors are usually engaged in cyber espionage and disruption.
Via Bleeping Computer