- KONNI Hackers Use KakaoTalk to Distribute Malware and Collect Victims’ Account Credentials
- Attackers leverage Google Find Hub to remotely wipe Android devices and evade detection
- Compromised PCs spread malware to contacts while mobile devices are repeatedly reset to factory settings
North Korean threat actors with ties to the government were seen resetting target Android devices to factory settings to cover their tracks.
Genians researchers said they saw these attacks in the wild, primarily targeting individuals in South Korea, carried out by a group called KONNI (named after the remote access tool it uses).
Investigators say KONNI has “overlapping goals and infrastructure” with both Kimsuky and APT37, known North Korean state-sponsored actors.
Cleaning the device
The attack begins on KakaoTalk Messenger, one of the most popular instant messaging platforms in the country, where KONNI agents pose as trusted entities such as the National Tax Service or the police.
During the conversation, they send a digitally signed MSI file (or a ZIP archive containing one) which, if executed by the victim, launches a script that eventually downloads several malware modules, including RemcosRAT, QuasarRAT and RftRAT.
These RATs collect all kinds of information from the compromised device, including Google and Naver account credentials, which are then used to log into the victim’s Google account.
From there, they access Google Find Hub, a built-in tool that allows users to remotely locate, lock or wipe their devices, and use it to not only view all other registered Android devices, but also track the victim’s location.
Once they see that the victim is away from home and cannot quickly respond to an attack, they send remote factory reset commands to all devices, wiping data, disabling alerts, and disconnecting the victim from KakaoTalk PC sessions. The wipe is carried out three times.
With the mobile device wiped but the KakaoTalk PC session still active, hackers use the compromised computer to send malicious files to the victim’s contacts, further spreading infections.
The motive behind the attack is unknown at this time, but state-sponsored threat actors typically engage in cyber espionage and disruption.
Via BleepingComputer