- KONNI Hackers Use KakaoTalk to Spread Malware and Harvest Victims’ Account Credentials
- Attackers exploit Google Find Hub to remotely wipe Android devices and evade detection
- Compromised PCs spread malware to contacts while mobile devices are repeatedly reset.
North Korean threat actors with government ties have been seen resetting target Android devices to factory settings to cover their tracks.
Genians researchers said they have seen these attacks in the wild, primarily targeting individuals in South Korea, carried out by a group called KONNI (named after a remote access tool it uses).
Researchers say KONNI has “overlapping targets and infrastructure” with those of Kimsuky and APT37, known North Korean state-sponsored actors.
Wipe the device
The attack begins on KakaoTalk Messenger, one of the most popular instant messaging platforms in the country, where KONNI agents pose as trusted entities like the National Tax Service or the police.
During the conversation, they send a digitally signed MSI file (or a ZIP archive with it) which, if the victim executes it, launches a script that ultimately downloads different malicious modules, including RemcosRAT, QuasarRAT and RftRAT.
These RATs harvest all sorts of information about the compromised device, including Google and Naver account credentials which are then used to log into the victim’s Google account.
From there, they access Google Find Hub, a built-in tool that allows users to remotely locate, lock or wipe their devices, and use it to not only view all other registered Android devices, but also track the victim’s location.
When they see the victim outside and are unable to quickly respond to an attack, they send remote factor reset commands to all devices, wiping data, disabling alerts, and disconnecting the victim from PC KakaoTalk sessions. Wiping is carried out three times.
With the mobile device wiped but the KakaoTalk PC session still active, hackers use the compromised computer to send malicious files to the victim’s contacts, further spreading infections.
The motive for the attack is unknown at the time, but state-sponsored threat actors typically engage in cyber espionage and disruption.
Via BeepComputer
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
