
APT37 hackers abuse Google Find Hub in Android data-wiping attacks


North Korean hackers are abusing Google’s Find Hub tool to track the GPS location of their targets and remotely reset Android devices to factory settings.

The attacks are primarily targeting South Koreans, and start by approaching the potential victims over KakaoTalk messenger - the most popular instant messaging app in the country.

South Korean cybersecurity solutions company Genians links the malicious activity to a KONNI activity cluster, which "has overlapping targets and infrastructure with Kimsuky and APT37."

KONNI typically refers to a remote access tool that has been linked to attacks from North Korean hackers in the APT37 (ScarCruft) and Kimsuky (Emerald Sleet) groups that targeted multiple sectors (e.g., education, government, and cryptocurrency).

According to Genians, the KONNI campaign infects computers with remote access trojans that enable sensitive data exfiltration.

Wiping Android devices is done to isolate victims, delete attack traces, delay recovery, and silence security alerts. Specifically, the reset disconnects victims from KakaoTalk PC sessions, which the attackers hijack post-wiping to spread to their targets’ contacts.

Infection chain

The KONNI campaign analyzed by Genians targets victims via spear-phishing messages that spoof South Korea’s National Tax Service, the police, and other agencies.

Once the victim executes the digitally signed MSI attachment (or a .ZIP containing it), the file invokes an embedded install.bat and an error.vbs script used as a decoy to mislead the user with a fake “language pack error.”

The BAT triggers an AutoIt script (IoKITr.au3) that establishes persistence on the device via a scheduled task. The script fetches additional modules from a command and control (C2) server, giving the threat actors remote access, keylogging, and the ability to deploy additional payloads.
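The chain described above (MSI launching install.bat, the error.vbs decoy, the AutoIt interpreter running IoKITr.au3, and a scheduled task pointing back at that script) leaves a recognizable parent/child process trail. The following is an added detection sketch, not code from Genians or from the article; it runs a handful of rules over constructed process-creation events in the style of Sysmon Event ID 1 (ParentImage, Image, CommandLine). The file names match the article; every path, task name and the two-stage alert threshold are constructed assumptions.

```python
"""Detection sketch for the KONNI infection chain (added example, constructed data).

Each rule looks for one stage of the chain on a single host; seeing two or
more stages together is treated as the alert condition. Real telemetry
would come from Sysmon/EDR; here the events are hand-built samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # Sysmon ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


# (rule name, parent-image regex or None, image regex, command-line regex)
RULES = [
    # msiexec spawning cmd.exe to run the embedded install.bat
    ("msi_spawns_batch", r"msiexec\.exe$", r"cmd\.exe$", r"install\.bat"),
    # the batch file launching the error.vbs decoy through the script host
    ("vbs_decoy_from_batch", r"cmd\.exe$", r"(wscript|cscript)\.exe$", r"error\.vbs"),
    # AutoIt interpreter executing the .au3 stage (assumes an uncompiled script)
    ("autoit_runs_au3", None, r"autoit3?\.exe$", r"\.au3"),
    # scheduled-task creation whose action references the .au3 script
    ("schtask_persists_au3", None, r"schtasks\.exe$", r"/create.*\.au3"),
]


def matches(rule, ev: ProcEvent) -> bool:
    """True when the event satisfies every pattern of the rule (case-insensitive)."""
    _, parent_re, image_re, cmd_re = rule
    if parent_re and not re.search(parent_re, ev.parent_image, re.I):
        return False
    return bool(re.search(image_re, ev.image, re.I)
                and re.search(cmd_re, ev.command_line, re.I))


def evaluate(events) -> set:
    """Return the names of all rules triggered by the event sequence."""
    return {rule[0] for ev in events for rule in RULES if matches(rule, ev)}


def score(events, threshold: int = 2):
    """Return (triggered rule names, alert?) for one host's events.

    The threshold of two stages is a constructed choice: one stage alone
    (e.g. any schtasks /create) is too noisy, two stages of this specific
    chain on one host is a strong signal.
    """
    hits = evaluate(events)
    return hits, len(hits) >= threshold


# Constructed sample telemetry resembling the chain from the article.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              rf'cmd.exe /c "{TMP}\install.bat"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              rf'wscript.exe //B "{TMP}\error.vbs"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", rf"{TMP}\AutoIt3.exe",
              rf'AutoIt3.exe "{TMP}\IoKITr.au3"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              rf'schtasks.exe /create /sc minute /mo 5 /tn "SampleTask" '
              rf'/tr "{TMP}\AutoIt3.exe {TMP}\IoKITr.au3"'),
]

# Constructed benign activity that must not alert.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /V"),
]

if __name__ == "__main__":
    print("sample:", score(SAMPLE_EVENTS))
    print("benign:", score(BENIGN_EVENTS))
```

Each rule is deliberately narrow (specific parent, image and command-line fragment) so that the stages correlate rather than fire on ordinary msiexec or schtasks use; in production the same logic would be expressed as a Sigma or EDR correlation rule keyed on host and a short time window.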
