- KONNI hackers use KakaoTalk to deliver malware and harvest account credentials from victims
- Attackers abuse Google Find Hub to remotely wipe Android devices and evade detection
- Compromised PCs spread malware to contacts while mobile devices are repeatedly factory reset
North Korean threat actors with ties to the government have been observed resetting target Android devices to factory settings to cover their tracks.
Researchers from Genians said they spotted these attacks in the wild, targeting mainly individuals in South Korea, carried out by a group known as KONNI (named after the remote access tool it uses).
The researchers say KONNI has “overlapping targets and infrastructure” with both Kimsuky and APT37, known North Korean state-sponsored actors.
Wiping the device
The attack begins on KakaoTalk messenger, one of the most popular instant messaging platforms in the country, where KONNI's operators impersonate trusted entities such as the National Tax Service or the police.
During the conversation, they send a digitally signed MSI file (or a ZIP archive containing one) which, if the victim runs it, launches a script that eventually downloads various malware modules, including RemcosRAT, QuasarRAT, and RftRAT.
These RATs harvest all sorts of information from the compromised machine, including Google and Naver account credentials, which are then used to log into the victim's Google account.
From there, the attackers access Google Find Hub, the built-in service that lets users remotely locate, lock, or wipe their devices, and use it not only to enumerate every Android device registered to the account, but also to track the victim's location.
Once they see the victim is out and about, and therefore unable to respond quickly to an attack, they send remote factory reset commands to all of those devices, erasing data, silencing alerts, and cutting the victim off from the KakaoTalk PC session. The wipe is performed three times.
With the mobile device wiped but the KakaoTalk PC session still active, the attackers use the compromised computer to send malicious files to the victim's contacts, spreading the infection further.
The motive behind the attack is unknown at this time, but state-sponsored threat actors are usually engaged in cyber-espionage and disruption.
Via BleepingComputer
