North Korean hackers have been abusing Google's Find Hub service to track the GPS location of targets and remotely factory-reset their Android devices. The attacks primarily target South Korean users.
Initial contact with victims is made over KakaoTalk, South Korea's most widely used instant messaging platform. Cybersecurity firm Genians attributes the activity to the KONNI threat cluster, which shares infrastructure and targeting with the known groups Kimsuky and APT37.
KONNI is the name both of a remote access trojan and of the activity cluster that uses it; the tool has been deployed in attacks by North Korean state-aligned groups including APT37 (also known as ScarCruft) and Kimsuky (Emerald Sleet). These groups have historically targeted the education, government, and cryptocurrency sectors.
According to Genians, the campaign deploys remote access trojans (RATs) to steal sensitive data from compromised systems. Factory-resetting the victim's Android devices serves several purposes at once: it cuts the victim off from their phone, destroys evidence, delays recovery, and suppresses security alerts. In particular, it terminates the victim's KakaoTalk session on the phone, so that after the wipe the attacker can use the account from the already compromised PC to push malicious files to the victim's contacts without the victim seeing the messages.
Infection Chain
The campaign relies on spear-phishing messages that impersonate South Korean government agencies, such as the National Tax Service and local police, and carry malicious attachments. Executing the digitally signed MSI attachment, or the ZIP archive that contains it, triggers a sequence of scripts: an "install.bat" batch file and an "error.vbs" script that displays a fake language-pack error to mislead the user.
The batch file launches an AutoIt script (IoKITr.au3) that establishes persistence through a scheduled task. The script then fetches additional modules from a command-and-control (C2) server, giving the attackers remote access, keylogging, and the ability to drop further payloads.
Genians reports that these secondary payloads include RemcosRAT, QuasarRAT, and RftRAT, which the attackers use to harvest credentials for the victim's Google and Naver accounts. With those credentials, the attackers can read the victim's Gmail and Naver Mail, change account security settings, and delete the logs and notifications that would reveal the compromise.
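A detection angle on the chain above, as an added example that is not from the article or from Genians: the script hunts process-creation telemetry (records shaped like Sysmon Event ID 1) for the msiexec -> install.bat -> error.vbs -> AutoIt -> schtasks sequence by classifying each process as a stage and walking its parent lineage back to msiexec.exe. The record fields, all pids and paths, and the task name "Updater" are constructed for illustration; only the script file names come from the report.

```python
"""Hunt for the KONNI-style MSI -> BAT -> VBS -> AutoIt -> scheduled-task chain
in process-creation telemetry (records shaped like Sysmon Event ID 1).

Added example for this article; it is not Genians' or the article's code.
The record fields (pid, ppid, image, cmdline), all pids and paths, and the
task name "Updater" are constructed for illustration; only the script names
install.bat, error.vbs and IoKITr.au3 come from the report.
"""
from __future__ import annotations

TEMP = r"C:\Users\u\AppData\Local\Temp"  # assumed drop directory

# Constructed sample telemetry: the malicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\notice.msi"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c "{TEMP}\\install.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'wscript.exe "{TEMP}\\error.vbs"'},
    {"pid": 500, "ppid": 300, "image": f"{TEMP}\\AutoIt3.exe",
     "cmdline": f'AutoIt3.exe "{TEMP}\\IoKITr.au3"'},
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": (f'schtasks.exe /create /sc minute /mo 5 /tn Updater '
                 f'/tr "{TEMP}\\AutoIt3.exe {TEMP}\\IoKITr.au3"')},
    # Benign: an administrator creating an unrelated task from a console.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _lineage(event: dict, by_pid: dict[int, dict]) -> list[str]:
    """Image names of the event's ancestors, nearest parent first (cycle-safe)."""
    names: list[str] = []
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        names.append(_basename(parent["image"]))
        parent = by_pid.get(parent["ppid"])
    return names


def _stage(image: str, cmdline: str) -> str | None:
    """Classify one process as a stage of the described chain, if it looks like one."""
    if image == "cmd.exe" and ".bat" in cmdline:
        return "batch installer"
    if image in ("wscript.exe", "cscript.exe") and ".vbs" in cmdline:
        return "vbs decoy"
    if image == "schtasks.exe" and "/create" in cmdline and (
            ".au3" in cmdline or "autoit" in cmdline):
        return "autoit persistence"
    if ".au3" in cmdline or image.startswith("autoit"):
        return "autoit loader"
    return None


def find_chains(events: list[dict]) -> list[dict]:
    """Return one finding per process that is a chain stage and descends from msiexec.exe.

    Requiring msiexec.exe in the lineage separates the installer-borne chain from
    an administrator running a batch file or creating a task by hand. A
    schtasks.exe call whose /tr target is an AutoIt script is reported even
    without that lineage, because that persistence mechanism is rare in benign use.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        cmdline = ev["cmdline"].lower()
        stage = _stage(image, cmdline)
        if stage is None:
            continue
        lineage = _lineage(ev, by_pid)
        if "msiexec.exe" in lineage or stage == "autoit persistence":
            findings.append({"pid": ev["pid"], "stage": stage,
                             "image": image, "lineage": lineage})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f'pid {f["pid"]:>4}  {f["stage"]:<20} {f["image"]}  <- {" <- ".join(f["lineage"])}')
```

Run as-is, it reports the four malicious stages (pids 300, 400, 500 and 600) and stays silent on the administrator's own cmd.exe and schtasks.exe. Feed it real Sysmon or EDR process records with the same four fields to hunt across a fleet; the lineage walk is what keeps a lone `.bat` or `schtasks /create` from firing on its own.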
Utilizing Find Hub for Device Reset
Once a Google account is compromised, the attackers use Google Find Hub to enumerate the Android devices registered to it and obtain their GPS locations. Find Hub is Android's built-in service for locating, locking, or erasing lost or stolen devices.
Genians' forensic investigation confirmed that the attackers issued remote reset commands through Find Hub. In one case, on September 5, an attacker used the KakaoTalk account of a South Korean counselor who supports North Korean defectors to distribute malicious files disguised as a "stress relief program" to students.
The attackers monitored the GPS data to pick a moment when the victim was unlikely to react quickly. They then issued remote wipe commands to every Android device registered to the account, causing irreversible data loss, and repeated the wipe three times to keep the devices out of action for as long as possible.
With the victim's phone, and any alerts it would have shown, out of the picture, the attacker used the KakaoTalk session still active on the victim's already compromised PC to send further malicious files to the victim's contacts.
On September 15, evidence of a similar attack was observed targeting another individual, utilizing the same methodology.
To reduce the risk of such attacks, users should protect their Google accounts with multi-factor authentication (MFA) and keep their account recovery options up to date so they can regain access quickly. Because the credentials in this campaign were captured by malware running on the victim's PC, phishing-resistant factors such as passkeys or hardware security keys offer more protection than SMS or app-based one-time codes, which an attacker with a keylogger on the same machine can also capture. Before downloading or opening an attachment received through a messaging app, verify the sender's identity through another channel, such as a phone call.
Genians' report provides a full technical analysis of the malware involved, along with indicators of compromise (IoCs) for the attacks under investigation.
Update 11/11 – A Google spokesperson commented on the situation, emphasizing that this attack did not exploit any vulnerabilities within Android or Find Hub. “This targeted attack required pre-existing PC malware to capture Google account credentials and misuse legitimate functions within Find Hub (formerly Find My Device). We highly recommend all users enable 2-Step Verification or adhere to passkey usage for robust protection against credential theft. For individuals at heightened risk of targeted attacks, enrolling in Google’s Advanced Protection Program offers enhanced account security,” stated the spokesperson.