Full Report
North Korean hackers from the KONNI activity cluster are abusing Google's Find Hub tool to track their targets' GPS positions and trigger remote factory resets of Android devices. [...]
Analysis Summary
# Threat Actor: KONNI Activity Cluster
## Attribution & Identity
* **Attribution:** North Korean hackers.
* **Known Aliases and Associated Groups:** KONNI activity cluster, with overlapping targets and infrastructure with Kimsuky (Emerald Sleet) and APT37 (ScarCruft).
## Activity Summary
The actor is abusing Google's Find Hub tool to track the GPS location of Android targets and subsequently trigger remote factory resets on their devices. This wiping action is used to isolate victims, delete forensic evidence of the initial compromise, delay recovery, and silence security alerts. Following a successful wipe, the attackers hijack the victim's logged-in KakaoTalk PC session to spread the malicious payload to the victim's contacts.
A specific observed campaign involved spear-phishing messages spoofing South Korean government entities (National Tax Service, police) to infect victims with Remote Access Trojans (RATs). In a confirmed case, an attacker compromised a counselor's KakaoTalk account to send a malicious file disguised as a "stress relief program" to a defector student, subsequently using GPS tracking to execute the wipe command when the target was less able to respond.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing campaigns using malicious MSI attachments delivered via email/social engineering (spoofing government agencies).
* **Execution/Persistence:** Initial execution involves a decoy VBS script (`error.vbs`) followed by a BAT script (`install.bat`) that invokes an AutoIT script (`IoKITr.au3`). Persistence is established via a scheduled task.
* **C2 & Remote Access:** The initial script fetches additional modules from a C2 server, providing remote access, keylogging, and the ability to introduce secondary payloads.
* **Secondary Payloads:** Deployment of RATs including RemcosRAT, QuasarRAT, and RftRAT for data exfiltration.
* **Credential Harvesting:** Harvesting of Google and Naver account credentials to gain access to email and change security settings to wipe logs.
* **Abuse of Legitimate Tools:** Usage of Google Find Hub (Android's "Find my Device") for GPS tracking and triggering remote factory resets. This command was executed multiple times (three times observed in one instance) to maximize disruption.
* **Lateral Movement:** Reusing compromised KakaoTalk PC sessions to propagate malware to the victim's contacts post-wipe.
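The execution chain above (script host running `error.vbs`, which runs `install.bat`, which launches an AutoIT interpreter with `IoKITr.au3`, plus a scheduled task for persistence) is the kind of parent/child sequence a defender can hunt for in process-creation telemetry. The following is an added example, not code from the report or from any vendor product: it walks constructed, Sysmon-style process events (field names modelled on Sysmon Event ID 1; the sample paths, PIDs and command lines are made up) and flags both the VBS-to-BAT-to-AutoIt ancestry and any `schtasks /create` whose action points at an AutoIt payload or a user-writable directory.

```python
"""Hunt for the VBS -> BAT -> AutoIt chain and its scheduled-task persistence.

Added example: constructed Sysmon-like process-creation events. Field names
mirror Sysmon Event ID 1 (Image, CommandLine, ProcessId, ParentProcessId);
the PIDs, paths and command lines below are made up for this demonstration.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes that may carry a .au3 path on their command line without executing it
# (e.g. schtasks registering the task); not treated as AutoIt executions.
AU3_MENTION_ONLY = {"schtasks.exe", "cmd.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)

# Constructed sample telemetry: one chain matching the reported sequence and one
# benign admin session that also creates a scheduled task from a .bat file.
SAMPLE_EVENTS = [
    ProcEvent(400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(410, 400, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\stress_relief.msi"'),
    ProcEvent(420, 410, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\error.vbs"'),
    ProcEvent(430, 420, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\install.bat"'),
    ProcEvent(440, 430, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
              r'AutoIt3.exe "C:\Users\u\AppData\Local\Temp\IoKITr.au3"'),
    ProcEvent(450, 430, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "Update" '
              r'/tr "C:\Users\u\AppData\Local\Temp\AutoIt3.exe C:\Users\u\AppData\Local\Temp\IoKITr.au3"'),
    # Benign: an administrator schedules a backup script from a system-managed path.
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Scripts\backup.bat"),
    ProcEvent(510, 500, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /tr C:\Scripts\backup.bat /sc daily'),
]


def _name(image: str) -> str:
    """Lower-cased executable basename from a Windows path."""
    return ntpath.basename(image).lower()


def _is_autoit_exec(e: ProcEvent) -> bool:
    """AutoIt interpreter by name, or any other image handed a .au3 script."""
    if _name(e.image).startswith("autoit3"):
        return True
    return bool(re.search(r"\.au3\b", e.cmdline, re.I)) and _name(e.image) not in AU3_MENTION_ONLY


def find_autoit_chains(events, max_depth: int = 4):
    """Return one hit per AutoIt execution whose ancestors include cmd.exe running
    a .bat that was itself spawned (directly or via max_depth hops) by a script host
    running a .vbs. chain_pids is ordered root (VBS) -> leaf (AutoIt)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not _is_autoit_exec(e):
            continue
        ancestors, cur = [], e
        for _ in range(max_depth):              # walk up the parent chain
            cur = by_pid.get(cur.ppid)
            if cur is None:
                break
            ancestors.append(cur)
        cmd = next((i for i, p in enumerate(ancestors)
                    if _name(p.image) == "cmd.exe" and ".bat" in p.cmdline.lower()), None)
        if cmd is None:
            continue
        vbs = next((i for i, p in enumerate(ancestors) if i > cmd
                    and _name(p.image) in SCRIPT_HOSTS and ".vbs" in p.cmdline.lower()), None)
        if vbs is None:
            continue
        hits.append({"chain_pids": [ancestors[vbs].pid, ancestors[cmd].pid, e.pid],
                     "autoit_cmdline": e.cmdline})
    return hits


def find_suspicious_tasks(events):
    """Flag schtasks /create whose /tr action runs an AutoIt/.au3 payload or
    anything under a user-writable directory."""
    hits = []
    for e in events:
        if _name(e.image) != "schtasks.exe" or not re.search(r"/create\b", e.cmdline, re.I):
            continue
        m = re.search(r'/tr\s+("([^"]*)"|(\S+))', e.cmdline, re.I)
        if not m:
            continue
        action = m.group(2) if m.group(2) is not None else m.group(3)
        reasons = []
        if ".au3" in action.lower() or "autoit" in action.lower():
            reasons.append("autoit-payload")
        if USER_WRITABLE.search(action):
            reasons.append("user-writable-path")
        if reasons:
            hits.append({"pid": e.pid, "task_action": action, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_autoit_chains(SAMPLE_EVENTS):
        print("execution chain:", h)
    for t in find_suspicious_tasks(SAMPLE_EVENTS):
        print("suspicious task:", t)
```

Run against the constructed events, the chain detector reports the single `wscript -> cmd -> AutoIt3` lineage (PIDs 420, 430, 440) and ignores the `schtasks` process even though its command line mentions the `.au3` path, while the task detector flags only the task whose action lives under `AppData\Local\Temp` and runs an AutoIt script, leaving the administrator's `C:\Scripts\backup.bat` task alone. In a real deployment the same two functions would be fed from an EDR or Sysmon export rather than the inline list.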
## Targeting
* **Sectors:** Education, government, and cryptocurrency (as historically linked to KONNI/APT37).
* **Geography:** Primarily targeting South Koreans.
* **Victims:** South Korea–based counselor supporting North Korean defector youth; North Korean defector students.
## Tools & Infrastructure
* **Malware Families Used:** KONNI (Remote Access Tool), RemcosRAT, QuasarRAT, RftRAT, AutoIT script (`IoKITr.au3`).
* **Infrastructure:** Command and Control (C2) servers used to fetch secondary modules.
## Implications
This indicates a sophisticated, persistent threat actor group (linked to APT37/Kimsuky) that combines supply chain compromise techniques with the abuse of legitimate cloud services (Google Find Hub) to achieve destructive objectives. The focus on wiping devices suggests an intent that goes beyond espionage: disrupting victims, silencing accountability, and degrading the victims' own operational security, particularly within sensitive communities (defector support).
## Mitigations
* Enable Multi-Factor Authentication (MFA) on all Google accounts.
* Ensure quick access to recovery accounts linked to Google profiles.
* Exercise extreme caution with files received via messaging apps (like KakaoTalk); verify sender identity via direct verbal confirmation (calling) before downloading or executing attachments.
* Monitor for unusual activity related to Google's "Find My Device" service, especially remote wipe commands originating from unknown locations.