A new KONNI-linked campaign abused Google’s Find Hub to remotely wipe Android devices after compromising Google accounts and used KakaoTalk to distribute MSI-based malware disguised as “stress-relief” programs. The campaign targeted South Korea, impersonated counselors and other trusted contacts, and relied on AutoIt-based RAT loaders and multi-stage C2 infrastructure. #KONNI #FindHub
Key points
- A KONNI-linked campaign targeted South Korea and abused Google Find Hub to remotely wipe Android devices after compromising Google accounts.
- Attackers distributed MSI-based Stress Clear via KakaoTalk, using AutoIt-based loaders and RemcosRAT with multi-stage C2 infrastructure.
- Impersonation of counselors and other trusted figures enabled trust-based spearphishing and rapid spread through social channels.
- Compromised Google and Naver accounts were leveraged to control Find Hub and trigger remote resets on devices.
- Defenders are urged to strengthen real-time behavior-based detection, verify Find Hub actions, and improve messenger file security and user awareness.
MITRE Techniques
- [T1566.001] Spearphishing – Used spear-phishing that spoofed organizations such as the National Tax Service. Quote: 'spear-phishing that spoofed organizations such as the National Tax Service'
- [T1116] Code Signing – The MSI carries a valid digital signature issued to 'Chengdu Hechenyingjia Mining Partnership Enterprise', which the report describes as an abuse of code signing. Quote: 'The MSI contains a valid digital signature issued to "Chengdu Hechenyingjia Mining Partnership Enterprise"… This represents an abuse of code signing.'
- [T1059.003] Windows Command Shell – Commands are run through the Windows command shell, for example via '%SystemRoot%\system32\cmd.exe /c'. Quote: '%SystemRoot%\system32\cmd.exe /c'
- [T1053.005] Scheduled Task – Creates a scheduled task set to run every minute to continuously execute the malicious AutoIt script. Quote: 'scheduled task set to run every minute to continuously execute the malicious AutoIt script'
- [T1125] Video Capture – The victim's webcam is used to covertly monitor the surroundings and identify periods of absence. Quote: 'Webcams to covertly monitor the user’s surroundings or identify periods of absence'
- [T1041] Exfiltration – Theft of PII and sensitive data including private webcam content. Quote: 'gained unauthorized access to the victim’s PC and stole a large volume of personally identifiable information (PII), sensitive data, and private content captured through the webcam'
- [T1199] Trusted Relationship – Compromised KakaoTalk accounts used to distribute malware to contacts. Quote: 'distribution of malicious files via KakaoTalk' and 'compromised KakaoTalk account as a secondary distribution channel'
- [T1071.001] Web Protocols – C2 communications hosted on WordPress-based servers and WordPress domains. Quote: 'WordPress-based web servers' and 'C2 servers were hosted on WordPress'
- [T1078] Valid Accounts – Access to Google and Naver accounts via stolen credentials. Quote: 'The threat actor gained unauthorized access to the victim’s Google and Naver accounts' or 'logged into the victim's Gmail account'
- [T1027] Obfuscated/Compressed Files and Information – Malware components encoded or encrypted within AutoIt scripts. Quote: 'conceal various malware components by encoding or encrypting them within AutoIt scripts'
- [T1485] Data Destruction – Remote wipes causing complete data loss. Quote: 'remote reset commands… resulting in the complete deletion of critical data' and 'remotely wiping mobile devices'
- [T1036] Masquerading – Malicious files disguised as 'stress-relief programs'. Quote: 'malicious files disguised as “stress-relief programs”'
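The persistence pattern above (a scheduled task repeating every minute that re-launches an AutoIt script through `cmd.exe /c`) is something a defender can hunt for in scheduled-task creation telemetry. The following Python is an added example written for this summary, not code from the Genians report or from the campaign; it parses the TaskContent XML that a Windows Security event 4698 ("a scheduled task was created") carries and flags tasks whose repetition interval is one minute or shorter and whose action is a `cmd.exe /c` one-liner or references an AutoIt interpreter or `.au3`/`.a3x` script. The three task bodies, their names and their command lines are constructed samples; only the file name `IoKlTr.au3` comes from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed TaskContent bodies in the shape a Security event 4698 carries.
# The first mimics the reported persistence pattern, the second is a benign
# daily backup, the third is a benign but chatty vendor heartbeat (used to
# show that a short interval alone is only worth a review, not an alert).
SAMPLE_TASKS = {
    "persistence_sample": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\system32\cmd.exe</Command>
    <Arguments>/c AutoIt3.exe C:\Users\Public\IoKlTr.au3</Arguments>
  </Exec></Actions>
</Task>""",
    "backup_sample": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    <StartBoundary>2025-01-01T02:00:00</StartBoundary>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\robocopy.exe</Command>
    <Arguments>D:\data E:\backup /MIR</Arguments>
  </Exec></Actions>
</Task>""",
    "telemetry_sample": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleVendor\agent.exe</Command>
    <Arguments>--heartbeat</Arguments>
  </Exec></Actions>
</Task>""",
}

# ISO 8601 duration as used by Task Scheduler, e.g. PT1M, PT30S, P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# AutoIt interpreter names and compiled/plain script extensions.
AUTOIT_RE = re.compile(r"autoit3?\.exe|\.a3x\b|\.au3\b", re.IGNORECASE)


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration to seconds; None if it does not parse."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def strip_namespaces(root):
    """Drop the task-schema namespace so tags can be matched by local name."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def analyze_task(xml_text, max_interval_s=60):
    """Return the list of suspicious traits found in one TaskContent body."""
    root = strip_namespaces(ET.fromstring(xml_text))
    reasons = []
    for interval in root.iter("Interval"):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs <= max_interval_s:
            reasons.append(f"repeats every {interval.text} (<= {max_interval_s}s)")
    for action in root.iter("Exec"):
        cmd = action.findtext("Command") or ""
        args = action.findtext("Arguments") or ""
        if cmd.lower().endswith("cmd.exe") and args.lstrip().lower().startswith("/c"):
            reasons.append("action is a cmd.exe /c one-liner")
        if AUTOIT_RE.search(f"{cmd} {args}"):
            reasons.append("action references an AutoIt interpreter or script")
    return reasons


def scan_tasks(tasks, min_reasons=1):
    """Map task name -> reasons for every task with at least min_reasons hits."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = analyze_task(xml_text)
        if len(reasons) >= min_reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_tasks(SAMPLE_TASKS).items():
        level = "HIGH" if len(reasons) >= 2 else "REVIEW"
        print(f"[{level}] {name}: {'; '.join(reasons)}")
```

In practice the TaskContent string comes out of the 4698 event's EventData (or from exporting tasks with `schtasks /query /xml`), and the scoring threshold is the knob worth tuning: a one-minute interval on its own is common for legitimate agents, so the example reports it alone as a review item and only treats the combination with a `cmd.exe /c` or AutoIt action as a strong signal.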
Indicators of Compromise
- [IP] 116.202.218
- [Domain] bp-analytics.de
- [File] Stress Clear.msi, IoKlTr.au3, and other related files (e.g., install.bat, error.vbs, hwpviewer.exe, Start_Web.lnk, Smart_Web.lnk)
https://www.genians.co.kr/en/blog/threat_intelligence/android