lazarusholic

State-Sponsored Remote Wipe Tactics Targeting Android Devices

2025-11-09, Genians
https://www.genians.co.kr/en/blog/threat_intelligence/android
#AutoIt #Konni

Contents

◈ Key Findings
- Emergence of an Android remote data-wipe attack that abuses Google's device-tracking feature, Find Hub.
- Identified as a follow-up to the KONNI APT campaign, which had operated covertly for nearly a year.
- Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.
- Malicious files were delivered through the KakaoTalk messenger, leveraging impersonation of acquaintances to conduct trust-based attacks.
- Strengthening real-time behavior-based detection and IOC-linked monitoring through EDR solutions is strongly recommended.
1. Overview
The Genians Security Center (GSC) has identified new attack activity linked to the KONNI APT campaign, which is known to be associated with the Kimsuky or APT37 groups.
During its ongoing investigation into KONNI’s operations, GSC discovered that malicious files disguised as “stress-relief programs” were being widely distributed through South Korea’s KakaoTalk messenger platform.
KONNI has overlapping targets and infrastructure with Kimsuky and APT37, leading some researchers to classify them as the same …

IoC

URLs
- http://77.246.101.72
- http://192.109.119.113
- http://116.202.99.218
- http://212.118.52.168
- http://bp-analytics.de
- http://genuinashop.com
- http://appoitment.dotoit.media
- http://38.180.148.108
- http://77.246.108.96
- http://91.107.208.93
- http://sparkwebsolutions.space
- http://94.103.87.212
- http://89.110.83.245
- http://oldfoxcompany.com
- http://xcellentrenovations.com
- http://professionaltutors.net
- http://62.113.118.157
- http://109.234.36.135
- http://youkhanhdoit.co
- http://93.183.93.185

IP addresses
- 109.234.36.135
- 91.107.208.93
- 192.109.119.113
- 89.110.83.245
- 93.183.93.185
- 1.0.0.0
- 77.246.101.72
- 77.246.108.96
- 116.202.99.218
- 38.180.148.108
- 62.113.118.157
- 94.103.87.212
- 212.118.52.168

Email addresses
- [email protected]
- [email protected]

File hashes (MD5)
- 53aea290d7245ee902a808fd87a6a173
- f7363c5cfd6fa24a86e542fcd05283e8
- 5ab26df9c161a6c5f0497fde381d7fca
- ef1a8f66351d03413ed2c7d499ee5164
- 048e1698c4b711d1652df4bf4be04f9e
- 56c7b448dbc37aa50eb1c2a6475aca5e
- 99ee7852b8041a540fdb74b3784d0409
- 8230af6642f5f1927bbbbc7fd6e5427f
- b0eba111b570bb1c93ca1f48557d265b
- 38f8fd9e8d27ae665b3ac0f56492f6c4
- 09b91626507a62121a4bdb08debb3ed9
- 8f82226b2f24d470c02f6664f67f23f7
- f6800836d55d049fe79e3d47d54e1119
- 25e38d618f38b3218c3252cf0d22c969