KONNI-linked APT abuses Google Find Hub to wipe Android devi...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.genians.co.kr/en/blog/threat_intelligence/android
• Blog Title: KONNI-linked APT abuses Google Find Hub to wipe Android devices after Windows intrusion
• Suggested Section: Basic Forensic Methodology -> Malware Analysis (AutoIt loaders, a3x decryption/injection, and Scheduled Tasks persistence masquerade)

🎯 Content Summary

What the post proves: A KONNI-linked APT ran a Windows-first intrusion that stole Google credentials and abused Google’s Android Find Hub to geolocate victims and repeatedly issue factory resets on registered Android phones/tablets. Wipes were timed to moments when the victim was away, suppressing mobile notifications and enabling rapid secondary distribution of malware via the victim’s already-logged-in KakaoTalk PC session.

Initial access and lures (2025-09-05, 2025...

🔧 Technical Details

Account‑takeover abuse of Android Find Hub. After stealing Google credentials (and clearing alert emails from the linked Naver inbox), browse Google Account → Security → Your devices → Find My Phone → Find Hub, select the device, re‑enter the Google password, and trigger “Erase device.” Repeating wipes keeps phones/tablets offline, suppresses notifications, and hides concurrent operations.

MSI → AutoIt persistence via Task Scheduler masquerade. Deliver a signed MSI that runs install.bat to drop AutoIt3.exe and IoKlTr.au3 into C:\Users\Public\Music, copy schtasks.exe to hwpviewer.exe, and create a 1‑minute task “IoKlTr.” Show a decoy error.vbs language‑pack dialog to mislead users while artifacts self‑delete.

AutoIt HMAC→AES decryption + process injection. Store RATs inside .au3 files compiled as .a3x; derive AES keys via HMAC, decrypt ...

🤖 Agent Actions

I analyzed the blog and HackTricks repository and updated the most relevant page with new, concise, technical content.

What I added

• Section: “AutoIt-based loaders: .a3x decryption, Task Scheduler masquerade and RAT injection” to Basic Forensic Methodology → Malware Analysis
  • MSI → custom actions chain and exact commands
  • install.bat and error.vbs full contents
  • Scheduled Task persistence masquerading via copied schtasks.exe as hwpviewer.exe, task “IoKlTr” every minute
  • Forensic artifacts: C:\Users\Public\Music\AutoIt3.exe, IoKlTr.au3, Smart_Web.lnk, %APPDATA%\Google\Browser(adb|adv)*
  • AutoIt .a3x loader behavior: HMAC→AES decryption pipeline and generic code skeleton; process injection flow; families and target processes (QuasarRAT → hncfinder.exe, RftRAT → cleanmgr.exe; Remcos)
  • Triage and hunting ideas (schtasks query, artifact paths, process chains)
  • Account-takeover abuse of Google Find My Device (Find Hub) to repeatedly wipe Android devices and suppress notifications (concise attacker steps + defensive notes)

References updated

• Added at the end of the file:
  • Genians blog post
  • Google Find My Device link
  • ASEC RftRAT analysis
  • HMAC reference

File modified

• src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md

Reasoning for placement

• The material is malware delivery/persistence/loader tradecraft with defender triage and reversing notes; it best fits the Basic Forensic Methodology → Malware Analysis page. No other page contained AutoIt .a3x loader decryption/injection specifics or the Task Scheduler masquerade pattern, and the “phishing/clipboard hijacking” page only briefly mentions AutoIt without any analysis content.

No other files needed updating, and no duplicate content existed.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 907
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.genians.co.kr/en/blog/threat_intelligence/android

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology -> Malware Analysis (AutoIt loaders, a3x decryption/injection, and Scheduled Tasks persistence masquerade)".

Repository Maintenance:

• MD Files Formatting: 907 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge