DoNot’s Firestarter Malware Abuses Google Firebase
The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. This allows the malware authors to keep their C2 up and running using Google infrastructure, even if it taken down. The use of the legitimate service from Google’s infrastructure makes detection harder on a user’s network. Users are lured to install malware in the form of an app on their mobile device, which downloads a payload based on information obtained from the device. This ensures only certain devices get targeted, giving stealth to this malware campaign.
The DoNot group is known for targeting Kashmiri non-profit organizations and Pakastani government officials. The region, due to its hot geo-political climate and disputes involving China, India, and Pakistan over territorial ownership, plays a hand in regional cyber-crime. DoNot leverages the Google Firebase Cloud Messaging system (GFCM) as a mandatory communication platform among its malwares. Due to its encryption and shared communication with Android OS and Google infrastructure, they are hiding in legitimate traffic. The C2 server for the malware can always be replaced, thus taking down C2 servers are not a permanent fix. Only Google can effectively stop the malware by disabling FMC on the victim’s device. The malware is likely spread via direct messages Prevention can be done in the form of not downloading software from unknown sources and looking for initial C2 network traffic. For more a in depth technical writeup visit the link below.
Sources: