tronicbad.blogg.se

Firestarter apk download 272

By Warren Mercer, Paul Rascagneres and Vitor Ventura.

The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure. The approach in the final payload upload denotes a highly personalized targeting policy.

What's new? The DoNot APT group is making strides to experiment with new methods of delivery for their payloads. They are using a legitimate service within Google's infrastructure, which makes detection across a user's network harder.

How did it work? Users are lured to install a malicious app on their mobile device. This malicious app then contains additional malicious code which attempts to download a payload based on information obtained from the compromised device. This ensures only very specific devices are delivered the malicious payload.

So what? Innovation across APT groups is not unheard of, and it shouldn't come as a huge surprise that a group continues to modify their operations to ensure they are as stealthy as can be. This should be another warning sign to folks in geo-politically "hot" regions that it is entirely possible that you can become a victim of a highly motivated group. The DoNot team is known for targeting Kashmiri non-profit organizations and Pakistani government officials. The region of Kashmir is under ongoing disputes from India, China and Pakistan about its ownership.

This actor, DoNot, recently started using a new malware loader we're calling "Firestarter." Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines. These experiments, substantiated in the Firestarter loader, are a sign of how determined they are to keep their operations despite being exposed, which makes them a particularly dangerous actor operating in the espionage area. The same experiments also showed the capability of keeping their operations stealthy, as they now have the capability to decide which infections receive the final payload based on geographical and personal identification criteria.

DoNot is now leveraging Google Firebase Cloud Messaging (Google FCM) as a mandatory communication channel with the malware. This communication channel is encrypted and mixed among other communications performed by the Android operating system with the Google infrastructure; the DoNot team is hiding part of their traffic among legitimate traffic. This reduces the likelihood that researchers will access it. Even though the malicious actors still need a command and control (C2) infrastructure, the hardcoded one is only needed at installation time; afterwards it can be discarded and easily replaced by another one.