{"id":1244,"date":"2020-11-09T14:17:04","date_gmt":"2020-11-09T14:17:04","guid":{"rendered":"https:\/\/tomcatorange.com\/cat\/?p=1244"},"modified":"2022-11-17T22:23:54","modified_gmt":"2022-11-17T22:23:54","slug":"firestarter-android-malware-abuses-google-firebase-cloud-messaging","status":"publish","type":"post","link":"https:\/\/tomcatorange.com\/new\/2020\/11\/09\/firestarter-android-malware-abuses-google-firebase-cloud-messaging\/","title":{"rendered":"Firestarter Android Malware Abuses Google Firebase Cloud Messaging"},"content":{"rendered":"<h5 class=\"jsx-4052881089 v2-h1\">Firestarter Android Malware Abuses Google Firebase Cloud Messaging<\/h5>\n<div class=\"c-article__intro\">\n<div class=\"c-article__intro\">\n<p>The DoNot APT threat group is leveraging the legitimate Google Firebase Cloud Messaging server as a command-and-control (C2) communication mechanism.<\/p>\n<\/div>\n<div class=\"c-article__content js-reading-content\">\n<p>An APT group is starting fires with a new Android malware loader, which uses a legitimate Google messaging service to bypass detection.<\/p>\n<p>The malware, dubbed\u00a0\u201cFirestarter,\u201d is used by an\u00a0<a href=\"https:\/\/www.netscout.com\/blog\/asert\/donot-team-leverages-new-modular-malware-framework-south-asia\" target=\"_blank\" rel=\"noopener noreferrer\">APT threat group called \u201cDoNot.\u201d<\/a>\u00a0DoNot uses Firebase Cloud Messaging (FCM), which is a cross-platform cloud solution for messages and notifications for Android, iOS and web applications. The service is provided by Firebase, a subsidiary of Google, and\u00a0<a href=\"https:\/\/threatpost.com\/crooks-tap-google-firebase-in-fresh-phishing-tactic\/155967\/\" target=\"_blank\" rel=\"noopener noreferrer\">has been previously leveraged by<\/a>\u00a0cybercriminals.<\/p>\n<p>In this case, the loader uses it as a communication mechanism to connect with DoNot\u2019s command-and-control (C2) servers, helping the group\u2019s activities avoid detection.<\/p>\n<\/div>\n<\/div>\n<p>\u201cOur research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines,\u201d according to researchers with Cisco Talos <a href=\"https:\/\/blog.talosintelligence.com\/2020\/10\/donot-firestarter.html\" target=\"_blank\" rel=\"noopener noreferrer\">in a Thursday analysis<\/a>. \u201cThese experiments, substantiated in the Firestarter loader, are a sign of how determined they are to keep their operations despite being exposed, which makes them a particularly dangerous actor operating in the espionage area.\u201d<\/p>\n<p>The DoNot team continues to focus on India and Pakistan, and is known for targeting Pakistani government officials and Kashmiri non-profit organizations (Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley).<\/p>\n<p>Article&#8217;s intro is courtesy of Threatpost<\/p>\n<p><a href=\"https:\/\/threatpost.com\/firestarter-android-malware-google-firebase-cloud\/160800\/\" target=\"_blank\" rel=\"noopener noreferrer\">Continue reading&#8230;<\/a><\/p>\n<p><a href=\"https:\/\/threatpost.com\/3-month-apple-hack-vulnerabilities-critical\/159988\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-884\" src=\"https:\/\/cybervigilant.co.uk\/wp-content\/uploads\/2019\/10\/threatpost.png\" alt=\"\" width=\"249\" height=\"113\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Firestarter Android Malware Abuses Google Firebase Cloud Messaging The DoNot APT threat group is leveraging the legitimate Google Firebase Cloud Messaging server as a command-and-control (C2)<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":2,"featured_media":137,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud_security"],"acf":[],"_links":{"self":[{"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/posts\/1244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/comments?post=1244"}],"version-history":[{"count":2,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/posts\/1244\/revisions"}],"predecessor-version":[{"id":2388,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/posts\/1244\/revisions\/2388"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/media\/137"}],"wp:attachment":[{"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/media?parent=1244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/categories?post=1244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tomcatorange.com\/new\/wp-json\/wp\/v2\/tags?post=1244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}