Avatar
  • The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location.
  • Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure.
  • The approach in the final payload upload denotes a highly personalized targeting policy.

What’s new? The DoNot APT group is making strides to experiment with new methods of delivery for their payloads. They are using a legitimate service within Google’s infrastructure which makes it harder for detection across a users network.

How did it work? Users are lured to install a malicious app on their mobile device. This malicious app then contains additional malicious code which attempts to download a payload based on information obtained from the compromised device. This ensures only very specific devices are delivered the malicious payload.

So what? Innovation across APT Groups is not unheard of and this shouldn’t come as a huge surprise that a group continues to modify their operations to ensure they are as stealth as can be. This should be another warning sign to folks in geo-politically “hot” regions that it is entirely possible that you can become a victim of a highly motivated group.

Read more >>>



Authors

Talos Group

Talos Security Intelligence & Research Group