Thursday, March 28, 2024

Firestarter Malware Abuses Google Firebase Cloud Messaging Platform to Spread

The ‘Firestarter’ malware is used by an APT threat group called “DoNot”. DoNot uses Firebase Cloud Messaging (FCM), a cross-platform cloud solution for messages and notifications for AndroidiOS, and web applications, which currently can be used at no cost.

The service is provided by Firebase, a subsidiary of Google, and has been previously leveraged by cybercriminals.

The DoNot APT group is making strides to experiment with new methods of delivery for their payloads.

They are using a legitimate service within Google’s infrastructure which makes it harder for detection across users’ networks.

The Way It Works

Users are tempted to install a malicious app on their mobile device, likely done via direct messages that utilize social engineering, researchers said. The filename of those Android applications (kashmir_sample.apk or Kashmir_Voice_v4.8.apk) shows continued interest in India, Pakistan, and the Kashmir crisis.

Once the app, which purports to be a chat platform is downloaded and opened, users receive a message that chats are continually loading, the application is not supported, and uninstallation is ongoing (as shown in the sequence below). 

This is often a lure to make the victim believe that there was no malicious install, researchers said. Once the message of uninstallation is shown, the icon is removed from the user interface. 

In the background, however, the malicious app is attempting to download a payload using FCM. Now this malicious app contains additional malicious code that attempts to download a payload based on information obtained from the compromised device. 

 The figure above shows the malicious app purports to uninstall after download. Once the message of uninstallation is shown, the icon is removed from the user interface. The only way to detect the application is by checking the application list.

While the user is presented with the messages regarding the incompatibility, the malware makes the first contact with the command and control (C2) servers. 

It will send information regarding the victim’s identity and geolocation, both crucial for the next steps the operators will perform. The complete flow consists of six steps before the malware starts receiving commands from the C2 as shown below.

After getting the Google FMC token (Step 1) the operators have everything they need to send the Google FMC message containing the URL for the malware to download, geographic location, IP address, IMEI, and email address from the victims, allowing them to decide which victims should receive the payload.

The necessity for a New Loader

Better control of the compromised devices even if the C2 is down. This new loader has two important features for the attackers. 

First, it allows them to make a decision who receives the payload, having the ability to verify the victim before sending the payload. 

Thus, they will prevent the payload from falling into researchers’ or law enforcement’s hands. Second, it provides them with a strong off-band persistence mechanism.

If the C2 server is down, the DoNot team can still redirect the malware to a different new C2 or hosting location using Google infrastructure.

Downloading the payload

Since the ultimate payload is not embedded within the Android application, analysts can’t dissect it. This approach also makes detection harder. The code snippet below is responsible for downloading the payload.

As a conclusion, DoNot team used different configuration options to permit specially created features for their web server infrastructure and also ensured backward compatibility with previous versions of their malware. 

The DoNot team continues to emphasize India and Pakistan, and this malware further enforces that.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Firebase Vulnerability Leaks 100 Million Sensitive Records – 2300 Firebase Databases & 3,000 iOS and Android Apps Affected

Nearly 2 Million Android User Attacked by “FalseGuide” Malware in Google Play Store – Beware

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles