DoNot’s Firestarter abuses Google Firebase Cloud Messaging

[upnorth]

Content source

https://blog.talosintelligence.com/2020/10/donot-firestarter.html

The DoNot APT group is making strides to experiment with new methods of delivery for their payloads. They are using a legitimate service within Google's infrastructure which makes it harder for detection across a users network.

How did it work? Users are lured to install a malicious app on their mobile device. This malicious app then contains additional malicious code which attempts to download a payload based on information obtained from the compromised device. This ensures only very specific devices are delivered the malicious payload.

So what? Innovation across APT Groups is not unheard of and this shouldn't come as a huge surprise that a group continues to modify their operations to ensure they are as stealth as can be. This should be another warning sign to folks in geo-politically "hot" regions that it is entirely possible that you can become a victim of a highly motivated group.

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

By Warren Mercer, Paul Rascagneres and Vitor Ventura. * The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. * Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to...

blog.talosintelligence.com

 

[Ink]

This is human nature.

Unfortunately.

 

[upnorth]

Google does indeed produce effective products and services. I can fully understand why this one has been picked up by malicious groups.

Firebase Cloud Messaging

Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages at no cost.

firebase.google.com