A recent report reveals that Google's Firebase Cloud Messaging (FCM) service is being abused by the DoNot APT threat group as a command and control (C2) mechanism.
The loader, named "Firestarter," abuses FCM, the push-notification service of Firebase, a mobile and web development platform owned by Google. FCM has been abused by cybercriminals before.
According to the report, however, this use is different: the loader uses FCM as the channel through which it receives instructions from DoNot's C2 servers, which helps the traffic avoid detection and supports the group's operations.
Cisco researchers have provided some details about the attack and how the threat actors have been operating.
“Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines,” Cisco researchers said.
They added that the experimentation seen in the Firestarter loader shows how determined the threat actors are to keep operating despite having been exposed. That determination, the researchers reiterated, makes them a very dangerous group in the cyber-espionage space.
The researchers said the DoNot team has consistently focused on Pakistan and India. The group is known for targeting Kashmiri non-profit organizations as well as Pakistani government officials.
Victims are lured into installing the malicious app on their mobile devices through direct messages, a social-engineering step. According to the researchers, the file is delivered under names such as Kashmir_Voice_v4.8.apk or kashmir_sample, themes chosen to resonate with targets concerned with the Kashmir dispute between India and Pakistan.
The app is presented to users as a chat platform, but in reality it carries a loader that starts operating once the app is opened.
Once the user installs and opens the app, it displays a message saying the chat is loading, followed by one saying the app is not supported on the device and is being uninstalled.
The message is meant to convince the user that the app was harmless and has been removed. After it is shown, the app's icon disappears from the launcher, although the app remains in the application list under the device's settings. Running in the background, the loader attempts to download a payload using FCM.
An FCM deployment has two main components for sending and receiving messages: a client app (web, Android, or iOS) that receives messages, and an app server that composes messages and sends them through the platform-specific transport service.
Here, the loader sends its Google FCM registration token to the C2 server along with device information, including the IMEI, IP address, email address, and geographical location.
The operators then decide whether to send the payload to that particular victim. The researchers said this ensures that only selected devices receive the malicious payload.
The C2 then delivers, as an FCM message, the URL from which the loader downloads the payload. On receiving the message, the loader checks whether it contains a key named "link"; if it does, it checks whether the value begins with https, and then uses that link to download the payload from the hosting server.
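As an added illustration of the tasking flow described in the preceding paragraphs (constructed example code, not Firestarter's code, not Cisco Talos material, and not the Firebase SDK), the following Python models both sides of the exchange on in-memory messages: the registration beacon the loader sends, the operator-side selection of which registered token to task, the FCM data message carrying the "link" key, and the loader's "link"/https checks. Apart from the key name "link" and the kinds of device data the report lists, every field name, the target-selection rule, and all values are assumptions.

```python
"""Offline model of the FCM-based tasking flow described in the report.

Constructed example: not Firestarter's code, not Cisco Talos material and not the
Firebase SDK. Field names other than "link", the targeting rule and every value
are assumptions made for illustration.
"""
import json
from typing import Dict, List, Optional

# Constructed registration beacons, one per infected device, carrying the kinds of
# data the report lists (FCM token, IMEI, IP, email, geolocation). All values are fake.
BEACONS = [
    json.dumps({"fcm_token": "tok-AAAA", "imei": "356938035643809",
                "ip": "203.0.113.7", "email": "alice@example.net",
                "geo": {"lat": 34.08, "lon": 74.79}}),
    json.dumps({"fcm_token": "tok-BBBB", "imei": "490154203237518",
                "ip": "198.51.100.23", "email": "bob@example.org",
                "geo": {"lat": 33.68, "lon": 73.04}}),
]


def register_device(registry: Dict[str, dict], beacon_json: str) -> str:
    """C2 side: store the beacon keyed by its FCM token; return the token."""
    beacon = json.loads(beacon_json)
    token = beacon["fcm_token"]
    registry[token] = beacon
    return token


def select_targets(registry: Dict[str, dict], wanted_emails: set) -> List[str]:
    """C2 side: decide which registered devices are tasked. The report only says
    operators choose specific devices; an allow-list on the reported email address
    is a hypothetical stand-in for that decision."""
    return [tok for tok, b in registry.items() if b.get("email") in wanted_emails]


def build_fcm_data_message(token: str, payload_url: str) -> dict:
    """C2 side: shape of an FCM data message addressed to a single token.
    Only the "link" key comes from the report; the envelope is assumed."""
    return {"token": token, "data": {"link": payload_url}}


def handle_fcm_message(message: dict) -> Optional[str]:
    """Loader side: apply the two documented checks to an incoming FCM message.
    Returns the URL to fetch, or None when the message carries no "link" key or
    the link does not begin with "https" (the loader then ignores it)."""
    link = message.get("data", {}).get("link")
    if link is None:
        return None
    if not link.startswith("https"):
        # Literal prefix check as described in the report; it is not URL validation.
        return None
    return link


def run_flow(beacons: List[str], wanted_emails: set, payload_url: str) -> Dict[str, str]:
    """End to end: register every beacon, task only the selected tokens, and return
    the token -> URL map of devices that would proceed to download the payload."""
    registry: Dict[str, dict] = {}
    for b in beacons:
        register_device(registry, b)
    fetched: Dict[str, str] = {}
    for tok in select_targets(registry, wanted_emails):
        url = handle_fcm_message(build_fcm_data_message(tok, payload_url))
        if url is not None:
            fetched[tok] = url
    return fetched


if __name__ == "__main__":
    # Only alice's device is tasked; bob's registration is recorded but left idle.
    print(run_flow(BEACONS, {"alice@example.net"},
                   "https://payload.example.invalid/stage2.apk"))
```

Two points worth noting when analysing a sample against this model: the per-token addressing is what lets operators keep the payload off untargeted (for example, researcher-controlled) devices, so a sandboxed install may never receive a "link" message at all; and a literal "begins with https" test, as the report describes it, is a prefix check rather than URL parsing, so confirm in the sample how strictly the value is handled before relying on that detail for detection.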
The researchers noted that the FCM channel is encrypted, which helps the traffic stay under the radar.
What lets the DoNot group stay under the radar for so long, the researchers observed, is that it hides part of its traffic among legitimate traffic to Google services.
In addition, the final payload is not bundled in the Android application, which makes it harder for analysts and security teams to obtain and dissect it, and therefore harder to detect the malware, the researchers reiterated.