This actor, DoNot, recently started using a new malware loader we're calling "Firestarter." Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines. The region of Kashmir is under ongoing disputes from India, China and Pakistan about its ownership. The DoNot team is known for targeting Kashmiri non-profit organizations and Pakistani government officials. This should be another warning sign to folks in geo-politically "hot" regions that it is entirely possible that you can become a victim of a highly motivated group. So what? Innovation across APT Groups is not unheard of and this shouldn't come as a huge surprise that a group continues to modify their operations to ensure they are as stealth as can be. This ensures only very specific devices are delivered the malicious payload. This malicious app then contains additional malicious code which attempts to download a payload based on information obtained from the compromised device. How did it work? Users are lured to install a malicious app on their mobile device. They are using a legitimate service within Google's infrastructure which makes it harder for detection across a users network. What's new? The DoNot APT group is making strides to experiment with new methods of delivery for their payloads.
The approach in the final payload upload denotes a highly personalized targeting policy. The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location.Įven if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure.
By Warren Mercer, Paul Rascagneres and Vitor Ventura.
0 kommentar(er)
