Firestarter Android Malware Threat Intel Advisory

Published on November 2nd, 2020 | 19:00 IST

Go back to Main page

Share this Advisory:

Malware
 Firestarter
Author
 DoNot 
Threat Actor Type
 APT
Platform
 Android

 

Authored by DoNot APT group, Firestarter is a new innovative malware found in the wild, spreading across Android devices. DoNot is known for targeting Kashmiri, Pakistani organizations and officials.

The malware uses Google’s Firebase Cloud Messaging (FCM) to disguise malicious traffic as a legitimate one, to evade detection.

Command & Control (C2) is established using FCM and as a result, it is difficult to take down C2 even after its detection. This is because threat actors can instruct the device to connect to a new C2 using the same FCM infrastructure. Only Google can make necessary steps to thwart this malware’s operation.

Malware Lifecycle

  1. Malware poses as a legitimate Android application and tricks users to install it.
  2. After the installation, the user’s identity and geolocation are sent to the C2, followed by the registration process whereby it obtains an FCM token.
  3. An FCM token is generated and sent to the C2.
  4. This FCM token is used to generate a malware link to download the payload.
    Threat actor uses details such as IP address, IMEI, email address, geolocation to decide which user should receive the payload.
  5. Firestarter now receives the link to the payload from Google FCM’s messaging infrastructure and downloads it using “https” to communicate with the hosting server securely.

Once the payload is successfully executed, it activates malicious services on the victim’s Android device. These are some malicious activities traced back to Firestarter:

  • Access call history
  • Access address book
  • Access SMSs
  • Access files on the SD card
  • Obtain user information
  • Obtain network information
  • Detect location of the device
  • Access installed applications
  • Steal browser information
  • Steal calendar information
  • Steal WhatsApp information
  • Keylogging

Impact

Technical 
  • Exfiltration of user data that comprises PII and credentials.
  • Unauthorized access to PED (Personal Electronic Device) enabling command execution and filesystem access to the attacker.
  • Leaking sensitive geographical information among other data like PII.
Business
  • Attackers can use PEDs as an initial foothold to carry out espionage and other illicit activities targeting organizations and individuals.
  • Malware can be used to further the attack into company infrastructure by stealing various user related sensitive data like emails, keylogs, messages, etc.

Mitigations

  • Ensure user awareness and cyber security hygiene 
  • Install mobile threat defense solutions/ EDRs

Indicators of Compromise

Filename

kashmir_sample.apk  

Kashmir_Voice_v4.8.apk

HASHES SHA2-256

b4c112d402c2555bea91d5c03763cfed87aa0fb0122558554c9a3bc7ac345990

69f257092947e003465f24b9b0b44d489e798bd5b8cf51f7e84bc161937b2e7c

a5cfb2de4ca0f27b012cb9ae56ceacc2351c9b9f16418406edee5e45d1834650

d0a597a24f9951a5d2e7cc71702d01f63ff2b914a9585dbab5a77c69af5d60b5

e7a24751bc009bbd917df71fd4815d1483f52669e8791c95de2f44871c36f7f4

86194d9cb948d61da919e238c48a01694c92836a89c6108730f5684129830541

8770515a5e974a59f023c4c71b0c772299578f1e386f60f9dd203b64e2e2d92e

a074aa746a420a79a38e27b766d122e8340f81221fe011f644d84ff9b511f29a

3d3f61d5406149fd8f2c018fbc842ccef2f645fc22f4e5702368131c1bd4e560

3d40fdc4dc550394884f0b4e38aa8a448f91f8e935c1b51fedc4b71394fa2366

83d174c65f1c301164683c163dab3ea79d56caeda1a4379a5a055723e1cb9d00

0c2494c03f07f891c67bb31390c12c84b0bb5eea132821c0873db7a87f27ccef

b583ae22c9022fb71b06ec1bae58d0d40338432b47d5733bf550972c5cb627c4

c4971a65af3693896fdbb02f460848b354251b28067873c043366593b8dbc6f9

fa85813a90a2d0b3fc5708df2156381fdb168919b57e32f81249f8812b20e00a

fde7ca904d9ae72ea7e242ee31f7fbaee963937341ca2863d483300828a4c6e0

0c2494c03f07f891c67bb31390c12c84b0bb5eea132821c0873db7a87f27ccef

192f699e6ce2cccb2c78397392f4d85566892d9c8cf7de1175feb4d58f97d815

e8605854c8730d2e80d8a5edd8bc83eb7c397a700255754ec9140b9717f7d467

2481f133dd3594cbf18859b72faa391a4b34fd5b4261b26383242c756489bf07

0c2494c03f07f891c67bb31390c12c84b0bb5eea132821c0873db7a87f27ccef

Domain

bulk[.]fun

inapturst[.]top

seahome[.]top

fif0[.]top

apkv6.endurecif[.]top

IP Address

178.62.188.181

Be informed in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.

Subscribe now

Join the Discussions

Discuss your way into our Community about these threats and stay Vigilant and informed.

Discuss now