
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) | Attack Pattern | 1 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) | Attack Pattern | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) | Attack Pattern | User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | 2 |
| Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 2 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) | Attack Pattern | 2 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2 |
| Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) | Attack Pattern | Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 2 |