Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	1
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	1
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	1
Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)	Malware	1
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08)	Attack Pattern	Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f)	Attack Pattern	2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	2
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	2
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc)	Attack Pattern	Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2