
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)

Hornbill is one of two mobile malware families (the other being Sunbird) known to be used by the APT group Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill carries tooling and exhibits behaviours that point to more passive reconnaissance rather than active interaction with the victim device.(Citation: lookout_hornbill_sunbird_0221)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) | Malware | 1 |
| System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) | Attack Pattern | 2 |
| Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) | Attack Pattern | User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | 2 |
| File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) | Attack Pattern | Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | 2 |
| Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) | Attack Pattern | Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) | Attack Pattern | 2 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2 |

Level 1 rows are the techniques and sub-techniques directly attributed to Hornbill; level 2 rows link each attributed sub-technique to its parent technique (or vice versa), so the parent appears in coverage even though only the sub-technique is mapped to the malware.