Skip to content

Hide Navigation Hide TOC

Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1)

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)

Cluster A Galaxy A Cluster B Galaxy B Level
File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 1
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 1
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) Attack Pattern 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern 1
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) Attack Pattern Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware 1
Hornbill - S1077 (15d78a95-af6a-4b06-8dae-76bedb0ec5a1) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 2
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 2
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 2
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 2
Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) Attack Pattern Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 2
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) Attack Pattern File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern 2
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) Attack Pattern Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) Attack Pattern 2