Skip to content

Hide Navigation Hide TOC

Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)

Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)

Cluster A Galaxy A Cluster B Galaxy B Level
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 1
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) Attack Pattern 2
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) Attack Pattern Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 2
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2