Hornbill

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.[1]

ID: S1077
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 09 June 2023
Last Modified: 07 October 2023

Techniques Used

Domain ID Name Use
Mobile T1626.001 Abuse Elevation Control Mechanism: Device Administrator Permissions

Hornbill can request device administrator privileges.[1]

Mobile T1517 Access Notifications

Hornbill has monitored for SMS and WhatsApp notifications.[1]

Mobile T1437.001 Application Layer Protocol: Web Protocols

Hornbill can use HTTP and HTTP POST to communicate information to the C2.[1]

Mobile T1429 Audio Capture

Hornbill can record environmental and call audio.[1]

Mobile T1533 Data from Local System

Hornbill can access images stored on external storage.[1]

Mobile T1646 Exfiltration Over C2 Channel

Hornbill can exfiltrate data back to the C2 server using HTTP.[1]

Mobile T1420 File and Directory Discovery

Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.[1]

Mobile T1628.002 Hide Artifacts: User Evasion

Hornbill uses an infrequent data upload schedule to avoid user detection and battery drain. It can also delete on-device data after it has been sent to the C2, and stores collected data in hidden folders on external storage.[1]

Mobile T1630.002 Indicator Removal on Host: File Deletion

Hornbill can delete locally gathered files after uploading them to the C2 to avoid suspicion.[1]

Mobile T1430 Location Tracking

Hornbill can access a device’s location and check if GPS is enabled. Hornbill has logic to only log location changes greater than 70 meters.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

Hornbill has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.[1]

Mobile T1636.002 Protected User Data: Call Log

Hornbill can gather device call logs.[1]

Mobile T1636.003 Protected User Data: Contact List

Hornbill can collect device contacts.[1]

Mobile T1513 Screen Capture

Hornbill can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.[1]

Mobile T1418 Software Discovery

Hornbill can search for installed applications such as WhatsApp.[1]

Mobile T1409 Stored Application Data

Hornbill can collect voice notes and messages from WhatsApp, if installed.[1]

Mobile T1426 System Information Discovery

Hornbill can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.[1]

Mobile T1422 System Network Configuration Discovery

Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.[1]

Mobile T1422.001 System Network Configuration Discovery: Internet Connection Discovery

Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.[1]

Mobile T1422.002 System Network Configuration Discovery: Wi-Fi Discovery

Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.[1]

Mobile T1512 Video Capture

Hornbill can access a device’s camera and take photos.[1]

Groups That Use This Software

ID Name References
G0142 Confucius [1]

References