Two Android spyware strains named Hornbill and SunBird were recently discovered with possible connections to the advanced persistent threat (APT) group called Confucius. The group first appeared in 2013 as a hacking group, primarily pursuing Pakistani and other South Asian targets. Confucius has created mainly Windows malware in the past. However, after the spying app ChatSpy came into existence in 2017, the group has extended its mobile malware capabilities.
The two Android malware strains, Hornbill and SunBird, are embedded inside fake Android applications and used as spyware for monitoring and exfiltrating data from the mobile phones of their targets. These fake Android applications were used to spy on Pakistan’s military and nuclear authorities, along with election officials from Kashmir. The counterfeit apps contain advanced capabilities, including capturing photos from the camera, capturing the geolocation, scraping WhatsApp messages and media, and requesting elevated privileges. The data is first collected in SQLite databases, compressed to ZIP files and uploaded to the hacker’s C2 servers.
Counterfeit applications published by the APT group mimic various genuine-looking applications. The SunBird strain has been embedded into fake applications with legitimate-looking names such as “Google Security Framework,” “Falconry Connect,” “Mania Soccer,” and “Quran Majeed.” According to security researchers at Lookout, apps embedded with SunBird have more extensive malicious capabilities than Hornbill.
While Hornbill works as spyware used to extract data of interest from the target device, SunBird additionally works as a remote access trojan (RAT), allowing hackers to execute commands on an infected device. Both malware programs can exfiltrate a wide range of data from target devices.
Data exfiltrated by Hornbill and SunBird:
- Call logs
- Contacts
- Device metadata, including phone number, IMEI/Android ID, model and manufacturer, and Android version details
- Geolocation
- Images stored on external storage
- WhatsApp voice notes, if installed
Actions performed on target devices:
- Requesting device administrator privileges
- Taking screenshots and capturing whatever a victim is currently viewing on their device
- Taking photos with the device camera
- Recording environment and call audio
- Scraping WhatsApp messages, contacts, and notifications via accessibility services
The SunBird malware consists of certain additional malicious capabilities when compared with Hornbill. The additional data exfiltrated by SunBird includes:
- List of installed applications
- Browser history
- Calendar information
- BlackBerry Messenger (BBM) audio files, documents, and images
- WhatsApp Audio files, documents, databases, voice notes, and images
- Content sent and received via IMO instant messaging application
Additional actions performed by SunBird include:
- Downloading attacker-specified content from FTP shares
- Running arbitrary commands as root, if possible
- Scraping BBM messages, contacts, and notifications via accessibility services
The Confucius APT malware campaign involves social engineering tactics for luring unsuspecting targets to download these applications from direct links. Multiple malicious applications with the SunBird and Hornbill strains are hosted on third-party app stores. Apps embedded with the Hornbill strain are more passive in nature, target a limited set of data, and are used as a reconnaissance tool. The malware only uploads data to the C2 server when it runs for the first time on the infected device. Hornbill keeps mobile internet and battery usage low by only uploading new data from target devices. On the other hand, the SunBird strain uploads data in fixed intervals. Hornbill actors seem more interested in monitoring the user’s WhatsApp activity, and Hornbill abuses the Android accessibility services to detect an active WhatsApp call and record it.
Researchers believe that the same threat actor is behind both the malware, and neither of these apps were distributed via Google Play or any authorized app stores.
Possible targets of the campaign and exfiltrated data
Security researchers were able to get access to 18GB of exfiltrated data exposed on insecurely configured C2 servers of the SunBird malware. The data also included the location of the infected devices, which helped researchers determine the possible targets of this malware campaign. Some of the targets identified included individuals related to Pakistan Air Force (PAF), Pakistan Atomic Energy Commission, and other departments.
The data exfiltrated by SunBird included information such as SMS messages, contacts, and call logs uploaded at fixed intervals.
Connection to Confucius APT
Similar to fake Android applications, the Confucius APT group also targets Windows systems. We analyzed a Confucius malware sample and observed that the attack kill chain starts with a word document delivered to the target. The document is crafted in a way that encourages the target to open that document. Once the user opens the document, it uses template injection to download the RTF exploit that downloads the final stage payload.
The RTF contains a DLL embedded in an OLE object, as shown in the image below.
The embedded DLL file, bing.dll (SHA-256: 8b535452727edf06280c495b190c10eb0a90522fad1c61cae8bfeef9b84a4879) contains an export “mark” and is responsible for downloading the payload. The name of the released .dll file is linknew.dll.
The malware also checks for the presence of a debugger and whether it is being executed in a virtual environment. The malicious bing.dll connects to “hxxp://mlservices.online/content/upgrade” to download the payload file. An LNK file named update.lnk and pointing to the payload file update.exe is dropped to the startup folders – “%AppData%Microsoft\Windows\Start Menu\Programs\Startup” – for adding persistence. After dropping the payload, it runs in the background and performs spyware activities similar to Hornbill and SunBird. We are sharing indicators of compromise (IOCs) related to Confucius windows malware and fake Android applications.
Security recommendations
- Ensure antivirus software and associated files are up to date
- Search for existing signs of the indicated IOCs in your environment
- Consider blocking or setting up detection for all URL and IP-based IOCs
- Download applications from official app stores, such as Google Play Store and Apple App Store
- Avoid websites providing bootleg Android APKs and iOS APPs
- Keep applications and operating systems running at the current released patch level
- Exercise caution while opening attachments and links in emails
- Keep systems fully patched to mitigate vulnerabilities effectively
Indicators of compromise
| SHA-1 Hashes |
| Hornbill |
| b6b239ccef57a261a254f5167357dc9096618939 |
| 1f1bab3c5a60275384083ef9e2a5b9fe6c194a35 |
| 704579a14a2ee80c89ad12019e19e50eb27dffea |
| 3372458b73d3d5c3957a75dfe6cff62c5cd3cd4f |
| 77867ddb68b68a340ccdb79bd9d46281d5956fa5 |
| c504cef5e0e04b15d21388e6f9cc2c320071d50b |
| 0cc49097778372fdf1ba2143e31a8f235342f9c9 |
| SunBird |
| 9b684cff07f98083bdb085cb846929ebca2c3df1 |
| 2ecb5b88b12ba44cfce2f51df7f16fbd4754aea2 |
| 665d23eda84cd008ccde013bde6a836976bcc4fc |
| a38931d68b26f04a94241f2155bcbf465b3fa99a |
| df5188225ab6de0a6e71635e997c4473c02d6527 |
| e01729e5ceb827318e5198a24a12ae6d6bbc4ab3 |
| 8ae67888befb4f01f216d94f07051fc047150ceb |
| 41268c45dc2453469ea8a0a0c615bdb562d1d9de |
| a4161cfe2d6146566094ee979ea893cd2fe3ae72 |
| 03d199cff2be8667932933d1bcb6bb58d364545a |
| fc2929a021ca1e83f0d87ca9c9c85df0057373e5 |
| a6128100cd9c505e12af16a163d4fea35c42808a |
| 6b75e6df7744a232a350658ad06e9574483a0b8b |
| be524a5a42b4b3f48f5571311f9be683024b6939 |
| SHA-256 Hashes – Confucius |
| 8b535452727edf06280c495b190c10eb0a90522fad1c61cae8bfeef9b84a4879 |
| 8ecf1c276e10e3f3e9f7bc9e728fde9abea23348a2af6ce70269008d632a412d |
| 3ce48f371129a086935b031333387ea73282bda5f22ff78c85ee7f0f5e4625fe |
| 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126 |
| 07277c9f33d0ae873c2be3742669594acc18c7aa93ecadb8b2ce9b870baceb2f |
| ea52d6358d53fc79e1ab61f64cb77bb47f773f0aa29223b115811e2f339e85f5 |
| 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424 |
| 2f5fc653550b0b5d093427263b26892e3468e125686eb41206319c7060212c40 |
| b9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e |
| 4500851dad1ac87165fc938fe5034983c10423f800bbc2661741f39e43ab8c8d |
| a3cd781b14d75de94e5263ce37a572cdf5fe5013ec85ff8daeee3783ff95b073 |
| 59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c |
| 59cd62ad204e536b178db3e2ea10b36c782be4aa4849c10eef8484433a524297 |
| Command and Control Infrastructure |
| Hornbill |
| pieupdate[.]online |
| chatk.goldenbirdcoin[.]com |
| cucuchat[.]com |
| 184.154.203[.]90 |
| 69.175.35[.]98 |
| samaatv[.]online |
| tea-time[.]link |
| SunBird |
| data10.000webhostapp[.]com |
| global134.000webhostapp[.]com |
| wixten.000webhostapp[.]com |
| sunshinereal.000webhostapp[.]com |
| 23.82.19[.]250 |
| Confucius |
| Mlservices[.]online |
| msoffice.user-assist[.]site |
| msoffice.user-assist[.]site |
| Wordupdate[.]com |
| http://wordupdate[.]com/refresh/content |
| http://mlservices[.]online/content/upgrade |
| http://wordupdate[.]com/recent/update |
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
