S1082 Sunbird
Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.[1]
| Item | Value |
|---|---|
| ID | S1082 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 August 2023 |
| Last Modified | 07 October 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | Sunbird can request device administrator privileges.[1] |
| mobile | T1532 | Archive Collected Data | Sunbird can exfiltrate collected data as a ZIP file.[1] |
| mobile | T1429 | Audio Capture | Sunbird can record environmental and call audio.[1] |
| mobile | T1623 | Command and Scripting Interpreter | - |
| mobile | T1623.001 | Unix Shell | Sunbird can try to run arbitrary commands as root.[1] |
| mobile | T1533 | Data from Local System | Sunbird can access images stored on external storage.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | Sunbird can exfiltrate compressed ZIP files containing gathered information to C2 infrastructure.[1] |
| mobile | T1544 | Ingress Tool Transfer | Sunbird can download adversary-specified content from FTP shares.[1] |
| mobile | T1430 | Location Tracking | Sunbird can access a device’s location.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.001 | Calendar Entries | Sunbird can exfiltrate calendar information.[1] |
| mobile | T1636.002 | Call Log | Sunbird can exfiltrate call logs.[1] |
| mobile | T1636.003 | Contact List | Sunbird can exfiltrate a device’s contacts.[1] |
| mobile | T1513 | Screen Capture | Sunbird can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications.[1] |
| mobile | T1418 | Software Discovery | Sunbird can exfiltrate a list of installed applications.[1] |
| mobile | T1409 | Stored Application Data | Sunbird can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes.[1] |
| mobile | T1426 | System Information Discovery | Sunbird can exfiltrate the victim device ID, model, manufacturer, and Android version.[1] |
| mobile | T1422 | System Network Configuration Discovery | Sunbird can exfiltrate the device’s phone number and IMEI.[1] |
| mobile | T1512 | Video Capture | Sunbird can access a device’s camera and take photos.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0142 | Confucius | [1] |