Both malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp message content and geolocation.
Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.
The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other kinds of sensitive data.
Researchers first saw Hornbill as early as May 2018, with newer samples of the malware emerging in December 2020. They said the first SunBird sample dates back to 2017 and was last seen active in December 2019.
“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”
Malware Attack Targeting Military, Nuclear, Election Entities
The malware strains were found in attacks targeting personnel linked to Pakistan’s military and several nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for SunBird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to access, individuals in at least 14 different countries were targeted.”
For instance, attackers targeted an individual who applied for a position at the Pakistan Atomic Energy Commission, people with many contacts in the Pakistan Air Force, as well as officers responsible for electoral rolls located in the Pulwama district of Kashmir.
Regarding the initial attack vectors for the malware samples, researchers pointed to samples of SunBird found hosted on third-party app stores, providing a clue to one possible distribution mechanism. However, researchers have not yet found SunBird on the official Google Play marketplace.
SunBird has been disguised as applications such as security services (including a fictional “Google Security Framework”), applications tied to specific locations (like “Kashmir News”) or activities (including “Falconry Connect” or “Mania Soccer”). Researchers noted that the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill applications impersonate various chat (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.
“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”
Malware Surveillance Capabilities
Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes.
In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio, and scrape WhatsApp messages, contacts and notifications (via the Android accessibility service feature).
SunBird has a more extensive set of malicious functionalities than Hornbill, with the ability to upload all data at regular intervals to its C2 servers. For instance, SunBird can also collect a list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp audio files, documents, databases and images, and more. And, it can run arbitrary commands as root or download attacker-specified content from FTP shares.
“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.”
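As an added illustration (not part of the original article or of Lookout's research), the capability set described above maps onto Android permissions and service bind-permissions that an APK must declare in its manifest, which gives defenders a cheap triage check. The script below parses a constructed AndroidManifest.xml (package and component names are made up; only "SunService" is borrowed from the article) and flags apps that combine accessibility-service access with several collection capabilities.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability categories the article attributes to Hornbill/SunBird, mapped to
# the Android permissions (or service/receiver bind-permissions) that an APK
# must declare in order to use them.
CAPABILITY_SIGNALS = {
    "sms":            {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs":      {"android.permission.READ_CALL_LOG"},
    "contacts":       {"android.permission.READ_CONTACTS"},
    "geolocation":    {"android.permission.ACCESS_FINE_LOCATION"},
    "audio_capture":  {"android.permission.RECORD_AUDIO"},
    "camera":         {"android.permission.CAMERA"},
    "external_files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "accessibility":  {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin":   {"android.permission.BIND_DEVICE_ADMIN"},
}

def declared_permissions(manifest_xml):
    """Collect <uses-permission> names plus the android:permission that
    services and receivers bind with (accessibility services and device-admin
    receivers are declared that way rather than via uses-permission)."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        names |= {e.get(ANDROID_NS + "permission") for e in root.iter(tag)}
    return {n for n in names if n}

def surveillance_profile(manifest_xml):
    """Return the matched capability categories and a triage flag."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(c for c, sig in CAPABILITY_SIGNALS.items() if perms & sig)
    # Triage rule (an assumption, not a published signature): accessibility
    # access, which the article names as the WhatsApp-scraping channel,
    # combined with three or more collection capabilities warrants review.
    collection = [c for c in hits if c not in ("accessibility", "device_admin")]
    return {"capabilities": hits,
            "flagged": "accessibility" in hits and len(collection) >= 3}

# Constructed sample manifest mimicking a trojanized chat app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".SunService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Run `surveillance_profile(SAMPLE_MANIFEST)` to see the matched categories; a benign app that only declares INTERNET yields an empty capability list and is not flagged.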
Researchers named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh in India, where they believe the developers of Hornbill are located. SunBird’s name, meanwhile, stemmed from the malicious services within the malware called “SunService” – and the sunbird is also native to India, they said.
State-Sponsored APT Behind The Cyberattack
The malware families have been linked “with high confidence” to the APT Confucius. This APT has been on the cybercrime scene since 2013 as a state-sponsored, pro-India actor. The APT has previously targeted victims in Pakistan and South Asia.
“We are confident SunBird and Hornbill are two tools used by the same actor, possibly for different surveillance purposes,” said Kumar and Del Rosso.