11 February 21, 13:15
Quote:Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.
The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other types of sensitive information.
Researchers first saw Hornbill as early as May 2018, with newer samples of the malware emerging on December 2020. They said the first Sunbird sample dates back to 2017 and was last seen active on December 2019.
“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”
The malware strains were seen in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for Sunbird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.”
Read more: https://threatpost.com/military-nuclear-...re/163830/