Operation Honeybee

Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[1]

ID: C0006
First Seen: August 2017 [1]
Last Seen: February 2018 [1]
Version: 1.1
Created: 16 September 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

During Operation Honeybee, the threat actors collected data from compromised hosts.[1]

Enterprise T1036 Masquerading

During Operation Honeybee, the threat actors modified the MaoCheng dropper so its icon appeared as a Word document.[1]

.005 Match Legitimate Name or Location

During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.[1]

Enterprise T1112 Modify Registry

During Operation Honeybee, the threat actors used batch files that modified registry keys.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

During Operation Honeybee, threat actors installed DLLs and backdoors as Windows services.[1]

Enterprise T1574 .011 Hijack Execution Flow: Services Registry Permissions Weakness

During Operation Honeybee, the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the svchost.exe process.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During Operation Honeybee, malicious files were decoded prior to execution.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During Operation Honeybee, various implants used batch scripting and cmd.exe for execution.[1]

.005 Command and Scripting Interpreter: Visual Basic

For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant.[1]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

During Operation Honeybee, the threat actors had the ability to use FTP for C2.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

During Operation Honeybee, stolen data was copied into a text file using the format From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt prior to compression, encoding, and exfiltration.[1]

Enterprise T1083 File and Directory Discovery

During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.[1]

Enterprise T1106 Native API

During Operation Honeybee, the threat actors deployed malware that used API calls, including CreateProcessAsUser.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and cliconfig.exe to bypass UAC protections.[1]

Enterprise T1204 .002 User Execution: Malicious File

During Operation Honeybee, threat actors relied on a victim to enable macros within a malicious Word document.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.[1]

Enterprise T1082 System Information Discovery

During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using cmd /c systeminfo > %temp%\temp.ini.[1]

Enterprise T1569 .002 System Services: Service Execution

During Operation Honeybee, threat actors ran sc start to start the COMSysApp as part of the service hijacking and sc stop to stop and reconfigure the COMSysApp.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

During Operation Honeybee, threat actors registered domains for C2.[1]

.004 Acquire Infrastructure: Server

For Operation Honeybee, at least one identified persona was used to register for a free account for a control server.[1]

Enterprise T1588 .004 Obtain Capabilities: Digital Certificates

For Operation Honeybee, the threat actors stole a digital signature from Adobe Systems to use with their MaoCheng dropper.[1]

Enterprise T1105 Ingress Tool Transfer

During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.[1]

Enterprise T1057 Process Discovery

During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using cmd /c tasklist > %temp%\temp.ini.[1]

Enterprise T1041 Exfiltration Over C2 Channel

During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature.[1]
