Operation Honeybee

Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[1]

ID: C0006
First Seen:  August 2017 [1]
Last Seen:  February 2018 [1]
Version: 1.1
Created: 16 September 2022
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and cliconfig.exe to bypass UAC protections.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

During Operation Honeybee, threat actors registered domains for C2.[1]

.004 Acquire Infrastructure: Server

For Operation Honeybee, at least one identified persona was used to register for a free account for a control server.[1]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

During Operation Honeybee, the threat actors had the ability to use FTP for C2.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During Operation Honeybee, the threat actors uses zip to pack collected files before exfiltration.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During Operation Honeybee, various implants used batch scripting and cmd.exe for execution.[1]

.005 Command and Scripting Interpreter: Visual Basic

For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

During Operation Honeybee, threat actors installed DLLs and backdoors as Windows services.[1]

Enterprise T1005 Data from Local System

During Operation Honeybee, the threat actors collected data from compromised hosts.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

During Operation Honeybee, stolen data was copied into a text file using the format From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt prior to compression, encoding, and exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During Operation Honeybee, malicious files were decoded prior to execution.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

During Operation Honeybee, attackers created email addresses to register for a free account for a control server used for the implants.[1]

Enterprise T1041 Exfiltration Over C2 Channel

During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers.[1]

Enterprise T1083 File and Directory Discovery

During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.[1]

Enterprise T1574 .011 Hijack Execution Flow: Services Registry Permissions Weakness

During Operation Honeybee, the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the svchost.exe process.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.[1]

Enterprise T1105 Ingress Tool Transfer

During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.[1]

Enterprise T1036 Masquerading

During Operation Honeybee, the threat actors modified the MaoCheng dropper so its icon appeared as a Word document.[1]

.005 Match Legitimate Name or Location

During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.[1]

Enterprise T1112 Modify Registry

During Operation Honeybee, the threat actors used batch files that modified registry keys.[1]

Enterprise T1106 Native API

During Operation Honeybee, the threat actors deployed malware that used API calls, including CreateProcessAsUser.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.[1]

Enterprise T1588 .004 Obtain Capabilities: Digital Certificates

For Operation Honeybee, the threat actors stole a digital signature from Adobe Systems to use with their MaoCheng dropper.[1]

Enterprise T1057 Process Discovery

During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using cmd /c tasklist > %temp%\temp.ini.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature.[1]

Enterprise T1082 System Information Discovery

During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using cmd /c systeminfo > %temp%\ temp.ini.[1]

Enterprise T1569 .002 System Services: Service Execution

During Operation Honeybee, threat actors ran sc start to start the COMSysApp as part of the service hijacking and sc stop to stop and reconfigure the COMSysApp.[1]

Enterprise T1204 .002 User Execution: Malicious File

During Operation Honeybee, threat actors relied on a victim to enable macros within a malicious Word document.[1]

Software

References