Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. [1]

ID: G0072
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1182 | AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser.[1]
Enterprise | T1020 | Automated Exfiltration | Honeybee performs data exfiltration through the following command-line command: from (- --).txt.[1]
Enterprise | T1088 | Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[1]
Enterprise | T1116 | Code Signing | Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[1]
Enterprise | T1059 | Command-Line Interface | Several commands are supported by Honeybee's implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[1]
Enterprise | T1002 | Data Compressed | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1]
Enterprise | T1022 | Data Encrypted | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1]
Enterprise | T1005 | Data from Local System | Honeybee collects data from the local victim system.[1]
Enterprise | T1074 | Data Staged | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file that is read, decoded, and dropped to disk by the macro.[1]
Enterprise | T1083 | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files whose names match computer names or certain keywords.[1]
Enterprise | T1107 | File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and deletes the CAB file that gets encoded upon infection.[1]
Enterprise | T1031 | Modify Existing Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.[1]
Enterprise | T1112 | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[1]
Enterprise | T1027 | Obfuscated Files or Information | Honeybee drops files with base64-encoded data.[1]
Enterprise | T1057 | Process Discovery | Honeybee gathers a list of processes using the tasklist command, which is then sent back to the control server.[1]
Enterprise | T1055 | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.[1]
Enterprise | T1064 | Scripting | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting.[1]
Enterprise | T1035 | Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Honeybee uses FTP for command and control.[1]
Enterprise | T1082 | System Information Discovery | Honeybee gathers computer name and information using the systeminfo command.[1]
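As an added defender-side example (not part of the ATT&CK page or the cited report), the following Python scans constructed Sysmon-like events for three of the behaviours described in the table above: cliconfg.exe loading an NTWDBLIB.dll from outside System32 (the DLL-hijack UAC bypass), command lines that reconfigure the COMSysApp service, and temp.zip being written under a Temp directory as the staging step. The event field names (EventID, Image, ImageLoaded, CommandLine, TargetFilename), the sample paths and the "non-System32 path" heuristic are assumptions made for the example.

```python
import json
import re
# Constructed Sysmon-like events, one JSON object per line (EventID 7 = image load,
# 1 = process create, 11 = file create). Paths and usernames are made up for this
# example; they are not indicators from the Honeybee report.
SAMPLE_LOG = r"""
{"EventID":7,"Image":"C:\\Users\\u1\\AppData\\Local\\Temp\\cliconfg.exe","ImageLoaded":"C:\\Users\\u1\\AppData\\Local\\Temp\\NTWDBLIB.dll"}
{"EventID":7,"Image":"C:\\Windows\\System32\\cliconfg.exe","ImageLoaded":"C:\\Windows\\System32\\NTWDBLIB.dll"}
{"EventID":1,"Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc config COMSysApp start= auto"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c tasklist > out.txt"}
{"EventID":11,"Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\Users\\u1\\AppData\\Local\\Temp\\temp.zip"}
{"EventID":11,"Image":"C:\\Program Files\\7-Zip\\7z.exe","TargetFilename":"C:\\Users\\u1\\Documents\\report.zip"}
"""

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_uac_dll_hijack(ev):
    """T1088: cliconfg.exe loading NTWDBLIB.dll from outside System32 (assumed hijack location)."""
    loaded = ev.get("ImageLoaded", "")
    return (ev.get("EventID") == 7
            and _basename(ev.get("Image", "")) == "cliconfg.exe"
            and _basename(loaded) == "ntwdblib.dll"
            and not loaded.lower().startswith("c:\\windows\\system32\\"))

def check_comsysapp_tamper(ev):
    """T1031/T1060: sc config or reg add touching the COMSysApp service."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1 and "comsysapp" in cmd
            and re.search(r"\b(sc(\.exe)?\s+config|reg(\.exe)?\s+add)\b", cmd) is not None)

def check_temp_zip_staging(ev):
    """T1074: temp.zip written under a Temp directory, the staging step before the base64 upload."""
    target = ev.get("TargetFilename", "").lower()
    return ev.get("EventID") == 11 and "\\temp\\" in target and target.endswith("\\temp.zip")

RULES = {
    "uac_dll_hijack": check_uac_dll_hijack,
    "comsysapp_tamper": check_comsysapp_tamper,
    "temp_zip_staging": check_temp_zip_staging,
}

def scan(log_text):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        hits.extend((name, ev) for name, rule in RULES.items() if rule(ev))
    return hits
```

Run `scan(SAMPLE_LOG)` to see the three positive events; the legitimate System32 load, the plain tasklist command and the unrelated report.zip are deliberately included and produce no hit.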


Software

ID | Name | Techniques
S0106 | cmd [1] | Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0075 | Reg [1] | Credentials in Registry, Modify Registry, Query Registry
S0096 | Systeminfo [1] | System Information Discovery
S0057 | Tasklist [1] | Process Discovery, Security Software Discovery, System Service Discovery