Honeybee

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. The operation has been active since August 2017 and was observed as recently as February 2018. [1]

ID: G0072
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1182 | AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser.[1]
Enterprise | T1020 | Automated Exfiltration | Honeybee's data exfiltration is accomplished through the following command-line command: from (- --).txt.[1]
Enterprise | T1088 | Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[1]
Enterprise | T1116 | Code Signing | Honeybee uses a dropper called MaoCheng that carries a digital signature stolen from Adobe Systems.[1]
Enterprise | T1059 | Command-Line Interface | Several commands are supported by Honeybee's implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[1]
Enterprise | T1002 | Data Compressed | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1]
Enterprise | T1022 | Data Encrypted | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1]
Enterprise | T1005 | Data from Local System | Honeybee collects data from the local victim system.[1]
Enterprise | T1074 | Data Staged | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file that is read, decoded, and written to disk by the macro.[1]
Enterprise | T1083 | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files whose names match computer names or certain keywords.[1]
Enterprise | T1107 | File Deletion | Honeybee removes batch files to reduce its fingerprint on the system, and also deletes the CAB file that gets encoded upon infection.[1]
Enterprise | T1031 | Modify Existing Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.[1]
Enterprise | T1112 | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[1]
Enterprise | T1027 | Obfuscated Files or Information | Honeybee drops files with base64-encoded data.[1]
Enterprise | T1057 | Process Discovery | Honeybee gathers a list of processes using the tasklist command, which is then sent back to the control server.[1]
Enterprise | T1055 | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the COMSysApp service to autostart in order to establish persistence.[1]
Enterprise | T1064 | Scripting | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting.[1]
Enterprise | T1035 | Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Honeybee uses FTP for command and control.[1]
Enterprise | T1082 | System Information Discovery | Honeybee gathers the computer name and system information using the systeminfo command.[1]
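The UAC bypass (T1088), service modification (T1031) and autostart (T1060) rows above describe host behaviour a sensor can flag. The following Python is an added example, not code from this page or from MITRE: it runs three detection rules over constructed Sysmon-style log lines. The ServiceDll registry value, the Start=2 autostart convention and the key=value log field names are assumptions, not taken from the page.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from the page) in a simplified Sysmon-like
# key=value layout: DLL loads (type=ImageLoad) and registry writes (type=RegSet).
SAMPLE_LOGS = [
    "type=ImageLoad image=C:\\Windows\\System32\\cliconfg.exe dll=C:\\Users\\bob\\AppData\\Local\\Temp\\NTWDBLIB.dll",
    "type=ImageLoad image=C:\\Windows\\System32\\cliconfg.exe dll=C:\\Windows\\System32\\NTWDBLIB.dll",
    "type=RegSet image=C:\\Windows\\System32\\cmd.exe key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\COMSysApp\\Parameters value=ServiceDll data=C:\\ProgramData\\comsys.dll",
    "type=RegSet image=C:\\Windows\\System32\\services.exe key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\COMSysApp value=Start data=2",
    "type=RegSet image=C:\\Windows\\regedit.exe key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Parameters value=ServiceDll data=C:\\Windows\\System32\\spoolsv.dll",
]

SYSTEM32 = "c:\\windows\\system32\\"
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces but not " word="


def parse(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return {k: v for k, v in FIELD.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    return path.lower().startswith(SYSTEM32)


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per log line matching a Honeybee-style behaviour."""
    alerts: List[str] = []
    for line in lines:
        ev = parse(line)
        if ev.get("type") == "ImageLoad":
            # T1088: cliconfg.exe loading NTWDBLIB.dll from anywhere but System32
            # is the DLL-hijacking UAC bypass the page describes.
            if (basename(ev["image"]) == "cliconfg.exe" and basename(ev["dll"]) == "ntwdblib.dll"
                    and not in_system32(ev["dll"])):
                alerts.append(f"uac_bypass_dll_hijack dll={ev['dll']}")
        elif ev.get("type") == "RegSet":
            key = ev["key"].lower()
            # T1031/T1055: COMSysApp's ServiceDll (assumed value name) repointed outside
            # System32 makes svchost.exe load the attacker's DLL when the service starts.
            if ("\\services\\comsysapp\\" in key and ev.get("value") == "ServiceDll"
                    and not in_system32(ev["data"])):
                alerts.append(f"comsysapp_servicedll_hijack data={ev['data']}")
            # T1060: COMSysApp switched to autostart (Start=2); weak alone, strong with the above.
            elif key.endswith("\\services\\comsysapp") and ev.get("value") == "Start" and ev["data"] == "2":
                alerts.append("comsysapp_autostart")
    return alerts
```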

Software

ID | Name | References | Techniques
S0106 | cmd | [1] | Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0075 | Reg | [1] | Credentials in Registry, Modify Registry, Query Registry
S0096 | Systeminfo | [1] | System Information Discovery
S0057 | Tasklist | [1] | Process Discovery, Security Software Discovery, System Service Discovery

References