Honeybee

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. The operation has been active since August 2017 and was seen as recently as February 2018. [1]

ID: G0072
Version: 1.1
Created: 17 October 2018
Last Modified: 16 April 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Access Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[1] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | Honeybee uses FTP for command and control.[1] |
| Enterprise | T1560 | Archive Collected Data | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| Enterprise | T1020 | Automated Exfiltration | Honeybee's data exfiltration is accomplished through the following command-line command: from (- --).txt.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Honeybee's implant supports several commands via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[1] Honeybee used batch scripting.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.[1] |
| Enterprise | T1005 | Data from Local System | Honeybee collects data from the local victim system.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file that the macro reads, decodes, and drops to disk.[1] |
| Enterprise | T1546.009 | Event Triggered Execution: AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser.[1] |
| Enterprise | T1083 | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files with keyword matches for computer names or certain keywords.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and deletes the CAB file that gets encoded upon infection.[1] |
| Enterprise | T1112 | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Honeybee drops files with base64-encoded data.[1] |
| Enterprise | T1057 | Process Discovery | Honeybee gathers a list of processes using the tasklist command; the list is then sent back to the control server.[1] |
| Enterprise | T1055 | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[1] |
| Enterprise | T1082 | System Information Discovery | Honeybee gathers computer name and information using the systeminfo command.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.[1] |
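
As an added example (not part of the original page or of any vendor's tooling), the sketch below turns several of the behaviours listed above into a per-host triage: it maps telemetry events to the technique IDs on this page and flags a host only when a strong signal is combined with enough distinct techniques. The event format, host names, thresholds and sample command lines are constructed assumptions.

```python
import re
from collections import defaultdict

# (technique ID from the page, event kind, pattern). The event kinds and the
# "text" field are assumptions of this example, not a real log schema.
RULES = [
    ("T1543.003", "process", re.compile(r"\b(sc(\.exe)?\s+config|reg(\.exe)?\s+add)\b.*\bCOMSysApp\b", re.I)),
    ("T1560", "file", re.compile(r"\\Temp\\temp\.zip$", re.I)),
    ("T1548.002", "image_load", re.compile(r"cliconfg\.exe\s*->\s*.*\\NTWDBLIB\.dll$", re.I)),
    ("T1057", "process", re.compile(r"(^|[\s\\/])tasklist(\.exe)?\b", re.I)),
    ("T1082", "process", re.compile(r"(^|[\s\\/])systeminfo(\.exe)?\b", re.I)),
]
# tasklist and systeminfo are routine admin tools, so alone they never flag a host.
WEAK = {"T1057", "T1082"}

def match_event(event):
    """Return the technique IDs whose rule matches a single event dict."""
    return [tid for tid, kind, rx in RULES
            if event["kind"] == kind and rx.search(event["text"])]

def triage(events, min_strong=1, min_total=3):
    """Group hits per host and flag hosts with enough distinct techniques."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_event(ev))
    flagged = {}
    for host, tids in hits.items():
        if len(tids - WEAK) >= min_strong and len(tids) >= min_total:
            flagged[host] = sorted(tids)
    return flagged

# Constructed sample telemetry (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS-01", "kind": "process", "text": r"cmd.exe /c sc config COMSysApp start= auto"},
    {"host": "WS-01", "kind": "process", "text": r"cmd.exe /c systeminfo"},
    {"host": "WS-01", "kind": "process", "text": r"cmd.exe /c tasklist"},
    {"host": "WS-01", "kind": "file", "text": r"C:\Users\a\AppData\Local\Temp\temp.zip"},
    {"host": "WS-02", "kind": "process", "text": r"C:\Windows\System32\tasklist.exe /svc"},
    {"host": "WS-02", "kind": "process", "text": r"systeminfo"},
    {"host": "WS-03", "kind": "image_load",
     "text": r"C:\Windows\System32\cliconfg.exe -> C:\Windows\System32\NTWDBLIB.dll"},
]

if __name__ == "__main__":
    for host, tids in triage(SAMPLE_EVENTS).items():
        print(host, tids)
```

Lowering `min_total` to 1 makes any single strong signal, such as the cliconfg.exe image load, sufficient to flag a host.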

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0106 | cmd | [1] | Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery |
| S0075 | Reg | [1] | Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry |
| S0096 | Systeminfo | [1] | System Information Discovery |
| S0057 | Tasklist | [1] | Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery |

References