Honeybee
Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. The operation has been active since August 2017 and was observed as recently as February 2018. [1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[1] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1560 | Archive Collected Data | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| Enterprise | T1020 | Automated Exfiltration | Honeybee performs data exfiltration through the following command-line command: |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Several commands are supported by Honeybee's implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[1] Honeybee used batch scripting.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.[1] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file that is read, decoded, and dropped to disk by the macro.[1] |
| Enterprise | T1546.009 | Event Triggered Execution: AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using |
| Enterprise | T1083 | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files with keyword matches for computer names or certain keywords.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and deletes the CAB file that gets encoded upon infection.[1] |
| Enterprise | T1112 | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1057 | Process Discovery | Honeybee gathers a list of processes using the |
| Enterprise | T1055 | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Honeybee uses a dropper called MaoCheng that carries a stolen digital signature from Adobe Systems.[1] |
| Enterprise | T1082 | System Information Discovery | Honeybee gathers computer name and information using the |
| Enterprise | T1569.002 | System Services: Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.[1] |
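Two of the behaviours in the table leave host telemetry that is easy to check for: the UAC bypass (cliconfg.exe picking up NTWDBLIB.dll via DLL hijacking, T1548.002) and the service persistence (the COMSysApp service being repointed at a malicious DLL, T1543.003 / T1547.001). The script below is an added detection example, not code from the ATT&CK page or from the report it cites. It reads Sysmon-style events serialized as JSON lines; the field names (`EventID`, `Image`, `ImageLoaded`, `Signed`, `TargetObject`, `Details`) are Sysmon's real ones for Event ID 7 (image loaded) and 13 (registry value set), but the sample events, file paths and the process names in them are constructed for the example. The check assumes that COMSysApp's legitimate ServiceDll lives under the system directories, and treats a `%SystemRoot%` prefix (as written by REG_EXPAND_SZ values) as `C:\Windows`.

```python
import json

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize(path: str) -> str:
    """Lower-case a path, drop surrounding quotes, and expand %SystemRoot%
    (assumed to be C:\\Windows) so REG_EXPAND_SZ values compare cleanly."""
    return path.strip('"').lower().replace("%systemroot%", "c:\\windows")


def in_system_dir(path: str) -> bool:
    """True when the path sits under System32 or SysWOW64."""
    return normalize(path).startswith(SYSTEM_DIRS)


def check_image_load(ev: dict):
    """Sysmon Event ID 7: flag cliconfg.exe loading NTWDBLIB.dll when the DLL is
    either outside the system directories or unsigned. A legitimate load would
    be a signed DLL from a system directory, so both conditions point at the
    DLL-hijack pattern the T1548.002 row describes."""
    if ev.get("EventID") != 7:
        return None
    proc = normalize(ev["Image"]).rsplit("\\", 1)[-1]
    dll = ev["ImageLoaded"]
    if proc != "cliconfg.exe" or not normalize(dll).endswith("\\ntwdblib.dll"):
        return None
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    if unsigned or not in_system_dir(dll):
        return f"possible UAC bypass: cliconfg.exe loaded {dll} (signed={not unsigned})"
    return None


def check_service_dll(ev: dict):
    """Sysmon Event ID 13: flag COMSysApp's ServiceDll value being set to a DLL
    outside the system directories, the persistence pattern from the
    T1543.003 / T1547.001 rows."""
    if ev.get("EventID") != 13:
        return None
    key = normalize(ev["TargetObject"])
    if key.endswith("\\services\\comsysapp\\parameters\\servicedll") and not in_system_dir(ev["Details"]):
        return f"COMSysApp ServiceDll redirected to {ev['Details']} by {ev['Image']}"
    return None


def scan(json_lines):
    """Run every check over each JSON-encoded event and collect the alerts."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        for check in (check_image_load, check_service_dll):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events for the example; none of these paths come from real telemetry.
SAMPLE_EVENTS = [
    # benign: cliconfg.exe loading a signed system DLL
    json.dumps({"EventID": 7, "Image": "C:\\Windows\\System32\\cliconfg.exe",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}),
    # suspicious: cliconfg.exe loading an unsigned NTWDBLIB.dll from a user-writable directory
    json.dumps({"EventID": 7, "Image": "C:\\Users\\Public\\cliconfg.exe",
                "ImageLoaded": "C:\\Users\\Public\\NTWDBLIB.dll", "Signed": "false"}),
    # benign: ServiceDll restored to its normal system location
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
                "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\COMSysApp\\Parameters\\ServiceDll",
                "Details": "%SystemRoot%\\system32\\comsvcs.dll"}),
    # suspicious: ServiceDll pointed at a DLL under ProgramData by cmd.exe (batch-file pattern)
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\System32\\cmd.exe",
                "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\COMSysApp\\Parameters\\ServiceDll",
                "Details": "C:\\ProgramData\\update\\svc.dll"}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, `scan` returns two alerts: one for the NTWDBLIB.dll load and one for the ServiceDll change, while the two benign events pass. In a real deployment the same two conditions map directly onto a SIEM rule over Sysmon events 7 and 13; the signed-status check matters because a hijacked DLL need not sit in an unusual directory to be malicious.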