Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Windows | defense-evasion, privilege-escalation | Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking. | System calls, Process monitoring, Authentication logs, Process command-line parameters |
Linux, macOS, Windows | discovery | Process Discovery | Honeybee gathers a list of processes using the tasklist command, which is then sent back to the control server. | Process monitoring, Process command-line parameters |
Linux, macOS, Windows, AWS, GCP, Azure | collection | Data Staged | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server. | File monitoring, Process monitoring, Process command-line parameters |
Windows | persistence, privilege-escalation | AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser. | Loaded DLLs, Process monitoring, Windows Registry |
Windows | defense-evasion | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro. | File monitoring, Process monitoring, Process command-line parameters |
Windows | persistence | Modify Existing Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL. | Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and deletes the CAB file that gets encoded upon infection. | File monitoring, Process command-line parameters, Binary file metadata |
Linux, Windows, macOS | exfiltration | Data Compressed | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server. | Binary file metadata, File monitoring, Process command-line parameters, Process monitoring |
Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Honeybee gathers the computer name and system information using the systeminfo command. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
Windows | persistence | Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence. | Windows Registry, File monitoring |
Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Honeybee drops files with base64-encoded data. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | Honeybee collects data from the local victim system. | File monitoring, Process monitoring, Process command-line parameters |
Windows | execution | Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe. | Windows Registry, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | discovery | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files whose names match computer names or certain keywords. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | Honeybee uses FTP for command and control. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
Linux, macOS, Windows | exfiltration | Data Encrypted | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server. | File monitoring, Process monitoring, Process command-line parameters, Binary file metadata |
Linux, macOS, Windows | exfiltration | Automated Exfiltration | Honeybee's data exfiltration is accomplished through the following command-line command: from (- --).txt . | File monitoring, Process monitoring, Process use of network |
Linux, macOS, Windows | defense-evasion, execution | Scripting | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting. | Process monitoring, File monitoring, Process command-line parameters |
Linux, macOS, Windows | execution | Command-Line Interface | Several commands are supported by Honeybee's implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint. | Process monitoring, Process command-line parameters |
Windows | defense-evasion | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process. | Windows Registry, File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
Linux, macOS, Windows | defense-evasion, privilege-escalation | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process. | API monitoring, Windows Registry, File monitoring, DLL monitoring, Process monitoring, Named Pipes |
macOS, Windows | defense-evasion | Code Signing | Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems. | Binary file metadata |