{"id":84860,"date":"2018-03-02T05:00:10","date_gmt":"2018-03-02T13:00:10","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=84860"},"modified":"2025-06-02T20:38:01","modified_gmt":"2025-06-03T03:38:01","slug":"mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups\/","title":{"rendered":"McAfee Uncovers Operation Honeybee, a Malicious Campaign Targeting Humanitarian Aid Groups"},"content":{"rendered":"

This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra.\u00a0<\/em><\/p>\n

McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.<\/p>\n

Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.<\/p>\n

The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15\u201317.<\/p>\n

\"\"<\/a><\/p>\n

Background<\/strong><\/h2>\n

\"\"<\/a><\/p>\n

On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor.<\/a> The Korean-language Word document manual.doc appeared in Vietnam on January 17, with the original author name of Honeybee.<\/p>\n

\"\"<\/a><\/p>\n

Document properties.<\/em><\/p>\n

This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON, which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea\u2013related topics. The malicious Visual Basic script uses a unique key (custom alphabet) to encode data. We have seen this in previous operations using SYSCON. This key was also used in the Honeybee campaign and appears to have been used since August 2017.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Examples of decoy documents.<\/em><\/p>\n

Several additional documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code and author name as Honeybee. Some of the malicious documents were test files without the implant. From our analysis, most these documents were submitted from South Korea, indicating that some of the targeting was in South Korea. These Honeybee documents did not contain any specific lures, rather variations of a \u201cnot compatible\u201d message attempting to convince the user to enable content.<\/p>\n

We also observed a related malicious document created January 12 by the author Windows User that contained a different encoding key, but essentially used the same macro and same type of implant as we saw with the recent Honeybee documents. This document, \u201cInternational Federation of Red Cross and Red Crescent Societies \u2013 DPRK Country Office,\u201d drops an implant with the control server address 1113427185.ifastnet.org, which resolves to the same server used by the implants dropped in the Honeybee case.<\/p>\n

\"\"<\/a><\/p>\n

The directory contents of control server 1113427185.ifastnet.org.<\/em><\/p>\n

\"\"<\/a><\/p>\n

The directory contents of ftp.byethost11.com, from Honeybee samples.<\/em><\/p>\n

\u00a0\"\"<\/a><\/strong><\/p>\n

Log files of compromised machines from February 2018 Honeybee samples.<\/em><\/p>\n

MaoCheng Dropper<\/strong><\/h3>\n

Aside from finding the malicious documents, the Advanced Threat Research team discovered a Win32-based executable dropper. This dropper uses a stolen digital signature from Adobe Systems. This certificate is also used by another Korean-language malware compiled January 16 (hash: 35904f482d37f5ce6034d6042bae207418e450f4) with an interesting program database (PDB) path.<\/p>\n

D:\\Task\\DDE Attack\\MaoCheng\\Release\\Dropper.pdb<\/p>\n

The malware is a Win32 executable that pretends to be a Word document based on its icon. This is a dropper for the same type of malware as observed with the other Word documents. This sample also dropped a decoy document with the author name Honeybee. This sample, however, contained a bug that interfered with the execution flow of the dropper, suggesting that the authors did not test the malware after code signing it.<\/p>\n

\"\"<\/a><\/p>\n

The decoy document uses the cloud-based accounting software company Xero as a lure:<\/p>\n

\"\"<\/a><\/p>\n

A decoy document from MaoCheng dropper. <\/em><\/p>\n

Possible Operator <\/strong><\/h2>\n

The Advanced Threat Research team has identified the following persona (snoopykiller@mail.ru) tied to this recent operation. Based on our analysis, the actor registered two free hosting accounts: navermail.byethost3.com, which refers to the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free account for a control server in all the implants described in our analysis.\u00a0<\/strong><\/p>\n

Technical Analysis<\/strong><\/h2>\n

Let\u2019s start with an overview of the attack:<\/p>\n

\"\"<\/a><\/p>\n

We continue with the components involved in this operation.<\/p>\n

\"\"<\/a><\/p>\n

The malicious Word file is the beginning of the infection chain and acts as a dropper for two DLL files. The Word file contains malicious Visual Basic macro code that runs when the document is opened in Word using the Document_Open() autoload function. The word file also contains a Base64-encoded file (encoded with a custom key) in it that is read, decoded, and dropped to the disk by the macro.<\/p>\n

\"\"<\/a><\/p>\n

The Document_Open() subroutine implementing the malicious functionality.<\/em><\/p>\n

The Visual Basic macro performs the following tasks:<\/p>\n