| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[1] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1560 | Archive Collected Data | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| Enterprise | T1020 | Automated Exfiltration | Honeybee performs data exfiltration through the following command-line command: |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Several commands are supported by Honeybee's implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[1] Honeybee used batch scripting.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.[1] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file that is read, decoded, and dropped to disk by the macro.[1] |
| Enterprise | T1546.009 | Event Triggered Execution: AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using |
| Enterprise | T1083 | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files with keyword matches for computer names or certain keywords.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and deletes the CAB file that gets encoded upon infection.[1] |
| Enterprise | T1112 | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1057 | Process Discovery | Honeybee gathers a list of processes using the |
| Enterprise | T1055 | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[1] |
| Enterprise | T1082 | System Information Discovery | Honeybee gathers computer name and information using the |
| Enterprise | T1569.002 | System Services: Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.[1] |