McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
2018-03-02 • McAfee
McAfee ATR identified Operation Honeybee as a malicious-document campaign targeting humanitarian aid organizations with North Korea-themed lures, later shifting to Word compatibility-message decoys submitted largely from South Korea. The documents used VBA macros with a custom alphabet to decode CAB files, drop SYSCON-related implants, and configure COMSysApp service persistence through DLLs loaded under svchost.exe, with UAC-bypass components such as cliconfg.exe. Related samples included a DPRK Red Cross-themed document and a signed Win32 dropper using an Adobe certificate, while infrastructure tied to the persona [email protected] included 1113427185.ifastnet.org and Byethost-hosted accounts. The report matters because it links shared author metadata, encoding keys, PDB paths, and C2 registration patterns across Honeybee and related SYSCON activity without requiring broader attribution than the source supports.
Indicators of Compromise