McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
Contents
This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra.
McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.
Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.
The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.
Background
On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor. The Korean-language Word document manual.doc appeared in Vietnam on January 17, with the original …
IoC