
C0012 Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM. [1]

ID: C0012
Associated Names: (none)
First Seen: December 2019
Last Seen: May 2022
Version: 1.1
Created: 22 September 2022
Last Modified: 22 March 2023

Techniques Used

Domain: Enterprise

T1087 Account Discovery
  T1087.001 Local Account: During Operation CuckooBees, the threat actors used the net user command to gather account information. [1]
  T1087.002 Domain Account: During Operation CuckooBees, the threat actors used the dsquery and dsget commands to get domain environment information and to query users in administrative groups. [1]

T1071 Application Layer Protocol
  T1071.001 Web Protocols: During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners. [1]

T1560 Archive Collected Data
  T1560.001 Archive via Utility: During Operation CuckooBees, the threat actors used the Makecab utility to compress stolen data and a version of WinRAR to create password-protected archives of it prior to exfiltration. [1]

T1547 Boot or Logon Autostart Execution
  T1547.006 Kernel Modules and Extensions: During Operation CuckooBees, the threat actors used a signed kernel rootkit to establish additional persistence. [1]

T1059 Command and Scripting Interpreter
  T1059.003 Windows Command Shell: During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance. [1]
  T1059.005 Visual Basic: During Operation CuckooBees, the threat actors executed an encoded VBScript file using wscript and wrote the decoded output to a text file. [1]

T1543 Create or Modify System Process
  T1543.003 Windows Service: During Operation CuckooBees, the threat actors modified the IKEEXT and PrintNotify Windows services for persistence. [1]

T1005 Data from Local System: During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks. [1]

T1190 Exploit Public-Facing Application: During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers. [1]

T1133 External Remote Services: During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}. [1]

T1083 File and Directory Discovery: During Operation CuckooBees, the threat actors used dir c:\ to search for files. [1]

T1574 Hijack Execution Flow
  T1574.002 DLL Side-Loading: During Operation CuckooBees, the threat actors used the legitimate Windows services IKEEXT and PrintNotify to side-load malicious DLLs. [1]

T1036 Masquerading
  T1036.005 Match Legitimate Name or Location: During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files. [1]

T1135 Network Share Discovery: During Operation CuckooBees, the threat actors used the net share command as part of their advanced reconnaissance. [1]

T1027 Obfuscated Files or Information
  T1027.010 Command Obfuscation: During Operation CuckooBees, the threat actors executed an encoded VBScript file. [1]
  T1027.011 Fileless Storage: During Operation CuckooBees, the threat actors stored payloads in Windows CLFS (Common Log File System) transactional logs. [1]

T1588 Obtain Capabilities
  T1588.002 Tool: For Operation CuckooBees, the threat actors obtained publicly available JSP code that was used to deploy a webshell onto a compromised server. [1]

T1003 OS Credential Dumping
  T1003.002 Security Account Manager: During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used the following commands: reg save HKLM\SYSTEM system.hiv, reg save HKLM\SAM sam.hiv, and reg save HKLM\SECURITY security.hiv to dump the SAM, SYSTEM and SECURITY hives. [1]

T1201 Password Policy Discovery: During Operation CuckooBees, the threat actors used the net accounts command as part of their advanced reconnaissance. [1]

T1120 Peripheral Device Discovery: During Operation CuckooBees, the threat actors used the fsutil fsinfo drives command as part of their advanced reconnaissance. [1]

T1069 Permission Groups Discovery
  T1069.001 Local Groups: During Operation CuckooBees, the threat actors used the net group command as part of their advanced reconnaissance. [1]

T1057 Process Discovery: During Operation CuckooBees, the threat actors used the tasklist command as part of their advanced reconnaissance. [1]

T1018 Remote System Discovery: During Operation CuckooBees, the threat actors used the net view and ping commands as part of their advanced reconnaissance. [1]

T1053 Scheduled Task/Job
  T1053.005 Scheduled Task: During Operation CuckooBees, the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: SCHTASKS /Create /S <IP Address> /U <Username> /p <Password> /SC ONCE /TN test /TR <Path to a Batch File> /ST <Time> /RU SYSTEM. [1]

T1505 Server Software Component
  T1505.003 Web Shell: During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism. [1]

T1082 System Information Discovery: During Operation CuckooBees, the threat actors used the systeminfo command to gather details about a compromised system. [1]

T1016 System Network Configuration Discovery: During Operation CuckooBees, the threat actors used the ipconfig, nbtstat, tracert, route print, and cat /etc/hosts commands. [1]

T1049 System Network Connections Discovery: During Operation CuckooBees, the threat actors used the net session, net use, and netstat commands as part of their advanced reconnaissance. [1]

T1033 System Owner/User Discovery: During Operation CuckooBees, the threat actors used the query user and whoami commands as part of their advanced reconnaissance. [1]

T1007 System Service Discovery: During Operation CuckooBees, the threat actors used the net start command as part of their initial reconnaissance. [1]

T1124 System Time Discovery: During Operation CuckooBees, the threat actors used the net time command as part of their advanced reconnaissance. [1]

T1078 Valid Accounts
  T1078.002 Domain Accounts: During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement. [1]
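The discovery commands, registry hive exports, WinRM listener change and remote scheduled task listed above are the observable side of this campaign in endpoint telemetry. The following is an added example, not part of the ATT&CK entry or the cited report, showing one way a detection engineer could flag them in process-creation events: the credential-dumping, WinRM and scheduled-task commands each alert on a single hit, while the individually benign discovery commands only alert as a burst from one host and user. The pipe-delimited event format, host and user names, and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: "<ISO time>|<host>|<user>|<command line>".
SAMPLE_EVENTS = """\
2022-05-01T10:00:01|WS01|corp\\jdoe|net user
2022-05-01T10:00:09|WS01|corp\\jdoe|net group "domain admins" /domain
2022-05-01T10:00:15|WS01|corp\\jdoe|tasklist
2022-05-01T10:00:22|WS01|corp\\jdoe|net share
2022-05-01T10:00:30|WS01|corp\\jdoe|fsutil fsinfo drives
2022-05-01T10:00:41|WS01|corp\\jdoe|reg save HKLM\\SAM sam.hiv
2022-05-01T10:01:05|WS01|corp\\jdoe|cscript //nologo "C:\\Windows\\System32\\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}
2022-05-01T11:30:00|WS02|corp\\admin|ipconfig /all
2022-05-01T14:02:10|SRV03|corp\\svc_erp|SCHTASKS /Create /S 10.0.0.7 /U corp\\admin /p *** /SC ONCE /TN test /TR C:\\temp\\a.bat /ST 14:05 /RU SYSTEM
"""

# Discovery commands from the campaign entry: benign alone, suspicious as a burst from one host/user.
RECON_PATTERNS = [
    r"^net (user|group|share|accounts|view|session|use|start|time)\b",
    r"^(tasklist|systeminfo|ipconfig|nbtstat|tracert|netstat|whoami|ping|dsquery|dsget)\b",
    r"^(route print|query user|fsutil fsinfo drives|dir c:)",
]
# Single events that warrant an alert on their own (matched against the lowercased command line).
HIGH_SEVERITY = {
    "T1003.002 export of SAM/SYSTEM/SECURITY hive via reg save": r"^reg save hklm\\(sam|system|security)\b",
    "T1133 WinRM compatibility HTTPS listener enabled via winrm.vbs": r'winrm\.vbs.*enablecompatibilityhttpslistener="?true',
    "T1053.005 remote scheduled task created to run as SYSTEM": r"^schtasks /create .*/s \S+.*/ru system\b",
}

def parse_events(text):
    """Split each pipe-delimited line into (timestamp, host, user, command line)."""
    return [(datetime.fromisoformat(t), h, u, c) for t, h, u, c in (l.split("|", 3) for l in text.splitlines())]

def analyze(text, window=timedelta(minutes=10), threshold=5):
    """Return (host, user, label) findings: high-severity hits plus per-(host, user) discovery bursts."""
    findings, recon = [], defaultdict(list)
    for ts, host, user, cmd in parse_events(text):
        norm = " ".join(cmd.lower().split())  # case- and whitespace-insensitive matching
        findings += [(host, user, label) for label, pat in HIGH_SEVERITY.items() if re.search(pat, norm)]
        if any(re.match(p, norm) for p in RECON_PATTERNS):
            recon[(host, user)].append((ts, norm))
    for (host, user), hits in recon.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window over the sorted discovery commands
            distinct = {c for t, c in hits[i:] if t - start <= window}
            if len(distinct) >= threshold:
                findings.append((host, user, f"discovery burst: {len(distinct)} distinct commands within {window.seconds // 60} min"))
                break
    return findings
```

Run against the sample, the WS02 `ipconfig /all` on its own produces nothing, which is the point of the burst rule: the signal is the cluster of discovery commands, not any one of them.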

Software

S0105 dsquery [1]

References