
G0072 Honeybee

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. The operation has been active since August 2017 and as recently as February 2018.[1]

| Item | Value |
| --- | --- |
| ID | G0072 |
| Associated Names | |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 23 July 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | Honeybee uses FTP for command and control.[1] |
| enterprise | T1560 | Archive Collected Data | Honeybee adds collected files to a file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| enterprise | T1020 | Automated Exfiltration | Honeybee performs data exfiltration through the following command-line command: from (- --).txt.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Honeybee's implant supports several commands via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.[1] Honeybee used batch scripting.[1] |
| enterprise | T1059.005 | Visual Basic | Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.[1] |
| enterprise | T1005 | Data from Local System | Honeybee collects data from the local victim system.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Honeybee adds collected files to a file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Honeybee drops a Word file containing a Base64-encoded file that is read, decoded, and dropped to disk by the macro.[1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.009 | AppCert DLLs | Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser.[1] |
| enterprise | T1083 | File and Directory Discovery | Honeybee's service-based DLL implant traverses the FTP server's directories looking for files with keyword matches for computer names or certain keywords.[1] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | Honeybee removes batch files to reduce its fingerprint on the system and deletes the CAB file that gets encoded upon infection.[1] |
| enterprise | T1112 | Modify Registry | Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Honeybee drops files with base64-encoded data.[1] |
| enterprise | T1057 | Process Discovery | Honeybee gathers a list of processes using the tasklist command, which is then sent back to the control server.[1] |
| enterprise | T1055 | Process Injection | Honeybee uses a batch file to load a DLL into the svchost.exe process.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.[1] |
| enterprise | T1082 | System Information Discovery | Honeybee gathers computer name and information using the systeminfo command.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Honeybee launches a DLL file that gets executed as a service using svchost.exe.[1] |


| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0106 | cmd | - | Windows Command Shell: Command and Scripting Interpreter, File and Directory Discovery, File Deletion: Indicator Removal on Host, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery |
| S0075 | Reg | - | Modify Registry, Query Registry, Credentials in Registry: Unsecured Credentials |
| S0096 | Systeminfo | - | System Information Discovery |
| S0057 | Tasklist | - | Process Discovery, Security Software Discovery: Software Discovery, System Service Discovery |

