CyberWisdom Safe Harbor Commentary on Operation Honeybee
The campaign, dubbed Operation Honeybee, was discovered by security researchers at McAfee Labs, who found that a new variant of the Syscon backdoor malware was being distributed via phishing email.
The malware appears to be a modified version of the original Syscon observed in August; it creates a backdoor on an infected system, which attackers can then use to spy on the PC and steal data.
Syscon uses an FTP server for command and control and was previously used in other campaigns built around North Korea-related themes. This particular campaign, which started in January, distributes the malware samples in Word documents whose author field lists the name “Honeybee.”
The malicious documents contain a Visual Basic macro that, when enabled, drops Syscon, a malware family that has been active since August 2017. The malicious payload is hidden as encoded data inside the Visual Basic macro.
One of the malicious documents was themed as “The International Federation of Red Cross and Red Crescent Societies – North Korea’s National Office,” and, if opened, drops the backdoor implant.
Other Honeybee lures simply tell victims they need to “enable content” to open the document – a cheap trick used in many malware campaigns to get victims to turn on macros so the malware can run. “Malicious software is designed to collect information that may be used for espionage on a target system,” Ryan Sherstobitoff, senior analyst at McAfee Advanced Threat Research, told ZDNet.
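As an added defensive illustration (not McAfee’s code or tooling), here is a small Python triage routine for the kind of lure described above: it reads the Word document’s author metadata and checks whether the OOXML package carries a VBA project with an auto-executing entry point. The function names, the `suspect_authors` list and the in-memory sample document are my own constructions; a real triage would parse vbaProject.bin properly (for example with oletools) rather than byte-scanning it.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML part names used by Word documents.
CORE_PROPS = "docProps/core.xml"
VBA_PROJECT = "word/vbaProject.bin"
DC_NS = "{http://purl.org/dc/elements/1.1/}"
# VBA auto-execute entry points commonly abused by macro droppers.
AUTO_EXEC = re.compile(rb"(AutoOpen|Document_Open|AutoExec|Workbook_Open)", re.I)

def triage_office_doc(data: bytes, suspect_authors=("honeybee",)) -> dict:
    """Return author metadata and risk flags for an OOXML (docx/docm) blob."""
    result = {"author": None, "has_macro": False, "auto_exec": False, "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if CORE_PROPS in names:
            root = ET.fromstring(z.read(CORE_PROPS))
            creator = root.find(f"{DC_NS}creator")
            if creator is not None and creator.text:
                result["author"] = creator.text.strip()
        if VBA_PROJECT in names:
            result["has_macro"] = True
            # vbaProject.bin is an OLE container; a raw byte scan is a cheap
            # first-pass indicator only, not a full VBA parse.
            if AUTO_EXEC.search(z.read(VBA_PROJECT)):
                result["auto_exec"] = True
    if result["has_macro"]:
        result["flags"].append("macro-enabled document")
    if result["auto_exec"]:
        result["flags"].append("auto-executing macro entry point")
    if result["author"] and result["author"].lower() in suspect_authors:
        result["flags"].append(f"author matches campaign indicator: {result['author']}")
    return result

def build_sample(author: str, macro: bytes = b"") -> bytes:
    """Construct a minimal OOXML container in memory (test fixture, not a real lure)."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{author}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CORE_PROPS, core)
        if macro:
            z.writestr(VBA_PROJECT, macro)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_office_doc(build_sample("Honeybee", b"Sub Document_Open()\r\n")))
```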
In addition to the malware itself, Operation Honeybee comes with a Win32-based executable dropper, named MaoCheng in the code. It too masquerades as a Word document, and it is signed with a digital signature stolen from Adobe Systems.
The aim is to make the whole compromise proceed more smoothly; the MaoCheng dropper appears to have been created specifically for this campaign.
“This is an attempt to bypass the trust mechanism in Windows to allow code execution to be unobstructed,” Sherstobitoff said.
Researchers said the tactics used by Honeybee were previously deployed against South Korea, but the threat actors are now expanding their attacks to humanitarian aid organizations in countries such as Vietnam, Singapore, Argentina, Japan, Indonesia and Canada.
McAfee did not attribute the Operation Honeybee attacks to any particular threat actor, noting only that the people behind it appear to speak Korean. They did, however, say that the campaign points to the work of a nation-state.
Sherstobitoff said: “This is a sign of a nation-state based on complexity, the speed of deployment and other features.” He also said the Honeybee operation may be “potentially” linked to the recent Sun Team attacks.
The Sun Team hacking campaign targeted North Korean defectors, as well as aid groups and individuals trying to help them.