Hacking operation uses malicious Word documents to target aid organisations

Attacks have targeted organisations around the world with modified malware which aims to install backdoors on systems.
Written by Danny Palmer, Senior Writer

A newly uncovered 'nation-state level' cyber espionage operation has targeted humanitarian aid organisations around the globe via the use of backdoors hidden within malicious Word documents.

Dubbed Operation Honeybee based on the name of lure documents used during the attacks, the campaign has been discovered by security researchers at security company McAfee Labs after a new variant of the Syscon backdoor malware was spotted being distributed via phishing emails.

The malware - which appears to use a modified version of the original Syscon first observed in August - can be used to create a backdoor into the infected system, which can then be used to spy on the PC and allow attackers to steal data.

Syscon uses an FTP server for command-and-control purposes and was previously seen being used in other campaigns also related to North Korea related topics. This particular campaign begun in January and some instances of the malware are being distributed in a Word document which details the author name as 'Honeybee'.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

The malicious document contains a Visual Basic macro which when enabled, distributed Syscon, which has been active as a malware family since August 2017. The malicious intent is hidden within encoded data in a Visual Basic Script.

In one instance, a malicious document was distributed with the subject "International Federation of Red Cross and Red Crescent Societies - DPRK Country Office," which if opened, drops the backdoor implants.


Lure document used in Honeybee campaigns,

Image: McAfee

Meanwhile, other Honeybee lures remain more generic, simply telling the victim they need to 'enable content' to open the document - a cheap trick used in many malware campaigns to encourage victims to enable macros, thus allowing the malware to run.

See also: The future of cyberwar: Weaponised ransomware, IoT attacks and a new arms race

"The malware is designed to gather information on the target's system which may be used for espionage purposes," Ryan Sherstobitoff, senior analyst - major campaigns at McAfee Advanced Threat Research told ZDNet.

In addition to the malware itself, Operation Honeybee also comes equipped with a Win32-based executable dropper - named MaoCheng in the code. This too pretends to be a Word document but uses a stolen digital signature from Adobe Systems.

The purpose of this is to allow the whole process of compromise to be carried out more smoothly - and it appears that the MaoCheng Dropper has been created specifically for this campaign.

"This is an attempt to bypass the trust mechanisms in Windows to allow the code to execute unblocked," said Sherstobitoff.

Researchers say the tactics used by Honeybee have previously been seen being deployed in South Korea, but now the threat actor is widening the scope of its attacks, targeting humanitarian aid organisations in countries including Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada.

Download now: Intrusion detection policy (free PDF)

McAfee hasn't attributed the Operation Honeybee cyber attacks to any specific threat actor - only noting that those behind it speak Korean. However, they do say that the campaign points towards being the work of a nation-state.

"Based on the sophistication, speed to deployment and other characteristics, this has the hallmarks of a nation state," said Sherstobitoff, who also said Operation Honeybee could "potentially" be related to the recent Sun Team attacks.

The Sun Team hacking operation targeted North Korean defectors, along with aid groups and individuals trying to help them.


Editorial standards