Honeybee

Honeybee is a threat actor, an entity that executes actions with malicious intent, which has been active since at least August 2017. The actor has been observed to use specific encoding keys and macros in their operations, with the first known version of the NTWDBLIB installer appearing in November 2017. The Honeybee campaign employs a unique approach where documents do not contain specific lures; instead, they display variations of a “not compatible” message attempting to convince the user to enable content. The documents also drop decoy documents with the author name Honeybee. The Honeybee threat actor was linked to a significant event involving a malicious document created on January 12 by the author "Windows User". This document contained a different encoding key but used the same macro and implant type as seen in recent Honeybee documents. Another notable incident involved a Korean-language Word document titled "manual.doc" that surfaced in Vietnam on January 17, with the original author name of Honeybee. Log files from compromised machines have been traced back to Honeybee samples dating February 2018. In one instance, a document titled “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office,” dropped an implant with the control server address 1113427185.ifastnet.org. This server address resolves to the same server used by the implants dropped in the Honeybee case. It's important to note that despite the similar names, there is no connection between the Honeybee threat actor and legitimate entities such as Continental Traffic Service Inc.'s Honeybee TMS or the John Newman Honeybee Company.