Bleeping Computer: They donate $20,000 to Children International and The Water Project. But money comes from ransomware criminal activity, and the organizations won’t keep it.
The operation Honeybee is a cyber malicious campaign against humanitarian aid organizations in Korean Peninsula
It’s called operation Honeybee and is a cyber malicious campaign that targeted humanitarian aid organizations. It has been discovered by cybersecurity experts of McAfee. The lure are North Korean political topics and the vector of attacks fake Microsoft Word documents. Moreover, these documents, “authored by the same actor that indicate a tactical shift, do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them”, McAfee Blog stated. The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17. On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor. The Korean-language Word document manual.doc appeared in Vietnam 2 days later with the original author name of Honeybee. More documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code and author name.
The hacker behind the cyber attacks is likely a Korean speaker. He targeted not only South Korea, but abroad too
McAfee has identified “firstname.lastname@example.org” tied to Honeybee operation. The actor registered two free hosting accounts: navermail.byethost3.com, which refers to the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free account for a control server in all the implants described in cybersecurity experts analysis. Based on different elements, the author of the cyber attacks is likely a Korean speaker and he targeted those involved in humanitarian aid and inter-Korean affairs. But his operations expanded beyond Korea Peninsula borders, arriving in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. His malicious code is based on previous versions of the SYSCON backdoor. Some new droppers have not been observed before in the wild and the MaoCheng dropper was apparently created specifically for this operation (appeared just twice in the wild).