Operation Beebus has been unmasked by FireEye, which said that the campaign is not new – it has in fact been in effect for some time now and has been targeting the military vertical “in waves.” And it's related to Operation Shady RAT, the company said.
The term "Beebus" was coined from an initial sample in this campaign, which was originally submitted to VirusTotal on April 12, 2011. Another related sample was submitted to VirusTotal on Sept. 23, 2011. Since then the activity has ebbed and flowed.
“There is no specific pattern to this attack, we have seen days on which multiple weaponized emails were sent to several companies, and on other days we observed that the threat actor sent only one email to a specific target organization,” said FireEye, in a blog.
The security firm believes that Beebus is being perpetrated by China-based operators because of its similarities to Operation Shady RAT – an apparent state-sponsored APT that McAfee found had stolen information from at least 70 organizations. McAfee’s Shady RAT allegations drew controversy and a congressional inquiry, but the forensics are what they are.
McAfee said that Shady RAT controlled its victims using “obfuscated or encrypted HTML comments embedded in otherwise benign websites, in order to indirectly control compromised endpoints,” FireEye noted – a technique associated with the hacking-for-profit group known as Comment Group or Comment Team, believed to be associated with the Chinese government. Beebus uses the same technique.
“Based upon these correlations, we believe Beebus to be yet another APT associated with threat actors based in China,” FireEye concluded.
Beebus is designed to steal information, and begins its infiltration, as so many attacks do, with spear-phishing emails.
“We have seen this campaign use both email and drive-by downloads as a means of infecting end users,” FireEye wrote in the blog post. “The threat actor has consistently used attachment names of documents/white papers released by well-known companies. The malicious email attachment exploits some common vulnerabilities in PDF and DOC files.”
The malware gets its code loaded through DLL search order hijacking, a well-documented weakness in how Windows locates libraries: when a program requests a DLL by name alone, Windows walks a fixed list of directories (the application’s own directory first, then the system directories, the current directory and PATH), so a malicious DLL placed earlier in that list than the legitimate copy is the one that gets loaded. The malware encodes the information it collects with base64 – an encoding, not encryption, so the collected data can be recovered from a network capture without any key – and then communicates with a remote command and control (CnC) server.
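To make the two points concrete, here is an added example (not code from FireEye’s report or from the Beebus samples): a small model of the Windows DLL search order that shows why a DLL planted next to a trusted executable is loaded instead of the real copy in System32, followed by a decoder showing that base64-“encrypted” host data is readable as soon as it is captured. Every path, file name (`viewer.exe`, `helper.dll`, `C:\Users\victim\Downloads`) and beacon value below is constructed for the illustration, and the KnownDLLs set is an abbreviated stand-in for the real registry list.

```python
# Added example (not from FireEye's report): a model of the Windows DLL
# search order showing how a DLL planted next to a trusted executable wins
# over the real copy in System32, plus a decoder showing that the base64
# "encryption" of collected host data is reversible without a key.
# All paths, file names and the beacon content below are constructed.
import base64
import json
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"      # 16-bit system directory
WINDIR = r"C:\Windows"

# Names under HKLM\...\Session Manager\KnownDLLs are always mapped from
# System32 and never follow the search order (abbreviated illustrative set).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories LoadLibrary consults, in order, for an unqualified DLL name."""
    if safe_dll_search_mode:  # the default since XP SP2 / Server 2003
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]
    # Legacy order: the current directory comes right after the app directory.
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR, *path_dirs]


def resolve_dll(name, app_dir, cwd, path_dirs, fs, safe_dll_search_mode=True):
    """Return the path Windows would load `name` from, given a set `fs` of
    existing files (lower-cased full paths), or None if nothing matches."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return ntpath.join(SYSTEM32, name)
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in fs:
            return candidate
    return None


def hijack_finding(name, app_dir, cwd, path_dirs, fs, safe_dll_search_mode=True):
    """Report a search-order hijack: the name resolves outside the Windows
    system directories while a legitimate copy exists inside one of them."""
    loaded = resolve_dll(name, app_dir, cwd, path_dirs, fs, safe_dll_search_mode)
    legit = [ntpath.join(d, name) for d in (SYSTEM32, SYSTEM16, WINDIR)
             if ntpath.join(d, name).lower() in fs]
    if loaded is None or not legit:
        return None
    if loaded.lower() in {p.lower() for p in legit}:
        return None
    return {"dll": name, "loaded_from": loaded, "shadowed": legit}


# --- constructed victim filesystem (hypothetical names) ------------------
APP_DIR = r"C:\Users\victim\Downloads"            # where the lure was opened
VICTIM_FS = {
    ntpath.join(APP_DIR, "viewer.exe").lower(),     # legitimate, signed EXE
    ntpath.join(APP_DIR, "helper.dll").lower(),     # attacker's planted DLL
    ntpath.join(SYSTEM32, "helper.dll").lower(),    # real DLL the EXE wants
    ntpath.join(SYSTEM32, "kernel32.dll").lower(),
}


def demo_hijack():
    """The planted copy in the application directory shadows System32."""
    return hijack_finding("helper.dll", APP_DIR, APP_DIR, [r"C:\Tools"], VICTIM_FS)


# --- base64 is encoding, not encryption ----------------------------------
def encode_beacon(host_info):
    """What an implant of this kind sends: JSON, base64'd, no key involved."""
    return base64.b64encode(json.dumps(host_info).encode()).decode()


def decode_beacon(blob):
    """What an analyst does with a captured beacon: decode it straight back."""
    return json.loads(base64.b64decode(blob).decode())


# Constructed sample of the kind of host profile the text describes.
BEACON = encode_beacon({"os": "Windows 7", "cpu": "x86", "user": "victim", "pid": 2048})

if __name__ == "__main__":
    print(demo_hijack())
    print(BEACON, "->", decode_beacon(BEACON))
```

The practical check this suggests for responders: for any executable found in a user-writable directory, list the DLLs it imports by bare name and look for same-named files beside it that also exist under System32; a copy outside the system directories that wins the search is the hijack. Note that KnownDLLs (modelled with a short set above) are immune because Windows maps them from System32 regardless, which is why hijack-prone DLLs are usually less common ones.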
It has modules to capture system information (processor, disk, memory, OS), process ID, process start time and current user information, FireEye found. It also contains a module to download and execute additional payloads and updates.