Operation CuckooBees, Campaign C0012 | MITRE ATT&CK®

Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]

ID: C0012
First Seen: December 2019 [1]
Last Seen: May 2022 [1]
Contributors: Andrea Serrano Urea, Telefónica Tech
Version: 1.1
Created: 22 September 2022
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

During Operation CuckooBees, the threat actors used the net user command to gather account information.[1]

.002 Account Discovery: Domain Account

During Operation CuckooBees, the threat actors used the dsquery and dsget commands to get domain environment information and to query users in administrative groups.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During Operation CuckooBees, the threat actors used the Makecab utility to compress stolen data and a version of WinRAR to create password-protected archives of it prior to exfiltration.[1]

Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

During Operation CuckooBees, attackers used a signed kernel rootkit to establish additional persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.[1]

.005 Command and Scripting Interpreter: Visual Basic

During Operation CuckooBees, the threat actors executed an encoded VBScript file using wscript and wrote the decoded output to a text file.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

During Operation CuckooBees, the threat actors modified the IKEEXT and PrintNotify Windows services for persistence.[1]

Enterprise T1005 Data from Local System

During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks.[1]

Enterprise T1190 Exploit Public-Facing Application

During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.[1]

Enterprise T1133 External Remote Services

During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}.[1]

Enterprise T1083 File and Directory Discovery

During Operation CuckooBees, the threat actors used dir c:\\ to search for files.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

During Operation CuckooBees, the threat actors used the legitimate Windows services IKEEXT and PrintNotify to side-load malicious DLLs.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files.[1]

Enterprise T1135 Network Share Discovery

During Operation CuckooBees, the threat actors used the net share command as part of their advanced reconnaissance.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

During Operation CuckooBees, the threat actors executed an encoded VBScript file.[1]

.011 Obfuscated Files or Information: Fileless Storage

During Operation CuckooBees, the threat actors stored payloads in Windows CLFS (Common Log File System) transactional logs.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

For Operation CuckooBees, the threat actors obtained publicly available JSP code that was used to deploy a webshell onto a compromised server.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used the following commands to dump the SAM, SYSTEM, and SECURITY hives: reg save HKLM\\SYSTEM system.hiv, reg save HKLM\\SAM sam.hiv, and reg save HKLM\\SECURITY security.hiv.[1]

Enterprise T1201 Password Policy Discovery

During Operation CuckooBees, the threat actors used the net accounts command as part of their advanced reconnaissance.[1]

Enterprise T1120 Peripheral Device Discovery

During Operation CuckooBees, the threat actors used the fsutil fsinfo drives command as part of their advanced reconnaissance.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

During Operation CuckooBees, the threat actors used the net group command as part of their advanced reconnaissance.[1]

Enterprise T1057 Process Discovery

During Operation CuckooBees, the threat actors used the tasklist command as part of their advanced reconnaissance.[1]

Enterprise T1018 Remote System Discovery

During Operation CuckooBees, the threat actors used the net view and ping commands as part of their advanced reconnaissance.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During Operation CuckooBees, the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: SCHTASKS /Create /S <IP Address> /U <Username> /p <Password> /SC ONCE /TN test /TR <Path to a Batch File> /ST <Time> /RU SYSTEM.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism.[1]

Enterprise T1082 System Information Discovery

During Operation CuckooBees, the threat actors used the systeminfo command to gather details about a compromised system.[1]

Enterprise T1016 System Network Configuration Discovery

During Operation CuckooBees, the threat actors used ipconfig, nbtstat, tracert, route print, and cat /etc/hosts commands.[1]

Enterprise T1049 System Network Connections Discovery

During Operation CuckooBees, the threat actors used the net session, net use, and netstat commands as part of their advanced reconnaissance.[1]

Enterprise T1033 System Owner/User Discovery

During Operation CuckooBees, the threat actors used the query user and whoami commands as part of their advanced reconnaissance.[1]

Enterprise T1007 System Service Discovery

During Operation CuckooBees, the threat actors used the net start command as part of their initial reconnaissance.[1]

Enterprise T1124 System Time Discovery

During Operation CuckooBees, the threat actors used the net time command as part of their advanced reconnaissance.[1]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.[1]

Software

References