Bee (Malware)
⚠️ Overview
Bee (also tracked as S0155 by MITRE ATT&CK) is a remote access trojan and backdoor first publicly documented in 2015 by FireEye, believed to be operated by the Chinese state-sponsored threat group APT41 (Winnti Group, Bronze Academy). It is classified as a backdoor used for persistent espionage, data exfiltration, and lateral movement within targeted networks.
🔧 Technical Capabilities
Bee propagates via spear-phishing emails carrying malicious document attachments that deliver a dropper, which then installs the backdoor payload. Its attack vectors include exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) and using PowerShell scripts for execution. The malware communicates with command-and-control (C2) servers over HTTP using encrypted POST requests, typically to hardcoded IPs or domains, and supports a plugin architecture for modular tasks such as keylogging, screen capture, file enumeration, and process manipulation. Persistence is achieved through registry Run keys, scheduled tasks, or Windows service installations. Evasion techniques include process hollowing, DLL side-loading, and disabling Windows Defender via registry modifications, as well as custom encryption (RC4 with a static key) to obfuscate C2 traffic and avoid signature-based detection.
📜 History & Notable Incidents
First observed in 2014 targeting Japanese defense contractors, educational institutions, and gaming companies, Bee was a key tool in APT41’s campaigns against the semiconductor, aerospace, and telecommunications sectors. In 2019, a variant using the “BEE” moniker was identified in attacks against U.S. think tanks and government agencies, with the group leveraging stolen certificates to sign malicious binaries. No specific CVEs are assigned to Bee itself, but it commonly exploits CVE-2017-0199 and CVE-2017-11882 for initial access. Law enforcement actions have been limited; however, in 2020, the U.S. Department of Justice indicted APT41 members, though the malware remains active.
🔍 Detection Indicators
Known hashes include file MD5 and SHA-256 values published by FireEye and Microsoft (e.g., e1d4c8b9f0a2... in threat reports). Behavioral signatures: Bee creates named pipes (e.g., `\\.\pipe\beepipe`) and writes mutex names like `Global\BEE_SESSION`. Network IOCs include HTTP User-Agent strings such as `Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36` and C2 URIs with base64-encoded parameters. Registry persistence keys include `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BeeService`.
☠️ Risk & Impact
Bee enables full remote control of compromised hosts, leading to theft of intellectual property, credentials, and sensitive corporate data, with documented exfiltration averaging several gigabytes per victim. Financial losses from IP theft and remediation costs have been estimated in the millions per incident, primarily affecting defense, technology, and government sectors across Asia and North America.
🛡️ Mitigation
Organizations should deploy endpoint detection and response (EDR) tools with rules for detecting process hollowing and DLL side-loading, apply patches for known Office vulnerabilities (CVE-2017-11882, CVE-2017-0199), and implement network segmentation to limit lateral movement. Regular monitoring of HTTP traffic for anomalous User-Agent strings and encryption patterns, combined with SIEM correlation from threat intelligence feeds (MITRE ATT&CK S0155), is recommended.
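As an added example (not taken from the profile above or from any vendor report), the following Python triage script applies the indicators listed above to constructed proxy-log lines and Run-key paths. The log line format, the client addresses, 198.51.100.10 and example.com are assumptions; because the quoted User-Agent is a common browser string, it is treated as a weak signal and only escalated when it coincides with a POST carrying a base64-encoded parameter.

```python
import base64
import re
from urllib.parse import urlsplit

# Indicators as given in the profile above (the Run key written with its path separators).
BEE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36"
BEE_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BeeService"
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Assumed proxy log format (constructed): <timestamp> <client> <method> <url> "<user-agent>"
_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def looks_base64(value: str) -> bool:
    """Well-formed base64 of useful length; short or malformed values are not flagged."""
    if not _B64_RE.match(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return True


def score_http_line(line: str) -> list[str]:
    """Return the indicators matched by one log line (empty list means nothing matched)."""
    m = _LINE_RE.match(line)
    if not m:
        return []
    _, _, method, url, ua = m.groups()
    reasons = []
    if ua.startswith(BEE_USER_AGENT):
        reasons.append("user-agent matches profile")
    # Split the query by hand: parse_qsl would turn '+' into a space and corrupt base64.
    for param in urlsplit(url).query.split("&"):
        _, _, value = param.partition("=")
        if looks_base64(value):
            reasons.append("base64-encoded query parameter")
            break
    # The UA alone is a common browser string; escalate only on a POST showing both signals.
    if method == "POST" and len(reasons) == 2:
        reasons.append("POST with both indicators: escalate")
    return reasons


def registry_hit(key_path: str) -> bool:
    """Case-insensitive match of a Run-key path (HKCU or long form) against the profile key."""
    if key_path.upper().startswith("HKCU\\"):
        key_path = "HKEY_CURRENT_USER" + key_path[4:]
    return key_path.casefold() == BEE_RUN_KEY.casefold()


SAMPLE_LOG = [  # constructed lines; addresses and hostnames are placeholders
    '2024-01-01T10:00:00Z 10.0.0.5 POST http://198.51.100.10/update.php?id=QUJDREVGR0hJSktMTU5PUA== "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"',
    '2024-01-01T10:00:05Z 10.0.0.6 GET http://example.com/index.html?page=home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2024-01-01T10:00:09Z 10.0.0.7 GET http://example.com/ "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"',
]


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> matched indicators, keeping only lines that matched something."""
    return {i: r for i, r in ((i, score_http_line(l)) for i, l in enumerate(lines)) if r}
```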
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.