FireEye security researchers. Beebus is designed to steal information, and begins its infiltration, as so many attacks do, with spear-phishing emails.
Operation Beebus is closely related to Operation Shady RAT and was first detected in April 2011. The attacks used spear-phishing emails and drive-by downloads as the means of infecting end users. Malicious whitepapers or PDFs were mailed to targets, and by exploiting known flaws the malware was able to install Trojan backdoors on vulnerable systems. The malware communicates with a remote command-and-control (CnC) server.
FireEye discovered the attacks on some of its customers in the aerospace and defence sectors last March. The vulnerability in the Windows OS known as DLL search order hijacking was used to drop a DLL called ntshrui.DLL in the C:\Windows directory.
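The reason a planted copy in C:\Windows can win is that, in the default Windows DLL search order, the loading application's own directory is searched before System32, and explorer.exe lives in C:\Windows. The following is an added defender-side check, not code from FireEye or from the article: it models that search order over a constructed host file inventory and reports any DLL that would resolve to a copy other than its canonical System32 location. The inventory, the `CANONICAL` map and the loader list are assumptions constructed for the example; KnownDLLs (which bypass the search entirely) are out of scope.

```python
from pathlib import PureWindowsPath

# Constructed file inventory (not taken from the page): paths as a host
# inventory or EDR export might report them. Only the dropped ntshrui.DLL
# copy and its legitimate counterpart matter for the example.
INVENTORY = {
    r"C:\Windows\System32\ntshrui.dll",
    r"C:\Windows\ntshrui.dll",           # planted copy, as the article describes
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\cmd.exe",
}

# Assumed canonical locations for DLLs worth checking (hypothetical map).
CANONICAL = {
    "ntshrui.dll": r"C:\Windows\System32\ntshrui.dll",
}


def search_order(app_dir, windows_dir=r"C:\Windows", cwd=None, path_dirs=()):
    """Default DLL search order with SafeDllSearchMode enabled:
    application directory, System32, System, Windows, then CWD and PATH.
    KnownDLLs are not modelled; they are never searched on disk."""
    order = [app_dir,
             windows_dir + r"\System32",
             windows_dir + r"\System",
             windows_dir]
    if cwd:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve_dll(dll_name, app_dir, inventory, **kw):
    """Return the path the loader would pick for dll_name, or None."""
    present = {p.lower() for p in inventory}
    for directory in search_order(app_dir, **kw):
        candidate = directory.rstrip("\\") + "\\" + dll_name
        if candidate.lower() in present:
            return candidate
    return None


def find_hijacks(inventory, canonical, loaders):
    """For each loader executable, flag DLLs that resolve away from their
    canonical copy. Returns a list of (loader, dll_name, resolved_path)."""
    findings = []
    for exe in loaders:
        app_dir = str(PureWindowsPath(exe).parent)
        for dll_name, expected in canonical.items():
            resolved = resolve_dll(dll_name, app_dir, inventory)
            if resolved and resolved.lower() != expected.lower():
                findings.append((exe, dll_name, resolved))
    return findings


if __name__ == "__main__":
    for loader, dll, path in find_hijacks(
            INVENTORY, CANONICAL,
            [r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"]):
        print(f"{loader} would load {dll} from {path}")
```

Run against a real inventory, the same logic turns a vague "look for DLLs in odd places" into a concrete question: which process, given where it lives, would actually pick up the stray copy first. A loader in System32 resolves ntshrui.dll to the legitimate file and produces no finding; explorer.exe in C:\Windows does not.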
It has modules to capture system information such as processor, disk, memory, OS, process ID, process start time and current user, and another module to download and execute additional payloads and updates.
The original PDF was modified using the Ghostscript tool to produce the weaponized PDF. Researchers believe that Beebus is a Chinese campaign because of its similarities to Operation Shady RAT.
The Beebus attackers also used TTPs (tools, techniques, and procedures) identical to those of the RSA hack. Researchers believe that a group called "Comment Group" or "Comment Team," associated with the Chinese government, is behind the Operation Beebus campaign.