By Domesticus in Viruses

Threat Scorecard

Ranking: 2,763
Threat Level: 10 % (Normal)
Infected Computers: 2,920
First Seen: February 8, 2013
Last Seen: September 20, 2023
OS(es) Affected: Windows

Beebus is a dangerous malware infection that targets businesses in two crucial, high-security sectors: defense and aerospace. ESG security researchers suspect that attacks involving Beebus originate in China, meaning that Beebus may be part of a state-sponsored malware campaign. This would not be the first time malware has been used in espionage and conflicts between states; some of the most dangerous malware infections of recent years, Flame and Stuxnet, are thought to have been designed by the United States and Israel to attack high-profile targets in the Middle East.

How Beebus Infects Its Targets

Beebus uses a social engineering technique, spear phishing, that has been gaining prominence because it is reliable and can be focused on a specific target. Criminals send email messages tailored to the recipient's role, employer and interests in order to trick employees of the targeted company into opening a malicious attachment. These attachments are usually DOC or PDF files, two formats that are routinely exchanged as innocuous attachments and that users, and attachment filters that only block executables, tend to trust. However, vulnerabilities in Microsoft Office and Adobe Reader allow criminals to craft PDF or DOC files that execute malicious code on the victim's computer when they are opened. Beebus is also disseminated via 'drive-by downloads', a technique in which a malicious script is inserted into a normally harmless website so that visitors are silently redirected to an attack website in the background.
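The attachments described above are the first thing a mail administrator can inspect. The following PowerShell script is an added example, not code from the original article or from any vendor: it checks that a .doc or .pdf attachment's content actually matches its extension (an RTF file renamed to .doc, which Word still opens, is a classic disguise for exploit documents) and flags PDF keywords that introduce active content. The sample files it writes to the temp directory are constructed here purely for demonstration.

```powershell
# Added example, not code from the original article: triage .doc/.pdf
# attachments by checking that content matches the extension and flagging
# PDF features that can run code. Heuristic only: a clean result does not
# prove a file is safe, and obfuscated PDF names (e.g. /J#61vaScript) are
# not caught by the plain string search used here.

function Test-BytePrefix {
    param([byte[]]$Bytes, [byte[]]$Prefix)
    if ($Bytes.Length -lt $Prefix.Length) { return $false }
    for ($i = 0; $i -lt $Prefix.Length; $i++) {
        if ($Bytes[$i] -ne $Prefix[$i]) { return $false }
    }
    return $true
}

function Get-AttachmentRisk {
    param([Parameter(Mandatory)][string]$Path)

    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $ext      = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $findings = New-Object System.Collections.Generic.List[string]

    $isPdf = Test-BytePrefix $bytes ([byte[]](0x25,0x50,0x44,0x46))                      # "%PDF"
    $isOle = Test-BytePrefix $bytes ([byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1))  # OLE2 compound file (.doc)
    $isRtf = Test-BytePrefix $bytes ([System.Text.Encoding]::ASCII.GetBytes('{\rtf'))   # RTF

    switch ($ext) {
        '.pdf' { if (-not $isPdf) { $findings.Add('named .pdf but content is not a PDF') } }
        '.doc' {
            if ($isRtf)          { $findings.Add('named .doc but content is RTF (Word opens it anyway; common exploit-document disguise)') }
            elseif (-not $isOle) { $findings.Add('named .doc but content is not an OLE compound file') }
        }
        default { $findings.Add("unexpected attachment type '$ext'") }
    }

    if ($isPdf) {
        # Decode as Latin-1 so every byte maps to exactly one character.
        $text = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
        foreach ($kw in '/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch', '/EmbeddedFile') {
            if ($text.Contains($kw)) { $findings.Add("PDF contains $kw") }
        }
    }

    [PSCustomObject]@{
        File     = [System.IO.Path]::GetFileName($Path)
        Risky    = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}

# Constructed sample files for demonstration (written to the temp directory).
$dir = Join-Path $env:TEMP 'attachment-triage-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. A minimal PDF that runs JavaScript as soon as it is opened.
$badPdf = "%PDF-1.4`n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj`n" +
          "2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj`ntrailer << /Root 1 0 R >>`n%%EOF"
[System.IO.File]::WriteAllText((Join-Path $dir 'invoice.pdf'), $badPdf)

# 2. An RTF document renamed to .doc.
[System.IO.File]::WriteAllText((Join-Path $dir 'report.doc'), '{\rtf1\ansi Quarterly report \par }')

# 3. A PDF with no active content.
[System.IO.File]::WriteAllText((Join-Path $dir 'brochure.pdf'), "%PDF-1.4`n1 0 obj << /Type /Catalog >> endobj`n%%EOF")

Get-ChildItem -Path $dir -File | ForEach-Object { Get-AttachmentRisk -Path $_.FullName } | Format-Table -AutoSize
```

On the constructed samples, invoice.pdf is reported with /OpenAction, /JavaScript and /JS, report.doc as RTF in disguise, and brochure.pdf as clean. A keyword hit is a reason to detonate the file in a sandbox, not proof of an exploit; many legitimate forms contain JavaScript, and a real gateway should decompress PDF object streams and handle hex-escaped names before searching.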

Using a known vulnerability in the document viewer, the malicious PDF or DOC file causes an executable to run, which in turn drops a malicious DLL into the victim's Windows system folder. This DLL is named ntshrui.DLL, the same name as a legitimate Windows shell DLL, which helps it blend in; it keeps Beebus on the victim's computer and starts it automatically whenever Windows starts. Once installed, Beebus connects to a remote server. It collects data from the computer and sends it, encrypted so that the traffic cannot simply be read off the wire by network defenders, to its command and control server, and then receives instructions from that server. Beebus can carry out various malicious tasks: it can be used to spy on the victim's computer and to download and install additional malware, which makes the infection highly customizable. Computer users connected to the defense and aerospace industries are advised to take steps to protect their computers from this threat.
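The persistence mechanism above gives a responder something concrete to hunt for. The following PowerShell script is an added example, not code from the original article or from any vendor: it lists every ntshrui.dll under the Windows directory, notes whether it sits where the legitimate copy belongs (System32, SysWOW64, or the WinSxS component store), checks its Authenticode signature and hash, and then reports any running process that has loaded an ntshrui.dll from somewhere else. The directory list and the choice of "expected" locations are assumptions for the hunt, not details from the article.

```powershell
# Added example, not code from the original article: hunt for the
# ntshrui.DLL persistence described above. Windows ships a legitimate,
# Microsoft-signed ntshrui.dll in System32 (and SysWOW64 on 64-bit
# systems); a copy with that name anywhere else, or one whose signature
# does not check out, deserves a closer look. Run elevated on the host
# under investigation.

function Find-NtshruiCopies {
    param([string]$Root = $env:SystemRoot)

    # Assumed "expected" locations for a legitimate copy.
    $expected = @(
        (Join-Path $Root 'System32'),
        (Join-Path $Root 'SysWOW64'),
        (Join-Path $Root 'WinSxS')      # component store holds signed reference copies
    )

    Get-ChildItem -Path $Root -Filter 'ntshrui.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dirName = $_.DirectoryName
            $inExpectedPlace = $false
            foreach ($e in $expected) {
                if ($dirName.StartsWith($e, [System.StringComparison]::OrdinalIgnoreCase)) { $inExpectedPlace = $true }
            }
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path          = $_.FullName
                ExpectedPlace = $inExpectedPlace
                SigStatus     = $sig.Status
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWriteUtc  = $_.LastWriteTimeUtc
                Suspicious    = (-not $inExpectedPlace) -or ($sig.Status -ne 'Valid')
            }
        }
}

function Find-ProcessesLoadingNtshrui {
    # Which running processes have loaded an ntshrui.dll from outside
    # System32/SysWOW64? A shell DLL is normally hosted by explorer.exe.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $syswow64 = Join-Path $env:SystemRoot 'SysWOW64'
    foreach ($p in Get-Process) {
        try { $modules = $p.Modules } catch { continue }   # protected or other-session processes throw
        foreach ($m in $modules) {
            if ($m.ModuleName -ine 'ntshrui.dll' -or -not $m.FileName) { continue }
            $dir = [System.IO.Path]::GetDirectoryName($m.FileName)
            $fromSystemDir = ($dir -ieq $system32) -or ($dir -ieq $syswow64)
            [PSCustomObject]@{
                Process    = $p.ProcessName
                PID        = $p.Id
                ModulePath = $m.FileName
                Suspicious = (-not $fromSystemDir)
            }
        }
    }
}

Find-NtshruiCopies | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Find-ProcessesLoadingNtshrui | Where-Object Suspicious | Format-Table -AutoSize
```

Two caveats when reading the output. System binaries are usually catalog-signed rather than carrying an embedded signature; current Windows versions resolve that and report Valid, but older ones can report NotSigned for a perfectly legitimate System32 copy, so treat location as the primary signal and confirm a doubtful file by comparing its hash against a known-good host rather than taking NotSigned as proof. Second, the recursive search only covers the Windows directory; widen `-Root` (or search every fixed drive) if the dropper may have written elsewhere.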


Beebus may call the following URLs:

