Check Point Threat Alert: AAEH/Beebone



AAEH, also known as BeeBone, is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware. AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Other aliases include VObfus, VBObfus, and Changeup. The polymorphic malware has the ability to change its form with every infection. Once installed, it morphs every few hours and rapidly spreads across the network. More than two million unique samples have been detected. AAEH/Beebone has been used to download other malware families, such as Zeus, Cryptolocker, Necrus, and ZeroAccess rootkits and Cutwail Spambots.


A system infected with AAEH /Beebone may be employed to distribute malicious software, harvest users’ credentials for online services (including banking services), and extort money from users by encrypting key files and then demanding payment to return the files to a readable state. AAEH /Beebone is capable of defeating antivirus products by blocking connections to IP addresses associated with Internet security companies and by preventing antivirus tools from running on infected machines.




On April 8, 2015, a joint operation between Europol, the Dutch authorities and the FBI targeted the AAEH/Beebone botnet to take it down. The botnet was ‘sinkholed’ by registering, suspending or seizing all domain names with which the malware could communicate and then redirect traffic.




Check Point Anti-Bot blade includes relevant signatures and indicators under the name Beebone. These signatures and indicators were first introduced in October 2013. If Check Point customers see logs of the botnet’s communication, note that the botnet is not functioning and its domains are down.


However, as this malware prevents the infected host from communicating with security vendors’ web sites, we highly recommend removal of the implants from infected machines. Several remediation tools are available on Shadowserver.



US-CERT technical alert TA15-098A: