Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]

ID: G0126
Contributors: Daniyal Naeem, BT Security
Version: 1.1
Created: 05 March 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1220 XSL Script Processing

Higaisa used an XSL file to run VBScript code.[3]

Enterprise T1090 .001 Proxy: Internal Proxy

Higaisa discovered system proxy settings and used them if available.[2]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.[1][2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Higaisa used AES-128 to encrypt C2 traffic.[2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Higaisa's JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Higaisa added a spoofed binary to the start-up folder for persistence.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Higaisa used cmd.exe for execution.[1][2][3]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Higaisa has used VBScript code on the victim's machine.[3]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Higaisa used JavaScript to execute additional files.[1][2][3]

Enterprise T1203 Exploitation for Client Execution

Higaisa has exploited CVE-2018-0798 for execution.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Higaisa used HTTP and HTTPS to send data back to its C2 server.[1][2]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Higaisa used a FakeTLS session for C2 communications.[2]

Enterprise T1106 Native API

Higaisa has called various native OS APIs.[2]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Higaisa performed padding with null bytes before calculating its hash.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Higaisa used Base64 encoded compressed payloads.[1][2]

Enterprise T1204 .002 User Execution: Malicious File

Higaisa used malicious e-mail attachments to lure victims into executing LNK files.[1][2]

Enterprise T1082 System Information Discovery

Higaisa collected the system volume serial number, GUID, and computer name.[3][1]

Enterprise T1124 System Time Discovery

Higaisa used a function to gather the current time.[2]

Enterprise T1016 System Network Configuration Discovery

Higaisa used ipconfig to gather network configuration information.[1][2]

Enterprise T1057 Process Discovery

Higaisa's shellcode attempted to find the process ID of the current process.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Higaisa exfiltrated data over its C2 channel.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Higaisa has sent spearphishing emails containing malicious attachments.[1][2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Higaisa used a payload that creates a hidden window.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Higaisa dropped and added officeupdate.exe to scheduled tasks.[1][2]

Enterprise T1029 Scheduled Transfer

Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.[3]

Software

ID Name References Techniques
S0160 certutil [1][3] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0032 gh0st RAT [1] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0013 PlugX [1] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol

References