
G0126 Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009. [1][2][3]

ID: G0126
Associated Names:
Version: 1.0
Created: 05 March 2021
Last Modified: 22 April 2021

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071 | Application Layer Protocol | -
Enterprise | T1071.001 | Web Protocols | Higaisa used HTTP and HTTPS to send data back to its C2 server. [1][2]
Enterprise | T1547 | Boot or Logon Autostart Execution | -
Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Higaisa added a spoofed binary to the start-up folder for persistence. [1][2]
Enterprise | T1059 | Command and Scripting Interpreter | -
Enterprise | T1059.003 | Windows Command Shell | Higaisa used cmd.exe for execution. [1][2][3]
Enterprise | T1059.005 | Visual Basic | Higaisa has used VBScript code on the victim's machine. [3]
Enterprise | T1059.007 | JavaScript | Higaisa used JavaScript to execute additional files. [1][2][3]
Enterprise | T1001 | Data Obfuscation | -
Enterprise | T1001.003 | Protocol Impersonation | Higaisa used a FakeTLS session for C2 communications. [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data. [1][2]
Enterprise | T1573 | Encrypted Channel | -
Enterprise | T1573.001 | Symmetric Cryptography | Higaisa used AES-128 to encrypt C2 traffic. [2]
Enterprise | T1041 | Exfiltration Over C2 Channel | Higaisa exfiltrated data over its C2 channel. [2]
Enterprise | T1203 | Exploitation for Client Execution | Higaisa has exploited CVE-2018-0798 for execution. [3]
Enterprise | T1564 | Hide Artifacts | -
Enterprise | T1564.003 | Hidden Window | Higaisa used a payload that creates a hidden window. [3]
Enterprise | T1574 | Hijack Execution Flow | -
Enterprise | T1574.002 | DLL Side-Loading | Higaisa's JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library. [3]
Enterprise | T1036 | Masquerading | -
Enterprise | T1036.004 | Masquerade Task or Service | Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe. [1][2]
Enterprise | T1106 | Native API | Higaisa has called various native OS APIs. [2]
Enterprise | T1027 | Obfuscated Files or Information | Higaisa used Base64 encoded compressed payloads. [1][2]
Enterprise | T1027.001 | Binary Padding | Higaisa performed padding with null bytes before calculating its hash. [2]
Enterprise | T1566 | Phishing | -
Enterprise | T1566.001 | Spearphishing Attachment | Higaisa has sent spearphishing emails containing malicious attachments. [1][2]
Enterprise | T1057 | Process Discovery | Higaisa's shellcode attempted to find the process ID of the current process. [2]
Enterprise | T1090 | Proxy | -
Enterprise | T1090.001 | Internal Proxy | Higaisa discovered system proxy settings and used them if available. [2]
Enterprise | T1053 | Scheduled Task/Job | -
Enterprise | T1053.005 | Scheduled Task | Higaisa dropped and added officeupdate.exe to scheduled tasks. [1][2]
Enterprise | T1029 | Scheduled Transfer | Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes. [3]
Enterprise | T1082 | System Information Discovery | Higaisa collected the system volume serial number, GUID, and computer name. [3][1]
Enterprise | T1016 | System Network Configuration Discovery | Higaisa used ipconfig to gather network configuration information. [1][2]
Enterprise | T1124 | System Time Discovery | Higaisa used a function to gather the current time. [2]
Enterprise | T1204 | User Execution | -
Enterprise | T1204.002 | Malicious File | Higaisa used malicious e-mail attachments to lure victims into executing LNK files. [1][2]
Enterprise | T1220 | XSL Script Processing | Higaisa used an XSL file to run VBScript code. [3]

Software

ID | Name | References | Techniques (Sub-technique:Parent technique, where applicable)
S0160 | certutil | [1][3] | Archive via Utility:Archive Collected Data; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Install Root Certificate:Subvert Trust Controls
S0032 | gh0st RAT | [1] | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS:Dynamic Resolution; Symmetric Cryptography:Encrypted Channel; Encrypted Channel; DLL Side-Loading:Hijack Execution Flow; Clear Windows Event Logs:Indicator Removal; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32:System Binary Proxy Execution; System Information Discovery; Service Execution:System Services
S0013 | PlugX | [1] | DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; DLL Side-Loading:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Ingress Tool Transfer; Keylogging:Input Capture; Masquerade Task or Service:Masquerading; Match Legitimate Name or Location:Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; System Network Connections Discovery; MSBuild:Trusted Developer Utilities Proxy Execution; System Checks:Virtualization/Sandbox Evasion; Dead Drop Resolver:Web Service

References