
G0126 Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][3][2]

Item Value
ID G0126
Associated Names
Version 1.2
Created 05 March 2021
Last Modified 22 October 2025

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Higaisa used HTTP and HTTPS to send data back to its C2 server.[1][3]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Higaisa added a spoofed binary to the start-up folder for persistence.[1][3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Higaisa used cmd.exe for execution.[1][3][2]
enterprise T1059.005 Visual Basic Higaisa has used VBScript code on the victim’s machine.[2]
enterprise T1059.007 JavaScript Higaisa used JavaScript to execute additional files.[1][3][2]
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol or Service Impersonation Higaisa used a FakeTLS session for C2 communications.[3]
enterprise T1140 Deobfuscate/Decode Files or Information Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[1][3]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Higaisa used AES-128 to encrypt C2 traffic.[3]
enterprise T1041 Exfiltration Over C2 Channel Higaisa exfiltrated data over its C2 channel.[3]
enterprise T1203 Exploitation for Client Execution Higaisa has exploited CVE-2018-0798 for execution.[2]
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Higaisa used a payload that creates a hidden window.[2]
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.[2]
enterprise T1680 Local Storage Discovery Higaisa collected the system volume serial number.[2][1]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.[1][3]
enterprise T1106 Native API Higaisa has called various native OS APIs.[3]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding Higaisa performed padding with null bytes before calculating its hash.[3]
enterprise T1027.013 Encrypted/Encoded File Higaisa used Base64 encoded compressed payloads.[1][3]
enterprise T1027.015 Compression Higaisa used Base64 encoded compressed payloads.[1][3]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Higaisa has sent spearphishing emails containing malicious attachments.[1][3]
enterprise T1057 Process Discovery Higaisa’s shellcode attempted to find the process ID of the current process.[3]
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Higaisa discovered system proxy settings and used them if available.[3]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Higaisa dropped and added officeupdate.exe to scheduled tasks.[1][3]
enterprise T1029 Scheduled Transfer Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.[2]
enterprise T1082 System Information Discovery Higaisa collected the system GUID and computer name.[2][1]
enterprise T1016 System Network Configuration Discovery Higaisa used ipconfig to gather network configuration information.[1][3]
enterprise T1124 System Time Discovery Higaisa used a function to gather the current time.[3]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Higaisa used malicious e-mail attachments to lure victims into executing LNK files.[1][3]
enterprise T1220 XSL Script Processing Higaisa used an XSL file to run VBScript code.[2]

Software

ID Name References Techniques (listed as Sub-technique:Parent technique, or Parent technique alone)
S0160 certutil [1][2] Archive via Utility:Archive Collected Data; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Install Root Certificate:Subvert Trust Controls
S0032 gh0st RAT [1] Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS:Dynamic Resolution; Symmetric Cryptography:Encrypted Channel; Encrypted Channel; DLL:Hijack Execution Flow; Clear Windows Event Logs:Indicator Removal; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32:System Binary Proxy Execution; System Information Discovery; Service Execution:System Services
S0013 PlugX [1] Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Local Data Staging:Data Staged; Debugger Evasion; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Mutual Exclusion:Execution Guardrails; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; Hidden Window:Hide Artifacts; DLL:Hijack Execution Flow; Disable or Modify System Firewall:Impair Defenses; Clear Persistence:Indicator Removal; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Local Storage Discovery; Masquerade Task or Service:Masquerading; Match Legitimate Resource Name or Location:Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Binary Padding:Obfuscated Files or Information; Dynamic API Resolution:Obfuscated Files or Information; Obfuscated Files or Information; Encrypted/Encoded File:Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task:Scheduled Task/Job; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; MSBuild:Trusted Developer Utilities Proxy Execution; Malicious File:User Execution; System Checks:Virtualization/Sandbox Evasion; Dead Drop Resolver:Web Service

References