Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Higaisa used HTTP and HTTPS to send data back to its C2 server.[1][2] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Higaisa added a spoofed binary to the start-up folder for persistence.[1][2] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
.005 | Command and Scripting Interpreter: Visual Basic | |||
.007 | Command and Scripting Interpreter: JavaScript |
Higaisa used JavaScript to execute additional files.[1][2][3] |
||
Enterprise | T1001 | .003 | Data Obfuscation: Protocol or Service Impersonation | |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[1][2] |
|
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1041 | Exfiltration Over C2 Channel | ||
Enterprise | T1203 | Exploitation for Client Execution | ||
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window | |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Higaisa named a shellcode loader binary |
Enterprise | T1106 | Native API | ||
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Higaisa performed padding with null bytes before calculating its hash.[2] |
.013 | Obfuscated Files or Information: Encrypted/Encoded File | |||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Higaisa has sent spearphishing emails containing malicious attachments.[1][2] |
Enterprise | T1057 | Process Discovery |
Higaisa’s shellcode attempted to find the process ID of the current process.[2] |
|
Enterprise | T1090 | .001 | Proxy: Internal Proxy |
Higaisa discovered system proxy settings and used them if available.[2] |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Higaisa dropped and added |
Enterprise | T1029 | Scheduled Transfer |
Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.[3] |
|
Enterprise | T1082 | System Information Discovery |
Higaisa collected the system volume serial number, GUID, and computer name.[3][1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Higaisa used |
|
Enterprise | T1124 | System Time Discovery | ||
Enterprise | T1204 | .002 | User Execution: Malicious File |
Higaisa used malicious e-mail attachments to lure victims into executing LNK files.[1][2] |
Enterprise | T1220 | XSL Script Processing |