Higaisa

Introduction

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009. Malwarebytes Higaisa 2020 Zscaler Higaisa 2020 PTSecurity Higaisa 2020

Activities and Tactics

Targeted Sectors: Government

Country of Origin: 🇰🇷 South Korea

Suspected Victims: China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1059.005 Visual Basic
• T1106 Native API
• T1041 Exfiltration Over C2 Channel
• T1574.001 DLL
• T1124 System Time Discovery
• T1090.001 Internal Proxy
• T1204.002 Malicious File
• T1027.013 Encrypted/Encoded File
• T1053.005 Scheduled Task
• T1082 System Information Discovery
• T1566.001 Spearphishing Attachment
• T1071.001 Web Protocols
• T1001.003 Protocol or Service Impersonation
• T1203 Exploitation for Client Execution
• T1029 Scheduled Transfer
• T1059.007 JavaScript
• T1027.001 Binary Padding
• T1027.015 Compression
• T1220 XSL Script Processing
• T1564.003 Hidden Window
• T1573.001 Symmetric Cryptography
• T1680 Local Storage Discovery
• T1547.001 Registry Run Keys / Startup Folder
• T1057 Process Discovery
• T1036.004 Masquerade Task or Service
• T1016 System Network Configuration Discovery
• T1059.003 Windows Command Shell
• T1140 Deobfuscate/Decode Files or Information

ATT&CK technique IDs (denormalized)

• T1001.003
• T1016
• T1027.001
• T1027.013
• T1027.015
• T1029
• T1036.004
• T1041
• T1053.005
• T1057
• T1059.003
• T1059.005
• T1059.007
• T1071.001
• T1082
• T1090.001
• T1106
• T1124
• T1140
• T1203
• T1204.002
• T1220
• T1547.001
• T1564.003
• T1566.001
• T1573.001
• T1574.001
• T1680

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• MobileOrder
• China Chopper
• Brat

MITRE ATT&CK Software

• PlugX (S0013) — malware
• certutil (S0160) — tool
• gh0st RAT (S0032) — malware

Attribution and Evidence

Country of Origin: South Korea Additional attribution information pending cataloguing.

References

[1] mitre-attack [2] Malwarebytes Higaisa 2020 Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. [3] PTSecurity Higaisa 2020 PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. [4] Zscaler Higaisa 2020 Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.