Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]

ID: G0126
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 05 March 2021
Last Modified: 22 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Higaisa used HTTP and HTTPS to send data back to its C2 server.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Higaisa added a spoofed binary to the start-up folder for persistence.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Higaisa used cmd.exe for execution.[1][2][3]

.005 Command and Scripting Interpreter: Visual Basic

Higaisa has used VBScript code on the victim's machine.[3]

.007 Command and Scripting Interpreter: JavaScript

Higaisa used JavaScript to execute additional files.[1][2][3]

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

Higaisa used a FakeTLS session for C2 communications.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[1][2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Higaisa used AES-128 to encrypt C2 traffic.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Higaisa exfiltrated data over its C2 channel.[2]

Enterprise T1203 Exploitation for Client Execution

Higaisa has exploited CVE-2018-0798 for execution.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Higaisa used a payload that creates a hidden window.[3]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.[3]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.[1][2]

Enterprise T1106 Native API

Higaisa has called various native OS APIs.[2]

Enterprise T1027 Obfuscated Files or Information

Higaisa used Base64 encoded compressed payloads.[1][2]

.001 Binary Padding

Higaisa performed padding with null bytes before calculating its hash.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Higaisa has sent spearphishing emails containing malicious attachments.[1][2]

Enterprise T1057 Process Discovery

Higaisa’s shellcode attempted to find the process ID of the current process.[2]

Enterprise T1090 .001 Proxy: Internal Proxy

Higaisa discovered system proxy settings and used them if available.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Higaisa dropped and added officeupdate.exe to scheduled tasks.[1][2]

Enterprise T1029 Scheduled Transfer

Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.[3]

Enterprise T1082 System Information Discovery

Higaisa collected the system volume serial number, GUID, and computer name.[3][1]

Enterprise T1016 System Network Configuration Discovery

Higaisa used ipconfig to gather network configuration information.[1][2]

Enterprise T1124 System Time Discovery

Higaisa used a function to gather the current time.[2]

Enterprise T1204 .002 User Execution: Malicious File

Higaisa used malicious e-mail attachments to lure victims into executing LNK files.[1][2]

Enterprise T1220 XSL Script Processing

Higaisa used an XSL file to run VBScript code.[3]

Software

ID Name References Techniques
S0160 certutil [1][3] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver

References