Higaisa
Overview
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.
Targets
Government
Regions
China · Japan · Nepal · North Korea · Poland · Russia · Singapore · Switzerland
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
TTPs — 28 techniques across 7 tactics
Initial Access
- T1566.001 Spearphishing Attachment
Execution
- T1053.005 Scheduled Task
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.007 JavaScript
- T1106 Native API
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027.001 Binary Padding
- T1027.013 Encrypted/Encoded File
- T1027.015 Compression
- T1036.004 Masquerade Task or Service
- T1140 Deobfuscate/Decode Files or Information
- T1220 XSL Script Processing
- T1564.003 Hidden Window
- T1574.001 DLL
Discovery
- T1016 System Network Configuration Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1124 System Time Discovery
- T1680 Local Storage Discovery
Command and Control
- T1001.003 Protocol or Service Impersonation
- T1071.001 Web Protocols
- T1090.001 Internal Proxy
- T1573.001 Symmetric Cryptography
Exfiltration
- T1029 Scheduled Transfer
- T1041 Exfiltration Over C2 Channel
Tools & malware (3)
PlugX · certutil · gh0st RAT
Reporting (3)
- The Return on the Higaisa APT — Singh, S., Singh, A.
- New LNK attack tied to Higaisa APT discovered — Malwarebytes Threat Intelligence Team
- COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group — PT ESC Threat Intelligence