Higaisa
Associated Group Descriptions

Name | Description
---|---
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Higaisa used HTTP and HTTPS to send data back to its C2 server. (Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Higaisa added a spoofed binary to the start-up folder for persistence. (Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Higaisa used
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Higaisa has used VBScript code on the victim's machine. (Citation: PTSecurity Higaisa 2020)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Higaisa used JavaScript to execute additional files. (Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Higaisa used a FakeTLS session for C2 communications. (Citation: Zscaler Higaisa 2020)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Higaisa used AES-128 to encrypt C2 traffic. (Citation: Zscaler Higaisa 2020)
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Higaisa used a payload that creates a hidden window. (Citation: PTSecurity Higaisa 2020)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Higaisa's JavaScript file used a legitimate Microsoft Office 2007 package to side-load the
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Higaisa named a shellcode loader binary
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Higaisa performed padding with null bytes before calculating its hash. (Citation: Zscaler Higaisa 2020)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Higaisa used Base64-encoded compressed payloads. (Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Higaisa has sent spearphishing emails containing malicious attachments. (Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
Enterprise | T1090.001 | Proxy: Internal Proxy | Higaisa discovered system proxy settings and used them if available. (Citation: Zscaler Higaisa 2020)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Higaisa dropped and added
Enterprise | T1204.002 | User Execution: Malicious File | Higaisa used malicious e-mail attachments to lure victims into executing LNK files. (Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
References

- PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
- Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.