
Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
ID: G0126
Associated Groups: 
Version: 1.1
Created: 05 Mar 2021
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Higaisa used HTTP and HTTPS to send data back to its C2 server.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Higaisa added a spoofed binary to the start-up folder for persistence.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Higaisa used cmd.exe for execution.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Higaisa has used VBScript code on the victim's machine.(Citation: PTSecurity Higaisa 2020)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Higaisa used JavaScript to execute additional files.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Higaisa used a FakeTLS session for C2 communications.(Citation: Zscaler Higaisa 2020)
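A FakeTLS session dresses C2 traffic in TLS record headers so it passes a port-and-protocol glance, but no real handshake ever happens. The following detector is an added example, not Higaisa's code and not taken from the Zscaler report (which does not describe the implant's framing at this level): it parses a flow against standard TLS record framing (RFC 5246/8446) and reports "faketls" when records carry TLS-shaped headers but no ClientHello/ServerHello exchange precedes application data. The three flows at the bottom are constructed byte strings.

```python
"""Classify a flow as real TLS, FakeTLS, or not TLS at all.

Added example; not Higaisa's code and not taken from the cited reports.
Checks standard TLS record framing (RFC 5246 / RFC 8446) and requires a
ClientHello/ServerHello exchange before any application_data record.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}   # TLS 1.0 .. 1.3 record-layer versions
MAX_RECORD_LEN = 16384 + 2048                         # TLSCiphertext limit, RFC 5246 6.2.3
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2


def parse_records(stream: bytes):
    """Yield (content_type, version, payload) per record; ValueError if not TLS-shaped."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES or version not in RECORD_VERSIONS:
            raise ValueError(f"non-TLS record header at offset {off}")
        if length == 0 or length > MAX_RECORD_LEN:
            raise ValueError(f"implausible record length {length} at offset {off}")
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated record body")
        yield ctype, version, payload
        off += 5 + length


def _first_handshake_type(records):
    """HandshakeType of the first handshake record, or None if application_data
    shows up first (the FakeTLS signature) or no handshake record exists."""
    for ctype, _version, payload in records:
        if ctype == 22:
            return payload[0]          # HandshakeType is byte 0 of the handshake body
        if ctype == 23:
            return None
    return None


def classify_flow(client_to_server: bytes, server_to_client: bytes) -> str:
    """Return 'tls', 'faketls' or 'not-tls' for a bidirectional byte stream."""
    try:
        c_records = list(parse_records(client_to_server))
        s_records = list(parse_records(server_to_client))
    except ValueError:
        return "not-tls"
    if not c_records or not s_records:
        return "not-tls"
    if (_first_handshake_type(c_records) == HANDSHAKE_CLIENT_HELLO
            and _first_handshake_type(s_records) == HANDSHAKE_SERVER_HELLO):
        return "tls"
    return "faketls"      # TLS-shaped headers, but no handshake before data


def _record(ctype: int, version: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


# Constructed flows (handshake bodies are stubs: type byte, 3-byte length, 4-byte body).
CLIENT_HELLO = _record(22, 0x0301, bytes([1, 0, 0, 4]) + b"\x03\x03\x00\x00")
SERVER_HELLO = _record(22, 0x0303, bytes([2, 0, 0, 4]) + b"\x03\x03\x00\x00")
APP_DATA = _record(23, 0x0303, b"\xde\xad\xbe\xef" * 4)

GENUINE_FLOW = (CLIENT_HELLO + APP_DATA, SERVER_HELLO + APP_DATA)
FAKETLS_FLOW = (APP_DATA + APP_DATA, APP_DATA)          # looks like TLS on the wire, never handshook
PLAINTEXT_FLOW = (b"GET / HTTP/1.1\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n")

if __name__ == "__main__":
    for label, flow in (("genuine", GENUINE_FLOW), ("faketls", FAKETLS_FLOW), ("plaintext", PLAINTEXT_FLOW)):
        print(label, "->", classify_flow(*flow))
```

This catches the simplest variant, where the implant skips the handshake entirely. FakeTLS implementations that replay a canned ClientHello/ServerHello pass this check, so in production the handshake bodies themselves (lengths, cipher-suite list, certificate chain, and whether a Finished message ever appears) need validating rather than only their presence.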

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Higaisa used AES-128 to encrypt C2 traffic.(Citation: Zscaler Higaisa 2020)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Higaisa used a payload that creates a hidden window.(Citation: PTSecurity Higaisa 2020)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.(Citation: PTSecurity Higaisa 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Higaisa performed padding with null bytes before calculating its hash.(Citation: Zscaler Higaisa 2020)
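Appending null bytes changes a sample's cryptographic hash (defeating exact-hash IOCs) and inflates its size without touching its code. The following added example, not from the cited reports, shows the effect on SHA-256 and a normalised hash that strips the trailing null run before hashing so the padded and unpadded copies match again; the two "samples" are constructed byte strings, and the 64-byte minimum run is an assumed threshold.

```python
"""Trailing null-byte padding vs. hash-based matching.

Added example, not from the cited reports. Demonstrates that padding a file with
null bytes changes its SHA-256 (breaking exact-hash IOCs) while a hash over the
file with its trailing null run stripped still matches the unpadded original.
"""
import hashlib

MIN_NULL_RUN = 64   # assumed threshold: shorter zero tails are normal section alignment


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def strip_trailing_nulls(data: bytes, min_run: int = MIN_NULL_RUN):
    """Return (normalised_data, bytes_removed); only strips a run of >= min_run nulls."""
    stripped = data.rstrip(b"\x00")
    removed = len(data) - len(stripped)
    if removed < min_run:
        return data, 0
    return stripped, removed


def normalised_hash(data: bytes) -> str:
    """SHA-256 over the sample with trailing null padding removed."""
    body, _ = strip_trailing_nulls(data)
    return sha256(body)


def padding_ratio(data: bytes) -> float:
    """Fraction of the file that is trailing null padding; a cheap triage signal."""
    _, removed = strip_trailing_nulls(data)
    return removed / len(data) if data else 0.0


# Constructed stand-ins: a ~1 KiB 'loader' and the same bytes with 4 MiB of nulls appended.
ORIGINAL = b"MZ" + bytes(range(256)) * 4
PADDED = ORIGINAL + b"\x00" * (4 * 1024 * 1024)


def compare(original: bytes, padded: bytes) -> dict:
    """Exact vs. normalised hash agreement, plus how much of the padded file is padding."""
    return {
        "exact_hash_matches": sha256(original) == sha256(padded),
        "normalised_hash_matches": normalised_hash(original) == normalised_hash(padded),
        "padding_ratio": round(padding_ratio(padded), 4),
    }


if __name__ == "__main__":
    print(compare(ORIGINAL, PADDED))
```

Store the normalised hash alongside the exact one when indexing samples; a high padding ratio on a small-code/large-file binary is itself worth a second look, since the other common motive for padding is to exceed sandbox or scanner size limits.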

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Higaisa used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Higaisa has sent spearphishing emails containing malicious attachments.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Enterprise T1090 .001 Proxy: Internal Proxy

Higaisa discovered system proxy settings and used them if available.(Citation: Zscaler Higaisa 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Higaisa dropped and added officeupdate.exe to scheduled tasks.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
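The persistence artefacts listed above (an executable dropped into the Startup folder, a svchast.exe lookalike of svchost.exe, and an officeupdate.exe scheduled task) can be hunted together from a single autostart inventory. The script below is an added example rather than the reports' own tooling; the inventory records, the system-binary list, the directory markers and the edit-distance threshold are constructed or assumed, and a real run would feed it normalised Autoruns or schtasks output instead.

```python
"""Hunt an autostart inventory for Higaisa-style persistence artefacts.

Added example; not the reports' tooling. Flags: (1) executable names within a
small edit distance of a Windows system binary, (2) system binary names outside
System32/SysWOW64, (3) executables dropped directly into a Startup folder
(shortcuts are the norm there), (4) scheduled-task actions in user-writable
directories. The inventory, binary list and directory markers are constructed
or assumed; a real run would parse Autoruns / schtasks output instead.
"""

SYSTEM_BINARIES = ("csrss.exe", "dllhost.exe", "explorer.exe", "lsass.exe", "rundll32.exe",
                   "services.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\startup\\", "\\users\\public\\")
MAX_LOOKALIKE_DISTANCE = 2   # assumed: one or two edited characters still 'looks like' the name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt(entries):
    """Return {entry name: [reasons]} for every autostart entry that trips a rule."""
    findings = {}
    for e in entries:
        name, path, source = e["name"].lower(), e["path"].lower(), e["source"]
        reasons = []
        for legit in SYSTEM_BINARIES:
            if name != legit and edit_distance(name, legit) <= MAX_LOOKALIKE_DISTANCE:
                reasons.append(f"lookalike of {legit}")
        if name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
            reasons.append("system binary name outside System32/SysWOW64")
        if source == "startup_folder" and not name.endswith(".lnk"):
            reasons.append("executable placed directly in a Startup folder")
        if source == "scheduled_task" and any(m in path for m in USER_WRITABLE):
            reasons.append("scheduled task runs from a user-writable directory")
        if reasons:
            findings[e["name"]] = reasons
    return findings


# Constructed inventory, as an Autoruns-style export might look after normalisation.
AUTOSTARTS = [
    {"source": "startup_folder", "name": "svchast.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchast.exe"},
    {"source": "scheduled_task", "name": "officeupdate.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\officeupdate.exe"},
    {"source": "run_key", "name": "OneDrive.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"source": "scheduled_task", "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"source": "startup_folder", "name": "Teams.lnk",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
]

if __name__ == "__main__":
    for name, reasons in hunt(AUTOSTARTS).items():
        print(name, "->", "; ".join(reasons))
```

The two benign entries (a Run-key OneDrive.exe under AppData and a real svchost.exe task under System32) are there to show the rules stay quiet on common legitimate autostarts; the user-writable-path rule is deliberately limited to scheduled tasks and Startup-folder drops because Run keys pointing into AppData are routine for per-user installers.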

Enterprise T1204 .002 User Execution: Malicious File

Higaisa used malicious e-mail attachments to lure victims into executing LNK files.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Software

S0160 certutil
References: (Citation: Malwarebytes Higaisa 2020) (Citation: PTSecurity Higaisa 2020) (Citation: TechNet Certutil)
Techniques: Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer

S0013 PlugX
References: (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: Malwarebytes Higaisa 2020) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT)
Techniques: Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information

S0032 gh0st RAT
References: (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Malwarebytes Higaisa 2020) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom)
Techniques: Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel
