
Higaisa APT

Posted: June 8, 2020

Higaisa is the name of an Advanced Persistent Threat (APT) actor whose activity was first described in detail in 2019. By researching the infrastructure and malware used by the group, security researchers concluded that its activity likely originates from the Korean region and that it may have been active since 2016. The actor uses a wide range of custom-built and publicly available malware tools, including the Gh0st RAT and PlugX Remote Access Trojans (RATs).

The Higaisa APT relies on spear-phishing emails to deliver its malware. In one of its recent campaigns, the group sent misleading email messages carrying 'LNK' (Windows shortcut) files disguised as policy documents, CVs or exam results. In an earlier campaign, it used the same technique to deliver Coronavirus-themed documents that also had a harmful payload packed inside.

Decoy Files Attract the User's Attention While the Implant is Executed in the Background

If a target opens one of these files, they are shown a decoy document that holds their attention while the malware runs in the background. The LNK file contains a set of commands that execute silently while the decoy is displayed. These commands:

  • Copy the file's contents to the %APPDATA% directory.
  • Decode and unpack the payload embedded into the LNK file.
  • Drop a JavaScript file into the 'Downloads' folder and execute it.

The JavaScript file runs a further set of commands that gather information about the victim's network configuration and then execute one of the files unpacked from the LNK file. The JavaScript file also creates a new scheduled task that gives the payload persistence.
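As an added example (not code from the original article or from any Higaisa sample), the following Python script statically triages a .lnk file: it parses the MS-SHLLINK header and StringData section to recover the command line stored in the shortcut, then flags the traits described above (staging under %APPDATA%, a JavaScript file in Downloads, scheduled-task creation) plus an unusually large file, which is what carrying an embedded payload produces. The indicator tokens and the 64 KiB size threshold are assumptions chosen for illustration, and `build_sample_lnk` constructs test input rather than reading a real sample.

```python
"""Static triage of Windows Shell Link (.lnk) files (added example)."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # fixed CLSID in every .lnk
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries appear in this fixed order, each present only if its LinkFlags bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
# Assumed indicator tokens, derived from the dropper behaviour described in the text.
SUSPICIOUS = ("%appdata%", "downloads", ".js", "schtasks", "wscript", "cscript", "cmd")
MAX_NORMAL_LNK = 64 * 1024  # assumed threshold; ordinary shortcuts are a few KiB

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link, or raise if the input is not a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                  # ShellLinkHeader is always 76 bytes
    if flags & HAS_ID_LIST:                   # skip LinkTargetIDList (size prefix excludes itself)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                 # skip LinkInfo (size prefix includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return fields

def triage_lnk(data: bytes) -> list:
    """List the indicators that make this shortcut worth a closer look (empty if none)."""
    args = parse_lnk_strings(data).get("arguments", "")
    hits = [tok for tok in SUSPICIOUS if tok in args.lower()]
    if len(data) > MAX_NORMAL_LNK:
        hits.append("oversized (possible embedded payload)")
    return hits

def build_sample_lnk(arguments: str, padding: int = 0) -> bytes:
    """Constructed test input: a minimal .lnk with only COMMAND_LINE_ARGUMENTS set."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x20 | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") + bytes(padding)
```

On a real sample, read the file in binary mode and pass the bytes to `triage_lnk`; an empty result means none of the assumed indicators matched, not that the file is safe.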

Controlled tests with the implant delivered in these campaigns revealed little because its command-and-control server was offline, which is why the primary purpose of the attack remains difficult to determine.
