Higaisa APT has been known since November 2019, when Tencent researchers first documented its activities. The group was discovered recently, but attackers have been operating for several years and use common tools to complicate the attribution. They mainly use mobile malware and the Gh0st and PlugX trojans. Researchers believe that Higaisa APT is a South Korean state-sponsored group that is focused on government officials and human rights organizations. 

Since mid-May, the group has been conducting spear-phishing campaigns distributed the LNK file bundled in an archive as malicious attachments. The targets in this campaign are organizations that use the Zeplin collaboration platform. The malicious archive contains two Microsoft shortcut files and a PDF, all of which reference the Zeplin platform. If the victim runs a shortcut file, a multistep infection chain that ultimately deployed a Gh0st RAT agent is initiated. 

The malware achieves persistence via a scheduled task while masquerading as a legitimate binary in the Windows startup folder. During the infection process, the malware communicates with three different C&C servers. The APT group carried out similar attacks in March using COVID19 themed phishing emails. This week our Threat Bounty Program members published two different rules for detecting attacks of Higaisa APT:

New LNK Attack Tied to Higaisa APT by Osman Demirhttps://tdm.socprime.com/tdm/info/DCrvR47zKW5q/lTrimHIBSh4W_EKG1R3C/

Higaisa APT by Ariel Millahuelhttps://tdm.socprime.com/tdm/info/zvxRI6qRESXI/ezrUmHIBSh4W_EKGlBXy/?p=1


The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Privilege Escalation, Persistence 

Techniques: Command-Line Interface (T1059), Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053


We also wish to draw your attention to the available rules to detect Gh0st RAT:

Gh0st RAT detector (Sysmon) by SOC Prime Team – https://tdm.socprime.com/tdm/info/w1HaVAlcSjde/2p3knmUBtApo-eN_hd_p/

Gh0stRAT Malware Detector (Sysmon Behavior) (July 2019) by Lee Archinalhttps://tdm.socprime.com/tdm/info/sEWWYnbKsZ4m/9zgZdmwBLQqskxffYLhQ/

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko