Description
[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
Techniques Used (TTPs)
- T1059.005 — Visual Basic (execution)
- T1106 — Native API (execution)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1124 — System Time Discovery (discovery)
- T1090.001 — Internal Proxy (command-and-control)
- T1204.002 — Malicious File (execution)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1082 — System Information Discovery (discovery)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1071.001 — Web Protocols (command-and-control)
- T1001.003 — Protocol or Service Impersonation (command-and-control)
- T1203 — Exploitation for Client Execution (execution)
- T1029 — Scheduled Transfer (exfiltration)
- T1059.007 — JavaScript (execution)
- T1027.001 — Binary Padding (defense-evasion)
- T1027.015 — Compression (defense-evasion)
- T1220 — XSL Script Processing (defense-evasion)
- T1564.003 — Hidden Window (defense-evasion)
- T1573.001 — Symmetric Cryptography (command-and-control)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1057 — Process Discovery (discovery)
- T1036.004 — Masquerade Task or Service (defense-evasion)
- T1016 — System Network Configuration Discovery (discovery)
- T1059.003 — Windows Command Shell (execution)
- T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
Total TTPs: 27