Higaisa APT

Higaisa APT Description

The Higaisa APT (Advanced Persistent Threat) is a hacking group that likely originates from the Korean Peninsula. The group was first studied extensively in 2019, although malware analysts believe it began operating in 2016 and managed to avoid the attention of cybersecurity experts until 2019. The Higaisa APT appears to use both custom-made hacking tools and popular, publicly available threats such as the PlugX RAT (Remote Access Trojan) and the Gh0st RAT.

The Higaisa hacking group relies mainly on spear-phishing email campaigns to distribute malware. According to security researchers, the infection vector in one of the group's latest operations was malicious .LNK files, disguised as harmless files such as exam results, CVs and job offers. Earlier this year, the group used COVID-19-themed emails to deliver corrupted .LNK files to its targets.

If the user is tricked by the Higaisa APT into opening the corrupted file, they may not notice anything out of the ordinary, because the group uses decoy files that hold the user's attention and keep them from noticing that their system has been breached. The malicious .LNK file carries a list of commands that it executes silently in the background. This command list allows the threat to:

  • Plant its files in the %APPDATA% directory on the compromised host.
  • Decrypt and decompress the data from the LNK file.
  • Plant a JavaScript file in the 'Downloads' folder of the infected system and then execute it.

Next, the JavaScript file runs a set of commands that let the attackers collect data about the infected host and its network settings. One of the files unpacked from the malicious .LNK file is then executed. The same JavaScript file also establishes persistence on the host so that the threat runs again after a reboot.
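The infection chain described above hinges on a shortcut that looks like a document but launches a command interpreter and carries its own packed payload. As an added example (not code from this page, and not Higaisa's tooling or any vendor's detection logic), the Python script below parses the public Shell Link (MS-SHLLINK) layout far enough to recover a shortcut's target, arguments and icon, measures any bytes appended after the format's TerminalBlock, and flags the traits this write-up describes: a document-style double extension, a script or command host as the target, an icon borrowed from another program, an oversized command line and an embedded blob. The two sample shortcuts, the 1 KB payload threshold and the 200-character argument limit are constructed for the example.

```python
"""Heuristic triage of Windows .LNK (Shell Link) files.

Added example; the parser follows the public MS-SHLLINK layout (header, optional
IDList and LinkInfo, StringData, ExtraData). The sample shortcuts are built
in-script (constructed data) so the example runs offline.
"""
import os
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-...-46}

# LinkFlags bits (header offset 0x14)
HAS_LINK_TARGET_IDLIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Interpreters a shortcut posing as a document has no reason to launch.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def parse_lnk(data):
    """Return the StringData fields plus the byte count after the TerminalBlock."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    # ExtraData: blocks prefixed by a 4-byte size, ended by a TerminalBlock (size < 4).
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if block_size < 4:
            break
        pos += block_size - 4
    fields["trailing_bytes"] = max(0, len(data) - pos)
    return fields


def assess_lnk(data, file_name, payload_threshold=1024):
    """Return human-readable findings; an empty list means nothing stood out."""
    fields = parse_lnk(data)
    findings = []
    stem, ext = os.path.splitext(file_name.lower())
    if ext == ".lnk" and stem.endswith(DECOY_EXTENSIONS):
        findings.append("double extension masquerading as a document: " + file_name)
    target = os.path.basename(fields.get("relative_path", "").replace("\\", "/")).lower()
    if target in SCRIPT_HOSTS:
        findings.append("target is a command or script host: " + target)
        icon = os.path.basename(fields.get("icon_location", "").replace("\\", "/")).lower()
        if icon and icon != target:
            findings.append("icon borrowed from another file: " + icon)
    if len(fields.get("arguments", "")) > 200:
        findings.append("unusually long command line (%d chars)" % len(fields["arguments"]))
    if fields["trailing_bytes"] > payload_threshold:
        findings.append("%d bytes appended after the TerminalBlock (embedded payload?)" % fields["trailing_bytes"])
    return findings


def build_lnk(relative_path, arguments="", icon_location="", appended=b""):
    """Constructed sample: minimal Unicode shortcut with StringData and a TerminalBlock only."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    if arguments:
        flags |= HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    body = b""
    for name, flag in STRING_FIELDS:
        if flags & flag:
            text = values[name]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00" + appended


BENIGN_LNK = build_lnk("..\\..\\Windows\\notepad.exe")
DECOY_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    arguments="/c echo constructed-sample-only",
    icon_location="%SystemRoot%\\System32\\imageres.dll",
    appended=b"\x00" * 4096,   # stands in for a packed payload carried inside the LNK
)

if __name__ == "__main__":
    for name, blob in (("notes.lnk", BENIGN_LNK), ("exam_results.pdf.lnk", DECOY_LNK)):
        print(name, assess_lnk(blob, name) or ["no findings"])
```

The parser reads the target only from the RelativePath string; real shortcuts may carry it solely in the IDList or LinkInfo structures, which this example skips over, so treat the output as a triage heuristic rather than a full Shell Link decoder. Shortcuts that trip more than one check, especially a script host combined with appended data, are the ones worth pulling for closer analysis.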

To protect your system from cyber attacks, it is advisable to invest in a reputable, modern antivirus application.
