Higaisa APT Description
The Higaisa APT (Advanced Persistent Threat) is a hacking group that likely originates from the Korean Peninsula. The Higaisa hacking group was first studied extensively in 2019. However, malware analysts believe that the Higaisa APT began operating in 2016 but managed to avoid the attention of cybersecurity experts until 2019. The Higaisa APT appears to utilize both custom-made hacking tools and popular, publicly available threats such as the PlugX RAT (Remote Access Trojan) and the Gh0st RAT.
The Higaisa hacking group mainly relies on spear-phishing email campaigns to distribute malware. According to security researchers, one of the Higaisa APT's latest operations used malicious .LNK files as its infection vector. The .LNK files from that campaign were disguised as harmless documents such as exam results, CVs and job offers. Earlier this year, the Higaisa hacking group used COVID-19-themed emails to propagate corrupted .LNK files to their targets.
If the user is tricked by the Higaisa APT and opens the corrupted file, they may not notice anything out of the ordinary. This is because the hacking group uses decoy files that hold the user's attention and prevent them from noticing that their system has been breached. The malicious .LNK file contains a list of commands that it executes silently in the background. These commands allow the threat to:
- Plant its files in the %APPDATA% directory on the compromised host.
- Decrypt and decompress the data carried inside the .LNK file.
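As an added, defender-side example (not from the original article and not the group's tooling): a minimal Python parser for the Shell Link format that pulls the command-line arguments out of a .LNK file and flags the traits described above, namely interpreter-style arguments, a reference to %APPDATA%, and data appended after the link structure. The field layout follows the public MS-SHLLINK specification; the sample file is constructed inline, and the heuristics are illustrative assumptions rather than signatures taken from the page.

```python
import struct

# Shell Link (.LNK) constants from MS-SHLLINK: LinkFlags bits and the header CLSID.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo, StringData and ExtraData; return strings + trailing byte count."""
    if len(data) < 0x4C or data[:4] != struct.pack("<I", 0x4C) or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                      # IDListSize (u16) followed by the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info, width = {}, (2 if flags & IS_UNICODE else 1)
    for flag, name in STRING_FIELDS:            # each: CountCharacters (u16) + chars
        if flags & flag:
            nbytes = struct.unpack_from("<H", data, pos)[0] * width
            info[name] = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + nbytes
    size = 4
    while size >= 4 and pos + 4 <= len(data):   # ExtraData blocks; a size < 4 is the terminator
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    info["trailing_bytes"] = max(0, len(data) - pos)   # payload appended after the structure
    return info

def suspicious_indicators(info: dict) -> list:
    """Assumed heuristics for the behaviour described above: /c arguments, %APPDATA%, appended data."""
    args, hits = info.get("arguments", "").lower(), []
    if args.lstrip().startswith("/c"):
        hits.append("cmd-style /c argument string")
    if "%appdata%" in args:
        hits.append("arguments reference %APPDATA%")
    if info["trailing_bytes"]:
        hits.append(f"{info['trailing_bytes']} bytes appended after the terminal block")
    return hits

def build_sample(arguments: str, appended: bytes) -> bytes:
    """Constructed minimal LNK: header with HasArguments|IsUnicode, one string, terminator, extra bytes."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") + b"\x00" * 4 + appended

# Constructed sample, not a real Higaisa artifact: a benign "type" command plus an appended blob.
SAMPLE = build_sample('/c type "%APPDATA%\\decoy.txt"', b"CONSTRUCTED-APPENDED-BLOB")
```

Running `suspicious_indicators(parse_lnk(SAMPLE))` on the constructed sample yields all three indicators; a link whose arguments are harmless and that carries no trailing data yields none.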
To protect your system from cyberattacks, it is advisable to invest in a reputable, modern antivirus application.