Higaisa is a threat actor (hacking group) believed, according to Tencent's analysis, to have its origins in South Korea. The group primarily targets North Korean government and trade organizations, but its operations have also extended to China, Japan, Russia, Poland, and other nations. Higaisa builds its lures around real news and current events, delivering malware in messages that reference them, a choice that makes the initial infection step harder for recipients to recognize as hostile.
In March 2020, PT Expert Security Center analyzed Higaisa activity and described the group's use of malicious Windows shortcut (LNK) files, such as a sample named "20200308-sitrep-48-covid-19.pdf.lnk". The double extension is the point of the name: Windows Explorer never displays the .lnk suffix (it is hidden regardless of the "hide extensions for known file types" setting), so the file appears to the recipient as a PDF situation report. This technique was later borrowed by another threat actor, Winnti (APT41). The infection chain driven by these LNK files closely matched one that Anomali observed in the same month, whose C&C network infrastructure correlated with Higaisa.
The group's evolution was evident in May 2020, when several new malware samples that appeared to originate from Higaisa were detected. Unlike previous instances, the script copied the payload to C:\Users\Public\Downloads, established persistence both by adding itself to the Startup folder and by registering a scheduled task, and then ran the payload. The staging location is worth noting for defenders: C:\Users\Public is writable by every interactive user and is not tied to a single profile, so a payload there survives without elevation and is easy to overlook in per-user hunts. This new attack instance indicates that Higaisa actively updates its tactics, techniques, and procedures (TTPs), incorporating new backdoors with evasion techniques.
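The two behaviors described above (a double-extension .lnk lure, and a payload staged in C:\Users\Public\Downloads with Startup-folder and scheduled-task persistence) translate directly into host telemetry a defender can hunt for. The following is an added example written for this page, not code from PT ESC, Anomali, Tencent or any Higaisa sample: it runs simple indicator matching over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation) and flags hosts where two or more stages of the chain appear. The hostnames, user names, the file name "payload.exe" and the schtasks arguments are invented for illustration; the path patterns assume a default Windows profile layout.

```python
"""Hunt for the Higaisa-style LNK lure and Public\\Downloads persistence chain.

Added example: detection logic over constructed Sysmon-like events, not
telemetry or code from any published Higaisa report.
"""
import re
from collections import defaultdict

# Constructed events (NOT real telemetry). id 1 = process create, id 11 = file create.
# Hostnames, users, "payload.exe" and the schtasks arguments are hypothetical.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 11,
     "target": r"C:\Users\alice\Downloads\20200308-sitrep-48-covid-19.pdf.lnk"},
    {"host": "WS01", "id": 11,
     "target": r"C:\Users\Public\Downloads\payload.exe"},
    {"host": "WS01", "id": 11,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.lnk"},
    {"host": "WS01", "id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn "Update" /tr "C:\Users\Public\Downloads\payload.exe" /f'},
    # Benign activity on a second host: a real PDF and a legitimate task.
    {"host": "WS02", "id": 11,
     "target": r"C:\Users\bob\Downloads\quarterly-report.pdf"},
    {"host": "WS02", "id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# A document-looking name followed by the always-hidden .lnk suffix.
DOUBLE_EXT_LNK = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|rtf)\.lnk$", re.I)
# Staging directory used in the May 2020 samples.
PUBLIC_DOWNLOADS = re.compile(r"C:\\Users\\Public\\Downloads\\", re.I)
# Per-user Startup folder (persistence without any registry change).
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# schtasks.exe creating a task; combined with PUBLIC_DOWNLOADS on the action.
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)


def is_double_extension_lnk(path):
    """True when the file name hides a .lnk behind a document extension."""
    return bool(DOUBLE_EXT_LNK.search(path))


def hunt(events):
    """Map each host to the set of chain stages seen in its events."""
    hits = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["id"] == 11:
            target = ev["target"]
            if is_double_extension_lnk(target):
                hits[host].add("double_extension_lnk")
            if PUBLIC_DOWNLOADS.search(target):
                hits[host].add("payload_in_public_downloads")
            if STARTUP_FOLDER.search(target):
                hits[host].add("startup_folder_drop")
        elif ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            # A scheduled task alone is normal; one whose action lives in
            # Public\Downloads is the behavior described for the May 2020 samples.
            if SCHTASKS_CREATE.search(cmd) and PUBLIC_DOWNLOADS.search(cmd):
                hits[host].add("schtasks_public_downloads")
    return hits


def triage(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct stages, stages sorted."""
    return {host: sorted(stages)
            for host, stages in hunt(events).items()
            if len(stages) >= min_indicators}


if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring two or more stages keeps a lone scheduled task or a single file in Public\Downloads from paging anyone; a double-extension .lnk on its own, however, is rare enough in most environments that it is reasonable to alert on with min_indicators=1 for that stage alone.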
Description last updated: 2024-05-04T19:02:49.855Z