{
	"id": "00091859-9c02-43c6-adcb-b17ec2f0d660",
	"created_at": "2026-04-06T00:07:46.364108Z",
	"updated_at": "2026-04-10T03:29:57.937854Z",
	"deleted_at": null,
	"sha1_hash": "1b3ad758d95d3cdcda33384c51a1243ce5206751",
	"title": "New LNK attack tied to Higaisa APT discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5980295,
	"plain_text": "New LNK attack tied to Higaisa APT discovered\r\nPublished: 2020-06-03 · Archived: 2026-04-05 13:22:51 UTC\r\nNebula support\r\nOneView support\r\nNebula sign in\r\nOneView sign in\r\nPartner Portal sign in\r\nProducts\r\nPartners\r\nResources\r\nWhy ThreatDown\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 2 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 3 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 4 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 5 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 6 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 7 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 8 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 9 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 10 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 11 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 12 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 13 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 14 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 15 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 16 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 17 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 18 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 19 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 20 of 1874\n\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 21 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 22 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 23 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 24 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 25 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 26 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 27 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 28 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 29 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 30 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 31 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 32 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 33 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 34 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 35 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 36 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 37 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 38 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 39 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 40 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 41 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 42 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 43 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 44 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 45 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 46 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 47 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 48 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs (SHA-256)

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic               | ID    | Name                                    | Details
Execution            | T1059 | Command-Line Interface                  | Starts CMD.EXE to execute commands (from WinRAR.exe, wscript.exe)
Execution            | T1106 | Execution through API                   | Application (AcroRd32.exe) launched itself
Execution            | T1053 | Scheduled Task                          | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution            | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Execution            | T1204 | User Execution                          | Manual execution by user (opening the LNK file)
Persistence          | T1060 | Registry Run Keys / Startup Folder      | Writes a file to the Start Menu Startup folder (Officeupdate.exe)
Persistence          | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion      | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Defense Evasion      | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery            | T1012 | Query Registry                          | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery            | Reads the machine GUID from the registry
Discovery            | T1016 | System Network Configuration Discovery  | Uses IPCONFIG.EXE to discover the IP address

This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded, compressed payload. Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy “certutil.exe” into “gosia.exe” (the copy command refers to it as “*ertu*.exe”, so the string “certutil” never appears in the command line; this is meant to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (i.e. certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following actions:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the Startup directory and rename it “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. This shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
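The LNK stage described above relies on two things a Windows shortcut can carry: a command line in its StringData section, and a base64 blob that findstr.exe later fishes out for certutil to decode. The Python script below is an added example, not code from the Malwarebytes post: it parses the MS-SHLLINK header, skips the optional LinkTargetIDList and LinkInfo, reads the command-line arguments, and then does offline what the findstr/certutil steps do (take the longest base64 run in the file and decode it) to check whether the decoded payload is a CAB ('MSCF' magic). The shortcut it builds, the argument string (an approximation of the steps listed above, reusing the file names the post gives) and the stand-in payload are constructed for the demo; none of them is a campaign file, and placing the blob after the TerminalBlock is an assumption of the sample, not something the post states.

```python
"""Added example: triage parser for Windows shortcut (.lnk) files.
Layout follows MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList
and LinkInfo, StringData (name, relative path, working dir, arguments, icon),
ExtraData blocks up to a TerminalBlock, then any appended bytes."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
LOLBINS = ("*ertu*", "certutil", "-decode", "findstr", "expand", "wscript")  # from the post


def parse_lnk(data: bytes) -> dict:
    """Return header flags, the StringData fields and the bytes after the link structure."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_IDLIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:          # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        out[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    while pos + 4 <= len(data):       # ExtraData blocks end with a BlockSize < 4
        block = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if block < 4:
            break
        pos += block - 4
    out["trailing"] = data[pos:]
    return out


def extract_base64_blob(data: bytes):
    """Offline equivalent of the findstr + certutil -decode stage: decode the longest base64 run."""
    runs = B64_RUN.findall(data)
    if not runs:
        return None
    try:
        return base64.b64decode(max(runs, key=len), validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return None


def triage(data: bytes) -> dict:
    link = parse_lnk(data)
    args = link.get("arguments", "")
    blob = extract_base64_blob(data)
    return {
        "target": link.get("relative_path", ""),
        "arguments": args,
        "lolbins": [m for m in LOLBINS if m in args.lower()],
        "payload_is_cab": blob is not None and blob.startswith(b"MSCF"),
        "payload_size": len(blob) if blob else 0,
    }


def build_sample_lnk(arguments: str, payload: bytes) -> bytes:
    """Constructed sample: shortcut to cmd.exe plus a base64 payload after the TerminalBlock."""
    flags = 0x08 | 0x10 | 0x20 | IS_UNICODE   # relative path, working dir, arguments
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")

    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    body = field(r"..\..\..\Windows\System32\cmd.exe") + field("%TEMP%") + field(arguments)
    return header + body + struct.pack("<I", 0) + base64.b64encode(payload)


# Constructed approximation of the command chain the post lists (not the real command line).
# "TVND" is the base64 of "MSC", i.e. the start of a CAB file's "MSCF" magic.
SAMPLE_ARGS = (r'/c copy /y *.lnk "%TEMP%\g4ZokyumB2DC4.tmp" & '
               r'copy /y C:\Windows\System32\*ertu*.exe "%TEMP%\gosia.exe" & '
               r'findstr /b "TVND" "%TEMP%\g4ZokyumB2DC4.tmp" > "%TEMP%\cSi1rouy4.tmp" & '
               r'"%TEMP%\gosia.exe" -decode "%TEMP%\cSi1rouy4.tmp" "%TEMP%\o423DFDS4.tmp" & '
               r'expand.exe -F:* "%TEMP%\o423DFDS4.tmp" "%TEMP%" & '
               r'wscript "C:\Users\Public\Downloads\34fDKfSD38.js"')
# Stand-in for the cabinet: correct "MSCF" magic, dummy body (constructed, not a real CAB)
SAMPLE_PAYLOAD = b"MSCF" + bytes(28) + b"constructed stand-in for the cabinet body" * 2

if __name__ == "__main__":
    for key, value in triage(build_sample_lnk(SAMPLE_ARGS, SAMPLE_PAYLOAD)).items():
        print(f"{key:15} {value}")
```

On a real sample, run triage() over the file bytes; a shortcut whose target is cmd.exe, whose arguments mention several of the listed LOLBins and which decodes to an "MSCF" payload is the pattern described in this post, whatever the tmp file names are in a given variant.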
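Each step in the LNK and JS stages above leaves a process-creation or file-creation trace, and the MITRE table maps those traces to techniques. The script below is an added example, not from the post, of correlating such traces into one alert: it evaluates per-event predicates (a renamed certutil identified through the PE OriginalFileName, the *ertu*.exe wildcard copy, expand.exe run on a .tmp, wscript.exe launched on a .js under C:\Users\Public\Downloads, ipconfig output redirected to a file, an executable written to the Startup folder), groups hits under the top-most ancestor that has its own creation event in the telemetry (the cmd.exe the shortcut spawned), and alerts once a chain reaches three distinct stages. Field names follow Sysmon Event ID 1 and 11; the event records are constructed for the demo, the technique IDs are the ones the post's table uses, and the gosia.exe, 34fDKfSD38.js, d3reEW.exe and officeupdate.exe names come from the post.

```python
"""Added example: correlate endpoint telemetry into the LNK -> renamed certutil
-> expand.exe -> wscript -> Startup-folder chain described in the post.
Field names follow Sysmon Event ID 1 (process create) and 11 (file create)."""
import ntpath
import re
from collections import defaultdict


def _image(e: dict) -> str:
    return ntpath.basename(e.get("Image", "")).lower()


def _cmd(e: dict) -> str:
    return e.get("CommandLine", "")


# (ATT&CK ID as listed in the post's table, stage label, predicate over one event)
STAGES = [
    ("T1140", "renamed certutil used to -decode",
     lambda e: e.get("OriginalFileName", "").lower() == "certutil.exe"
     and _image(e) != "certutil.exe" and "-decode" in _cmd(e).lower()),
    ("T1059", "wildcard copy of certutil (*ertu*.exe)",
     lambda e: _image(e) == "cmd.exe" and re.search(r"copy\b.*\*ertu\*\.exe", _cmd(e), re.I)),
    ("T1140", "expand.exe unpacking a .tmp cabinet",
     lambda e: _image(e) == "expand.exe" and re.search(r"-f:\*\s+\S*\.tmp", _cmd(e), re.I)),
    ("T1064", "wscript running a .js from C:\\Users\\Public\\Downloads",
     lambda e: _image(e) == "wscript.exe"
     and re.search(r"c:\\users\\public\\downloads\\\S+\.js", _cmd(e), re.I)),
    ("T1016", "ipconfig output redirected to a file",
     lambda e: _image(e) == "cmd.exe" and re.search(r"\bipconfig\b.*>", _cmd(e), re.I)),
    ("T1060", "executable written to the Startup folder",
     lambda e: e.get("EventID") == 11
     and re.search(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", e.get("TargetFilename", ""), re.I)),
]


def correlate(events: list, min_stages: int = 3) -> dict:
    """Map chain root pid -> {stage label: technique id} for chains with enough distinct stages."""
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e.get("EventID") == 1}

    def chain_root(pid: int) -> int:
        seen = set()                     # climb while the parent itself has a creation event
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    hits = defaultdict(dict)
    for e in events:
        for technique, label, pred in STAGES:
            if pred(e):
                hits[chain_root(e["ProcessId"])][label] = technique
    return {root: stages for root, stages in hits.items() if len(stages) >= min_stages}


# Constructed telemetry: explorer.exe (pid 1000) has no creation event in this window,
# so the cmd.exe it spawned for the shortcut (pid 4000) becomes the chain root.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy /y *.lnk " + TEMP + r"\g4ZokyumB2DC4.tmp & copy /y "
                    + r"C:\Windows\System32\*ertu*.exe " + TEMP + r"\gosia.exe & ..."},
    {"EventID": 1, "ProcessId": 4001, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": 'findstr /b "TVND" ' + TEMP + r"\g4ZokyumB2DC4.tmp"},
    {"EventID": 1, "ProcessId": 4002, "ParentProcessId": 4000, "Image": TEMP + r"\gosia.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "gosia.exe -decode " + TEMP + r"\cSi1rouy4.tmp " + TEMP + r"\o423DFDS4.tmp"},
    {"EventID": 1, "ProcessId": 4003, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\expand.exe",
     "OriginalFileName": "expand.exe", "CommandLine": "expand.exe -F:* " + TEMP + r"\o423DFDS4.tmp " + TEMP},
    {"EventID": 1, "ProcessId": 4004, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"EventID": 1, "ProcessId": 4005, "ParentProcessId": 4004, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r"cmd /c ipconfig > C:\Users\Public\Downloads\d3reEW.exe"},
    {"EventID": 11, "ProcessId": 4004, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": STARTUP + r"\officeupdate.exe"},
    # benign noise: a real certutil decode and a driver package unpack, each spawned by explorer
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -decode cert.b64 cert.cer"},
    {"EventID": 1, "ProcessId": 5001, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\expand.exe",
     "OriginalFileName": "expand.exe", "CommandLine": r"expand -F:* C:\Drivers\pkg.cab C:\Drivers"},
]

if __name__ == "__main__":
    for root, stages in correlate(SAMPLE_EVENTS).items():
        print(f"chain rooted at pid {root}:")
        for label, technique in stages.items():
            print(f"  {technique}  {label}")
```

Grouping by the root of the process tree rather than matching single events is what keeps the benign certutil and expand.exe runs out of the alert; the renamed-certutil predicate works because the PE's OriginalFileName survives the copy to gosia.exe even though the image name does not.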
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 103 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 104 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 105 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the literal name to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
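As an added example (not code from the Malwarebytes post), the following Python script does offline what the command chain above does on the victim machine: it pulls the base64 blob out of an LNK-like file, decodes it, and lists the files in the resulting CAB by parsing the cabinet header itself rather than running certutil.exe or expand.exe. The sample dropper and cabinet are constructed inside the script; 66DF3DFG.tmp and 34fDKfSD38.js are the file names from the post, decoy.pdf is a placeholder for the decoy PDF whose name the post does not give.

```python
"""Added example, not code from the Malwarebytes post: triage an LNK-style
dropper offline by locating the embedded base64 blob, decoding it and listing
the files inside the resulting Microsoft Cabinet (CAB), i.e. what the chain's
findstr -> certutil -decode -> expand.exe steps would produce, without running
any of those tools. The sample dropper and CAB are constructed here; only the
names 66DF3DFG.tmp and 34fDKfSD38.js come from the post, decoy.pdf is a
placeholder."""
import base64
import re
import struct

# A run of long base64-only lines (certutil's 76-column layout), optionally
# ending in a shorter padded line. This is the analyst's equivalent of the
# dropper's findstr step.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{40,}\r?\n)+[A-Za-z0-9+/]*={0,2}")

# CAB structures (little-endian), see the MS-CAB format documentation.
CFHEADER = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3, vMinor, vMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs; then NUL-terminated name
CFDATA = "<IHH"               # csum, cbData, cbUncomp; then the data bytes


def extract_base64_blob(data):
    """Decode the longest base64 run embedded anywhere in `data`."""
    runs = B64_RUN.findall(data)
    if not runs:
        raise ValueError("no base64 blob found")
    return base64.b64decode(re.sub(rb"\s+", b"", max(runs, key=len)))


def list_cab_files(cab):
    """Walk CFHEADER -> CFFILE entries; return [(name, uncompressed size), ...]."""
    if cab[:4] != b"MSCF":
        raise ValueError("not a CAB: missing MSCF signature")
    hdr = struct.unpack_from(CFHEADER, cab, 0)
    coff_files, c_files = hdr[4], hdr[9]
    entries, off = [], coff_files
    for _ in range(c_files):
        cb_file = struct.unpack_from(CFFILE, cab, off)[0]
        off += struct.calcsize(CFFILE)
        end = cab.index(b"\0", off)
        entries.append((cab[off:end].decode("ascii", "replace"), cb_file))
        off = end + 1
    return entries


def triage(dropper_bytes):
    """Blob -> CAB -> file listing, the way an analyst would check a sample."""
    cab = extract_base64_blob(dropper_bytes)
    return {"cab_size": len(cab), "files": list_cab_files(cab)}


def build_sample_cab(entries):
    """Constructed minimal CAB: one folder, stored (uncompressed) data, one
    CFDATA block. Enough for listing; real expand.exe would also extract it."""
    cffiles, payload = b"", b""
    for name, content in entries:
        # 0x50A1 = DOS date 2020-05-01, 0x20 = archive attribute (constructed values)
        cffiles += struct.pack(CFFILE, len(content), len(payload), 0, 0x50A1, 0, 0x20)
        cffiles += name.encode() + b"\0"
        payload += content
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    cfdata_off = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA, 0, len(payload), len(payload)) + payload
    header = struct.pack(CFHEADER, b"MSCF", 0, cfdata_off + len(cfdata), 0,
                         coff_files, 0, 3, 1, 1, len(entries), 0, 0, 0)
    folder = struct.pack(CFFOLDER, cfdata_off, 1, 0)
    return header + folder + cffiles + cfdata


def build_sample_dropper(cab):
    """Constructed stand-in for the malicious .lnk: a 0x4C header-size field
    like a real shortcut, some command text, then the CAB as certutil-style
    base64 lines, then trailing bytes."""
    return (b"L\0\0\0" + b"cmd.exe /c <LNK command chain elided>\r\n"
            + base64.encodebytes(cab) + b"<trailing shortcut data>\r\n")


# Constructed cabinet contents; "<shellcode stub>" stands in for the loader's blob.
SAMPLE_ENTRIES = [("66DF3DFG.tmp", b"<shellcode stub>"),
                  ("34fDKfSD38.js", b"WScript.Echo(1);"),
                  ("decoy.pdf", b"%PDF-1.4 ")]

if __name__ == "__main__":
    print(triage(build_sample_dropper(build_sample_cab(SAMPLE_ENTRIES))))
```

The MSCF signature check is the cheap confirmation that the decoded blob really is the cabinet that expand.exe -F:* would unpack; a blob that decodes but fails the check is some other stage and needs separate handling.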
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
| --- | --- | --- | --- |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 147 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 148 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address

This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware.
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
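Both parts sit in a fixed layout inside the shortcut, so a triage script can recover them without running anything. The following is an added example (not code from the post or from Malwarebytes) that walks the MS-SHLLINK structure to pull out the COMMAND_LINE_ARGUMENTS string and the ShowCommand value, treats whatever follows the terminal ExtraData block as an overlay, and tries to base64-decode that overlay. The traits it matches on the arguments come from the command list below; the shortcut it examines is constructed inside the script, so the arguments, file names and payload are stand-ins rather than the campaign's real samples.

```python
"""Shortcut (.lnk) triage: recover the command line a shortcut runs and check for a
base64 blob appended after the structure. Added example, not code from the post;
layout per the public MS-SHLLINK spec, sample shortcut constructed below."""
import base64
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1): which optional sections follow the 76-byte header
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that keeps the console window out of sight

def _read_string(buf, pos, unicode):
    """One StringData item: u16 character count followed by the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, pos)
    width = 2 if unicode else 1
    raw = buf[pos + 2:pos + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + 2 + count * width

def parse_lnk(buf):
    """Walk header, LinkTargetIDList, LinkInfo, StringData and ExtraData; the rest is overlay."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"show_command": struct.unpack_from("<I", buf, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # u16 IDListSize, then the list itself
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                      # u32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    for bit, key in STRING_FIELDS:
        if flags & bit:
            info[key], pos = _read_string(buf, pos, bool(flags & IS_UNICODE))
    while pos + 4 <= len(buf):                     # ExtraData: u32-sized blocks, size < 4 terminates
        size = struct.unpack_from("<I", buf, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    info["overlay"] = buf[pos:]
    return info

# Command-line traits taken from the LNK command list in the post
INDICATORS = {
    "renamed_certutil_wildcard": re.compile(r"\*ertu\*\.exe", re.I),
    "certutil_decode": re.compile(r"\s-decode\b", re.I),
    "expand_cab": re.compile(r"\bexpand(?:\.exe)?\s+-F:\*", re.I),
    "wscript_launch": re.compile(r"\bwscript(?:\.exe)?\b", re.I),
    "public_downloads": re.compile(r"\\Users\\Public\\Downloads\\", re.I),
}
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{200,}")

def triage(buf):
    """Summarise one shortcut: arguments, hidden-window flag, matched traits, decoded overlay magic."""
    info = parse_lnk(buf)
    args = info.get("arguments", "")
    blob_magic, match = None, BASE64_RUN.search(info["overlay"])
    if match:
        try:   # validate=True rejects anything that is not real base64 (binascii.Error is a ValueError)
            blob_magic = base64.b64decode(re.sub(rb"\s", b"", match.group(0)), validate=True)[:4]
        except ValueError:
            pass
    return {"arguments": args,
            "hidden_window": info["show_command"] == SW_SHOWMINNOACTIVE,
            "indicators": sorted(n for n, rx in INDICATORS.items() if rx.search(args)),
            "overlay_bytes": len(info["overlay"]),
            "blob_magic": blob_magic}

def build_sample_lnk(arguments, payload):
    """Constructed sample: Unicode shortcut to cmd.exe, blob appended after the terminal block."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + bytes(24)       # attrs, 3 timestamps
              + struct.pack("<IiIH", 0, 0, SW_SHOWMINNOACTIVE, 0) + bytes(10))      # size, icon, show, hotkey, reserved
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = string_data(r"..\..\..\Windows\System32\cmd.exe") + string_data(arguments) + struct.pack("<I", 0)
    return header + body + base64.encodebytes(payload)

# Constructed stand-ins using the step names from the post; not the campaign's real files
SAMPLE_ARGS = (r"/c copy *ertu*.exe gosia.exe & gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp "
               r"& expand.exe -F:* o423DFDS4.tmp . & wscript C:\Users\Public\Downloads\34fDKfSD38.js")
SAMPLE_PAYLOAD = b"MSCF" + bytes(range(256)) * 2   # CAB magic plus filler, standing in for the decoded blob

def demo():
    return triage(build_sample_lnk(SAMPLE_ARGS, SAMPLE_PAYLOAD))
```

On the constructed sample, demo() reports a hidden window, all five traits and a decoded overlay beginning with the CAB magic "MSCF", which is what you would expect from a shortcut that carries its own payload and hands it to expand.exe. A shortcut that legitimately points at cmd.exe with a short argument and no overlay reports no traits and zero overlay bytes, so the overlay size on its own is a useful first filter across a mailbox of attachments.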
Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the literal file name to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copied certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 237 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 238 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 239 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 240 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 241 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 242 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 243 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 244 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 245 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 246 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 247 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 248 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 283 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 284 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 285 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard pattern “*ertu*.exe” is used in place of the literal name certutil.exe to evade detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (i.e. certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
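The steps above describe a shortcut that is structurally a normal Shell Link (its command line drives cmd.exe) with a base64 blob appended after the link structure, which the findstr/certutil steps later recover. The following is an added example, not code from the Malwarebytes post, of how an analyst can triage such a file statically: it walks the MS-SHLLINK header to the COMMAND_LINE_ARGUMENTS string, resolves wildcard binary names like *ertu*.exe against a list of known System32 binaries (so the evasion in step 2 does not defeat a string match on "certutil"), and extracts and decodes the trailing blob. The sample LNK, its command line and the 64-byte stand-in payload are constructed here for the demo; the allow-list of System32 names is an assumption.

```python
"""Static triage of a Higaisa-style LNK (added example; the sample file is constructed)."""
import base64
import fnmatch
import re
import struct

# MS-SHLLINK: HeaderSize, LinkCLSID and the LinkFlags bits needed to walk to StringData.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
# Assumed list of System32 binaries used to resolve wildcard names; extend it for real triage.
KNOWN_SYSTEM32 = ["certutil.exe", "cmd.exe", "cscript.exe", "expand.exe", "findstr.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"]


def _read_string_data(buf, off, unicode):
    """One StringData item: uint16 CountCharacters, then that many chars (UTF-16LE if IsUnicode)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    nbytes = count * 2 if unicode else count
    raw = buf[off:off + nbytes]
    return (raw.decode("utf-16-le") if unicode else raw.decode("cp1252")), off + nbytes


def parse_lnk(data):
    """Return the StringData fields (name, working_dir, arguments, ...) of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                 # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) followed by the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA_ORDER:     # StringData items always appear in this order
        if flags & flag:
            fields[name], off = _read_string_data(data, off, unicode)
    return fields


def resolve_wildcards(command_line):
    """Map wildcard binary names such as '*ertu*.exe' to the System32 binaries they expand to."""
    hits = {}
    for token in re.findall(r"[\w*?.-]*[*?][\w*?.-]*\.exe", command_line, re.IGNORECASE):
        matches = [b for b in KNOWN_SYSTEM32 if fnmatch.fnmatch(b, token.lower())]
        if matches:
            hits[token] = matches
    return hits


def find_appended_blob(data, min_len=64):
    """Longest base64 run in the file. A legitimate LNK carries none, so a long run is
    smuggled content; this is what the findstr.exe step of the chain pulls out."""
    runs = re.findall(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, data)
    return max(runs, key=len) if runs else b""


def triage(data):
    args = parse_lnk(data).get("arguments", "")
    blob = find_appended_blob(data)
    decoded = base64.b64decode(blob) if blob else b""
    return {
        "arguments": args,
        "wildcard_binaries": resolve_wildcards(args),
        "blob_length": len(blob),
        "decoded_is_cab": decoded.startswith(b"MSCF"),   # CAB magic, the input expand.exe expects
    }


def build_sample_lnk(arguments, payload):
    """Constructed sample: minimal LNK carrying only COMMAND_LINE_ARGUMENTS, with the base64
    payload appended after the terminal block. Not a real Higaisa file."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (76 - len(header))
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + b"\x00\x00\x00\x00" + b"\r\n" + base64.b64encode(payload)


# Constructed command line mirroring the steps listed above (file names taken from the post).
SAMPLE_ARGS = (r"/c copy /y *.lnk %TEMP%\g4ZokyumB2DC4.tmp & copy /y C:\Windows\System32\*ertu*.exe "
               r"%TEMP%\gosia.exe & findstr /b TVNDRg %TEMP%\g4ZokyumB2DC4.tmp > %TEMP%\cSi1rouy4.tmp "
               r"& %TEMP%\gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp "
               r"& expand.exe -F:* %TEMP%\o423DFDS4.tmp %TEMP% & wscript C:\Users\Public\Downloads\34fDKfSD38.js")
SAMPLE_PAYLOAD = b"MSCF" + bytes(60)   # stand-in for the CAB file: only the magic matters here

if __name__ == "__main__":
    print(triage(build_sample_lnk(SAMPLE_ARGS, SAMPLE_PAYLOAD)))
```

On a real sample, feed the bytes of the .lnk to triage(); the wildcard resolution is the part worth keeping in a detection pipeline, since the shortcut never contains the string "certutil" at all.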
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.

svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”.

This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
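No single step of the chain above is unusual on its own (certutil, wscript, ipconfig, a Startup-folder write and a scheduled task all occur in normal administration), so the detection value is in the combination on one host in a short window. The following is an added example, not the post's or Malwarebytes' code, that runs that correlation over endpoint events: one rule per technique, each tagged with the ATT&CK ID the post assigns, then a per-host window check. Two details matter: the renamed certutil copy (gosia.exe) is still identified because a plain file copy keeps the PE version information, which Sysmon exposes as OriginalFileName; and task creation is taken from Security event 4698 or TaskScheduler/Operational event 106 rather than from a schtasks.exe child process, since the post says the script uses the Task Scheduler interface. The event records are constructed in Sysmon and Security field naming and are not logs from the post; the task name and user paths are made up.

```python
"""Correlating the Higaisa execution chain in endpoint telemetry (added example; events constructed)."""
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

STARTUP_DIR = r"\start menu\programs\startup"   # suffix shared by per-user and all-users Startup folders


def _base(ev, key):
    return ntpath.basename(ev.get(key, "")).lower()


def rule_certutil_decode(ev):
    """T1140: certutil -decode, matched on OriginalFileName so the gosia.exe rename is still caught."""
    if ev.get("EventID") == 1 and "-decode" in ev.get("CommandLine", "").lower():
        image = _base(ev, "Image")
        if ev.get("OriginalFileName", "").lower() == "certutil.exe" or image == "certutil.exe":
            renamed = "" if image == "certutil.exe" else f" (renamed to {image})"
            return "T1140", "certutil -decode" + renamed
    return None


def rule_script_from_cmd(ev):
    """T1064: cmd.exe launching wscript on a .js, the hand-off from the LNK command line to the script."""
    if (ev.get("EventID") == 1 and _base(ev, "Image") == "wscript.exe"
            and _base(ev, "ParentImage") == "cmd.exe" and ev.get("CommandLine", "").lower().endswith(".js")):
        return "T1064", "wscript.exe run from cmd.exe on a .js file"
    return None


def rule_ipconfig_from_script(ev):
    """T1016: 'cmd /c ipconfig' spawned by the script host (its output is what gets POSTed to the C2)."""
    if (ev.get("EventID") == 1 and _base(ev, "Image") == "cmd.exe"
            and _base(ev, "ParentImage") == "wscript.exe" and "ipconfig" in ev.get("CommandLine", "").lower()):
        return "T1016", "ipconfig run via cmd from wscript.exe"
    return None


def rule_startup_drop(ev):
    """T1060: Sysmon FileCreate (event 11) into a Startup folder by a script host."""
    if (ev.get("EventID") == 11 and STARTUP_DIR in ev.get("TargetFilename", "").lower()
            and _base(ev, "Image") in ("wscript.exe", "cscript.exe")):
        return "T1060", f"startup folder drop {ntpath.basename(ev['TargetFilename'])}"
    return None


def rule_task_registered(ev):
    """T1053: task creation from the audit log, independent of how the task was registered."""
    source = (ev.get("Channel"), ev.get("EventID"))
    if source in (("Security", 4698), ("Microsoft-Windows-TaskScheduler/Operational", 106)):
        return "T1053", f"scheduled task registered: {ev.get('TaskName', '?')}"
    return None


RULES = (rule_certutil_decode, rule_script_from_cmd, rule_ipconfig_from_script,
         rule_startup_drop, rule_task_registered)


def correlate(event_lines, window=timedelta(minutes=10), min_techniques=3):
    """Collect rule hits per host; alert when a host shows at least min_techniques distinct
    techniques within `window` of its first hit. Returns a list of alert dicts."""
    hits = defaultdict(list)
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["UtcTime"])
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits[ev["Computer"]].append((ts, hit[0], hit[1]))
    alerts = []
    for host, items in hits.items():
        items.sort()
        t0 = items[0][0]
        in_window = [h for h in items if h[0] - t0 <= window]
        techniques = sorted({h[1] for h in in_window})
        if len(techniques) >= min_techniques:
            alerts.append({"host": host, "techniques": techniques, "findings": [h[2] for h in in_window]})
    return alerts


# Constructed events (JSON lines): WS01 runs the full chain, WS02 only a benign certutil -hashfile.
SAMPLE_EVENTS = r"""
{"Computer":"WS01","UtcTime":"2020-05-29 10:02:11","EventID":1,"Image":"C:\\Users\\a\\AppData\\Local\\Temp\\gosia.exe","OriginalFileName":"CertUtil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"}
{"Computer":"WS01","UtcTime":"2020-05-29 10:02:14","EventID":1,"Image":"C:\\Windows\\System32\\wscript.exe","OriginalFileName":"wscript.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wscript C:\\Users\\Public\\Downloads\\34fDKfSD38.js"}
{"Computer":"WS01","UtcTime":"2020-05-29 10:02:15","EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"cmd /c ipconfig"}
{"Computer":"WS01","UtcTime":"2020-05-29 10:02:16","EventID":11,"Image":"C:\\Windows\\System32\\wscript.exe","TargetFilename":"C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe"}
{"Computer":"WS01","UtcTime":"2020-05-29 10:02:17","Channel":"Security","EventID":4698,"TaskName":"\\OfficeUpdate"}
{"Computer":"WS02","UtcTime":"2020-05-29 11:30:00","EventID":1,"Image":"C:\\Windows\\System32\\certutil.exe","OriginalFileName":"CertUtil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil -hashfile setup.msi SHA256"}
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert, indent=2))
```

The window-based threshold is deliberately simple; in a SIEM the same rules would be keyed on host plus logon session, and the renamed-binary rule alone is worth a lower-severity alert even without the rest of the chain.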
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic: Execution
  T1059  Command-Line Interface                   Starts CMD.EXE to execute commands (WinRAR.exe, wscript.exe)
  T1106  Execution through API                    Application (AcroRd32.exe) launched itself
  T1053  Scheduled Task                           Loads the Task Scheduler DLL interface (Officeupdate.exe)
  T1064  Scripting                                Executes scripts (34fDFkfSD38.js)
  T1204  User Execution                           Manual execution by user (opening LNK file)
Tactic: Persistence
  T1060  Registry Run Keys / Startup Folder       Writes to a start menu file (Officeupdate.exe)
  T1053  Scheduled Task                           Uses Task Scheduler to run other applications (Officeupdate.exe)
Tactic: Privilege Escalation
  T1053  Scheduled Task                           Uses Task Scheduler to run other applications (Officeupdate.exe)
Tactic: Defense Evasion
  T1064  Scripting                                Executes scripts (34fDFkfSD38.js)
  T1140  Deobfuscate/Decode Files or Information  certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Tactic: Discovery
  T1012  Query Registry                           Reads the machine GUID from the registry
  T1082  System Information Discovery             Reads the machine GUID from the registry
  T1016  System Network Configuration Discovery   Uses IPCONFIG.EXE to discover IP address
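The network indicators above mix two kinds of hostname. sixindent.epizy.com, goodhk.azurewebsites.net and zeplin.atwebpages.com sit under zones that (on the assumption made in this example) are multi-tenant free or cloud hosting, so only the exact FQDN is hostile and blocking or alerting on the parent zone would flag unrelated tenants; www.comcleanner.info, by contrast, is under a domain the actor controls, so the registrable domain and any subdomain are fair game. The following added example, not code from the post, parses the IOC list as written (defanged with [.], hashes as bare SHA-256 lines), applies that distinction, and sweeps constructed DNS, proxy and file-inventory records. The log format, the hostnames WS01 to WS04 and the non-matching control lines are all made up for the demo; the shared-hosting zone list and the stripping of a leading "www." are assumptions.

```python
"""Sweeping telemetry for the IOCs listed above (added example; logs and inventory are constructed)."""
import ipaddress
import re

# Subset of the IOC block above, kept in the defanged form the post uses.
IOC_TEXT = """
CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com
45.76.6[.]149
www.comcleanner[.]info
"""
# Assumption: these are multi-tenant hosting zones, so match exact hostnames only, never the zone.
SHARED_HOSTING_ZONES = {"azurewebsites.net", "epizy.com", "atwebpages.com"}


def refang(value):
    return value.strip().lower().replace("[.]", ".")


def parse_iocs(text):
    """Split an IOC block into sha256 hashes, IPs, exact FQDNs and suffix-matched domains."""
    iocs = {"sha256": set(), "ip": set(), "fqdn": set(), "domain": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.fullmatch(r"[0-9a-fA-F]{64}", line):
            iocs["sha256"].add(line.lower())
            continue
        if "[.]" not in line:
            continue                          # file names in the list, not network indicators
        value = refang(line)
        try:
            ipaddress.ip_address(value)
            iocs["ip"].add(value)
            continue
        except ValueError:
            pass
        parent = value.split(".", 1)[1] if "." in value else ""
        if parent in SHARED_HOSTING_ZONES:
            iocs["fqdn"].add(value)
        else:
            iocs["domain"].add(value[4:] if value.startswith("www.") else value)   # assumption: www. is not significant
    return iocs


def match_host(qname, iocs):
    """Exact match for shared-hosting FQDNs; suffix match for actor-controlled domains."""
    q = qname.strip().lower().rstrip(".")
    if q in iocs["fqdn"]:
        return q
    for d in iocs["domain"]:
        if q == d or q.endswith("." + d):
            return d
    return None


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|proxy) (?P<value>\S+)")


def sweep(iocs, log_lines, inventory_lines):
    """Return (host, indicator_type, indicator) tuples for every record that matches an IOC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "proxy":                       # value is ip:port
            ip = m["value"].rsplit(":", 1)[0]
            if ip in iocs["ip"]:
                hits.append((m["host"], "ip", ip))
        else:                                          # value is the queried name
            indicator = match_host(m["value"], iocs)
            if indicator:
                hits.append((m["host"], "host", indicator))
    for line in inventory_lines:
        if line.count(",") < 2:
            continue
        host, _path, digest = line.strip().split(",", 2)
        if digest.lower() in iocs["sha256"]:
            hits.append((host, "sha256", digest.lower()))
    return hits


# Constructed records: "<timestamp> <host> dns <name>" / "<timestamp> <host> proxy <ip:port>".
SAMPLE_LOGS = """
2020-05-29T10:02:20Z WS01 dns goodhk.azurewebsites.net
2020-05-29T10:02:21Z WS02 dns myapp.azurewebsites.net
2020-05-29T10:02:22Z WS02 dns azurewebsites.net
2020-05-29T10:05:00Z WS01 dns www.comcleanner.info
2020-05-29T10:05:01Z WS03 dns update.comcleanner.info
2020-05-29T10:05:02Z WS01 proxy 45.76.6.149:443
2020-05-29T10:05:03Z WS04 proxy 45.76.6.150:443
"""
# Constructed file inventory: "<host>,<path>,<sha256>".
SAMPLE_INVENTORY = r"""
WS01,C:\Users\a\Downloads\CV_Colliers.rar,DF999D24BDE96DECDBB65287CA0986DB98F73B4ED477E18C3EF100064BCEBA6D
WS02,C:\Users\b\Downloads\report.pdf,0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for hit in sweep(parse_iocs(IOC_TEXT), SAMPLE_LOGS.splitlines(), SAMPLE_INVENTORY.splitlines()):
        print(hit)
```

Only WS01's exact hostname under azurewebsites.net and the comcleanner.info lookups (including the subdomain on WS03) match; the unrelated azurewebsites.net tenant on WS02 and the neighbouring IP on WS04 do not, which is the behaviour you want before turning an IOC list into a blocklist.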
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 330 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 331 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 332 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 333 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 334 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 335 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 336 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 337 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 338 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 339 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 340 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 341 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 342 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 343 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 344 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 345 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 346 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 347 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 348 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 349 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 350 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 351 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 352 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 353 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 354 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 355 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 356 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 357 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 358 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 359 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 360 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 361 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 362 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 363 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 364 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 365 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware.
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
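Added example (not code from the post or from Malwarebytes): a minimal parser for the two pieces just described, the command line a shortcut carries in its StringData and whatever is appended after its last ExtraData block. The sample shortcut, its arguments and the payload bytes are constructed here; the argument text is modelled on the steps the post lists, and the base64 framing imitates the header lines certutil tolerates.

```python
import base64
import struct

# LinkFlags bits from MS-SHLLINK (ShellLinkHeader, offset 0x14)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_DATA = (  # StringData sections always appear in this order
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Walk a shell link far enough to recover its StringData (including the
    command-line arguments) and whatever bytes trail the last ExtraData block."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:  # u16 IDListSize, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # u32 LinkInfoSize, which counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    out = {"flags": flags}
    for bit, key in STRING_DATA:         # u16 CountCharacters + characters, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")

    while pos + 4 <= len(data):          # ExtraData: u32 BlockSize per block; a size < 4 terminates
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size

    out["overlay"] = data[pos:]          # bytes after the terminal block are not part of the link
    return out


def decode_overlay(overlay: bytes) -> bytes:
    """Stand-in for the findstr + 'certutil -decode' stage: drop PEM-style
    header/footer lines, then base64-decode what remains."""
    lines = overlay.decode("ascii", "ignore").splitlines()
    return base64.b64decode("".join(l.strip() for l in lines if not l.startswith("-----")))


def build_sample_lnk(arguments: str, overlay: bytes) -> bytes:
    """Constructed minimal cmd.exe shortcut: header, empty IDList, RelativePath,
    Arguments, one terminal ExtraData block, then the overlay. Not a real sample."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, size, icon, show, hotkey, reserved

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    id_list = struct.pack("<H", 2) + b"\x00\x00"     # IDList holding only the TerminalID
    body = id_list + string_data(r"..\..\..\Windows\System32\cmd.exe") + string_data(arguments)
    return header + body + struct.pack("<I", 0) + overlay


# Constructed inputs: arguments modelled on the post's steps, payload is a CAB magic plus filler
CONSTRUCTED_ARGS = r"/c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe & %TEMP%\gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp"
CONSTRUCTED_PAYLOAD = b"MSCF" + b"\x00" * 12
CONSTRUCTED_LNK = build_sample_lnk(
    CONSTRUCTED_ARGS,
    b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(CONSTRUCTED_PAYLOAD) + b"\r\n-----END CERTIFICATE-----\r\n",
)


def analyse(data: bytes) -> dict:
    """What an analyst wants first: what the link runs and whether it carries a payload."""
    info = parse_lnk(data)
    payload = decode_overlay(info["overlay"]) if info["overlay"] else b""
    return {"arguments": info.get("arguments", ""), "overlay_size": len(info["overlay"]),
            "payload_magic": payload[:4]}


if __name__ == "__main__":
    print(analyse(CONSTRUCTED_LNK))
```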
Here is the list of commands that will be executed:

- Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
- Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
- Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
- Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
- Decompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
- Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
- Execute the JS file by calling Wscript.
- Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

- Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
- Execute the dropped “svchast.exe”.
- Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
- Add “officeupdate.exe” to the scheduled tasks.
- Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
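The behaviours in the table, as an added detection example (not code from the post or from Malwarebytes): a handful of rules run over constructed Sysmon-style events. The field names (Image, ParentImage, OriginalFileName, CommandLine, TargetFilename) are Sysmon's real ones; the events, user names and paths are made up, and the technique IDs are the ones the table above uses.

```python
import ntpath
import re

# Constructed Sysmon-style events modelled on the chain the table summarises
# (1 = ProcessCreate, 11 = FileCreate). Not real telemetry.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe"},
    {"id": 1, "Image": r"C:\Users\u\AppData\Local\Temp\gosia.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"id": 1, "Image": r"C:\Windows\System32\expand.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "expand.exe",
     "CommandLine": r"expand o423DFDS4.tmp -F:* C:\Users\u\AppData\Local\Temp"},
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"id": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /tn officeupdate /tr C:\Users\u\officeupdate.exe /sc minute"},
    {"id": 1, "Image": r"C:\Windows\System32\ipconfig.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "ipconfig.exe", "CommandLine": "ipconfig"},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": r"notepad C:\Users\u\notes.txt"},  # benign control
]

# "copy ... \*ertu*.exe": a wildcard that resolves to certutil.exe without naming it
WILDCARD_EXE_COPY = re.compile(r"\bcopy\b.*\\\*[^\\\s*]*\*\.exe", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return ntpath.basename(path).lower()


def triage(events):
    """Return (technique id, reason) pairs, using the IDs from the post's table."""
    findings = []
    for e in events:
        if e["id"] == 1:
            img, parent = _name(e["Image"]), _name(e["ParentImage"])
            cmd, orig = e["CommandLine"], e.get("OriginalFileName", "").lower()
            if WILDCARD_EXE_COPY.search(cmd):
                findings.append(("T1140", "wildcard copy of a System32 executable"))
            if orig == "certutil.exe" and img != "certutil.exe":   # PE name vs. name on disk
                findings.append(("T1140", "certutil running under another name: " + img))
            if img == "expand.exe" and "-f:*" in cmd.lower():
                findings.append(("T1140", "expand.exe extracting a CAB archive"))
            if img in SCRIPT_HOSTS and "\\users\\public\\" in cmd.lower():
                findings.append(("T1064", "script host run from C:\\Users\\Public"))
            if img == "schtasks.exe" and parent in SCRIPT_HOSTS:
                findings.append(("T1053", "scheduled task created by a script host"))
            if img == "ipconfig.exe":                               # noisy on its own
                findings.append(("T1016", "network configuration discovery"))
        elif e["id"] == 11 and "\\start menu\\programs\\startup\\" in e["TargetFilename"].lower():
            findings.append(("T1060", "file written to the Startup folder by " + _name(e["Image"])))
    return findings


def chain_detected(findings, minimum_techniques: int = 3) -> bool:
    """Single findings (ipconfig, expand) are everyday noise; alert on the chain, not the parts."""
    return len({tid for tid, _ in findings}) >= minimum_techniques


if __name__ == "__main__":
    for tid, reason in triage(EVENTS):
        print(tid, reason)
    print("chain detected:", chain_detected(triage(EVENTS)))
```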
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 421 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 422 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 423 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 424 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 425 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 426 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
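Detection logic for the process chain described above (the renamed certutil copy, the certutil -decode and expand.exe stages, wscript running the dropped JS from C:\Users\Public\Downloads, ipconfig launched from the script, and the Startup-folder copy), written as an added example rather than code from the Malwarebytes post. The events are constructed Sysmon-style process-creation records; the field names, sample paths, the archiver list and the svchost.exe parent for the scheduled task are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style; field names are assumptions)."""
    image: str          # full path of the created process
    original_name: str  # OriginalFileName from the PE version resource ("" if unknown)
    cmdline: str        # full command line
    parent_image: str   # full path of the parent process


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe"}   # assumption: archivers the LNK is opened from
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# a .tmp file under a temp directory, as used by the certutil and expand stages
TEMP_TMP = re.compile(r'\\(?:temp|tmp)\\[^\s"]+\.tmp\b', re.I)

# (technique id from the post's ATT&CK table, description, predicate)
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1059", "cmd.exe spawned directly by an archiver (LNK launched from inside the RAR)",
     lambda e: _base(e.image) == "cmd.exe" and _base(e.parent_image) in ARCHIVERS),
    # the LNK copies certutil with the wildcard *ertu*.exe, so the string "certutil"
    # never appears on the command line; key on the PE's OriginalFileName instead
    ("T1140", "certutil running under a renamed copy (gosia.exe)",
     lambda e: e.original_name.lower() == "certutil.exe"
     and _base(e.image) != "certutil.exe"),
    ("T1140", "certutil -decode of a .tmp file in a temp directory",
     lambda e: e.original_name.lower() == "certutil.exe"
     and "-decode" in e.cmdline.lower() and TEMP_TMP.search(e.cmdline) is not None),
    ("T1140", "expand.exe unpacking a .tmp archive (the CAB) from a temp directory",
     lambda e: _base(e.image) == "expand.exe" and TEMP_TMP.search(e.cmdline) is not None),
    ("T1064", "script host executing a script from C:\\Users\\Public",
     lambda e: _base(e.image) in SCRIPT_HOSTS and "\\users\\public\\" in e.cmdline.lower()),
    ("T1016", "cmd.exe spawned by a script host to run ipconfig",
     lambda e: _base(e.image) == "cmd.exe" and _base(e.parent_image) in SCRIPT_HOSTS
     and "ipconfig" in e.cmdline.lower()),
    # the post says the JS uses the Task Scheduler DLL interface, so no schtasks.exe
    # command line is expected; the Startup-folder copy is what shows up at run time
    ("T1060", "binary executed from the Start Menu Startup folder (officeupdate.exe)",
     lambda e: STARTUP_DIR in e.image.lower()),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (event index, technique id, description) for every rule that fires."""
    return [(i, tech, desc)
            for i, e in enumerate(events)
            for tech, desc, pred in RULES if pred(e)]


def chain_verdict(events: List[ProcEvent], min_techniques: int = 3):
    """Flag a session only when several distinct techniques from the table co-occur.
    A lone hit (an admin running certutil -decode) is weak evidence; the chain is not."""
    hits = scan(events)
    techniques = sorted({tech for _, tech, _ in hits})
    return len(techniques) >= min_techniques, techniques, hits


# constructed events following the LNK and JS steps from the post (paths are invented)
T = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"cmd.exe /c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe",
              r"C:\Program Files\WinRAR\WinRAR.exe"),
    ProcEvent(T + r"\gosia.exe", "CertUtil.exe",
              "gosia.exe -decode " + T + r"\cSi1rouy4.tmp " + T + r"\o423DFDS4.tmp",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe", "expand.exe",
              "expand.exe -F:* " + T + r"\o423DFDS4.tmp " + T, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", "wscript.exe",
              r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd /c ipconfig",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
              r"\Startup\officeupdate.exe", "", "officeupdate.exe",
              r"C:\Windows\System32\svchost.exe"),
]
# constructed benign activity: legitimate certutil and ipconfig use must not fire
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil.exe -hashfile C:\Users\admin\Downloads\setup.msi SHA256",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\ipconfig.exe", "ipconfig.exe", "ipconfig /all",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for label, evs in (("sample chain", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        flagged, techniques, hits = chain_verdict(evs)
        print(label, "flagged" if flagged else "clean", techniques)
        for idx, tech, desc in hits:
            print(f"  event {idx}: {tech} {desc}")
```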
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 468 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 469 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 470 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 471 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 472 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 473 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 474 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 475 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 476 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 477 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 478 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 479 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 480 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 481 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 482 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 483 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 484 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
Here is the list of commands that will be executed:

1. Copy the content of the LNK file itself into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy “certutil.exe” to “gosia.exe”. The source is referenced with the wildcard pattern “*ertu*.exe” rather than by name, so the string certutil never appears on the command line; this is meant to bypass simple detections.
3. Locate the base64 blob with “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode “cSi1rouy4.tmp” with “gosia.exe -decode” (i.e. certutil.exe -decode) and write the result to “o423DFDS4.tmp”.
5. Decompress “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the certutil.exe copy, which in this new case is “gosia.exe”, while in the March campaign it was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
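The LNK stage above (a shortcut whose argument string runs cmd.exe, copies certutil under a wildcard name, pulls a base64 blob out of the shortcut’s own bytes with findstr, decodes it and expands the resulting CAB) can be triaged statically, without running anything. The Python below is an added example written for this article; it is not code from the Malwarebytes post or from the samples. It parses the Shell Link header and StringData as laid out in MS-SHLLINK, skips the ExtraData blocks, treats whatever follows the TerminalBlock as an overlay, decodes the longest base64 run in that overlay and checks for the CAB magic MSCF. The shortcut it builds is constructed to have the same shape as the samples; the exact argument string, the temp-directory layout and the findstr marker “TVNDRg” (base64 of MSCF) are assumptions, since the post does not print the command line.

```python
import base64
import re
import struct

# Shell Link (MS-SHLLINK) header constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def _read_string_data(data, off, is_unicode):
    """StringData item: 2-byte character count, then the characters (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    width = 2 if is_unicode else 1
    raw = data[off:off + count * width]
    return raw.decode("utf-16-le" if is_unicode else "latin-1"), off + count * width


def parse_lnk(data):
    """Return the StringData fields plus everything appended after the ExtraData TerminalBlock."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string_data(data, off, bool(flags & IS_UNICODE))
    while off + 4 <= len(data):                 # ExtraData blocks end with a TerminalBlock (size < 4)
        block_size = struct.unpack_from("<I", data, off)[0]
        off += 4 if block_size < 4 else block_size
        if block_size < 4:
            break
    fields["overlay"] = data[off:]
    return fields


def extract_overlay_payload(overlay):
    """Decode the longest base64 run in the overlay; certutil accepts CRLF-wrapped input, so strip it."""
    best = max(B64_RUN.finditer(overlay), key=lambda m: len(m.group(0)), default=None)
    if best is None:
        return None, None
    blob = re.sub(rb"[\r\n]", b"", best.group(0))
    blob += b"=" * (-len(blob) % 4)
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:                          # binascii.Error subclasses ValueError
        return None, None
    return decoded, ("cab" if decoded.startswith(b"MSCF") else "unknown")


def triage_lnk(data):
    """Static triage: flag the LOLBin sequence from the post and any appended payload."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    findings = []
    if "cmd.exe" in info.get("relative_path", "").lower() or re.search(r"(?i)(^|\s)cmd(\.exe)?\s", args):
        findings.append("launches cmd.exe")
    if re.search(r"(?i)\*ertu\*|certutil", args):
        findings.append("references certutil (possibly via the wildcard *ertu*.exe)")
    if re.search(r"(?i)(^|\s)-decode(\s|$)", args):
        findings.append("certutil -decode of a dropped file")
    if re.search(r"(?i)\bexpand(\.exe)?\b.*-F:", args):
        findings.append("expand.exe -F: CAB extraction")
    if re.search(r"(?i)\b[wc]script(\.exe)?\b", args):
        findings.append("invokes Windows Script Host")
    payload, kind = extract_overlay_payload(info["overlay"])
    if payload is not None:
        findings.append(f"overlay carries a base64 payload ({len(payload)} bytes, type={kind})")
    return info, findings


def build_sample_lnk():
    """Constructed toy shortcut with the same shape as the samples: cmd.exe target, long argument
    string, icon borrowed from a system DLL, base64 fake CAB appended after the TerminalBlock.
    The command line and the findstr marker TVNDRg (base64 of MSCF) are assumptions."""
    def sd(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, reserved fields
    args = (r"/c copy /y %windir%\system32\*ertu*.exe %temp%\gosia.exe & "
            r'findstr "TVNDRg" %temp%\g4ZokyumB2DC4.tmp > %temp%\cSi1rouy4.tmp & '
            r"%temp%\gosia.exe -decode %temp%\cSi1rouy4.tmp %temp%\o423DFDS4.tmp & "
            r"expand.exe %temp%\o423DFDS4.tmp -F:* %temp% & "
            r"wscript.exe C:\Users\Public\Downloads\34fDFkfSD38.js")
    body = sd(r"..\..\..\Windows\System32\cmd.exe") + sd(args) + sd(r"%SystemRoot%\system32\SHELL32.dll")
    fake_cab = b"MSCF" + b"\x00" * 4 + b"constructed-cab-body" * 4
    overlay = b"\r\n" + base64.b64encode(fake_cab) + b"\r\n"
    return header + body + b"\x00\x00\x00\x00" + overlay


if __name__ == "__main__":
    info, findings = triage_lnk(build_sample_lnk())
    print("target:", info.get("relative_path"))
    for f in findings:
        print(" -", f)
```

On a real sample, read the .lnk bytes from disk and pass them to triage_lnk. The two checks that survive renaming of the temp files and of the certutil copy are the ones worth keeping in a detection: a shortcut whose StringData points at cmd.exe with an unusually long argument string, and data appended after the TerminalBlock that decodes to a CAB.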
Running each of the two LNK files would show a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.

svchast.exe

svchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we were not able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

SHA-256 hashes:

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Technique IDs are as published in 2020. In current ATT&CK versions T1059, T1053 and T1060 map to sub-techniques (T1059.003 Windows Command Shell, T1053.005 Scheduled Task, T1547.001 Registry Run Keys / Startup Folder), T1106 is now named Native API, and T1064 Scripting has been deprecated.

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
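The chain in the table maps onto a handful of telemetry checks that do not depend on the file names or hashes above: cmd.exe spawned by an archiver, a process whose PE OriginalFileName is CertUtil.exe but whose image name is something else, certutil -decode, expand.exe -F: on a file under Temp, Windows Script Host running a script from C:\Users\Public, and an executable written to a Startup folder. The Python below is an added example, not code from the post or from Malwarebytes: it evaluates those rules over constructed Sysmon-style records (Event ID 1 process creation, Event ID 11 file creation; the user name, paths and the benign control record are invented) and returns a verdict once at least three distinct stages of the chain have been seen on the same host. The scheduled-task step is deliberately not covered: the table says the script drives the Task Scheduler through its DLL interface rather than by launching schtasks.exe, so a process-creation rule would miss it and you want task-registration events (Security 4698 or the TaskScheduler operational log) instead.

```python
import ntpath
import re

# Constructed Sysmon-style records (Event ID 1 = process creation, Event ID 11 = file creation)
# mirroring the chain described in the post. User name, paths and the benign control record
# are invented for illustration; this is not telemetry from the real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"cmd.exe /c copy /y %windir%\system32\*ertu*.exe %temp%\gosia.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"gosia.exe -decode C:\Users\alice\AppData\Local\Temp\cSi1rouy4.tmp "
                    r"C:\Users\alice\AppData\Local\Temp\o423DFDS4.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand.exe C:\Users\alice\AppData\Local\Temp\o423DFDS4.tmp -F:* C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\Downloads\34fDFkfSD38.js"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"certutil -verify server.cer"},  # benign control
]

ARCHIVERS = {"winrar.exe"}   # the launcher named in the post; extend with other archive tools as needed


def _base(path):
    return ntpath.basename(path or "").lower()


def _is_certutil(ev):
    # Sysmon's OriginalFileName comes from the PE version resource, so a renamed copy still says CertUtil.exe
    return ev.get("EventID") == 1 and ev.get("OriginalFileName", "").lower() == "certutil.exe"


def rule_renamed_certutil(ev):
    return _is_certutil(ev) and _base(ev.get("Image")) != "certutil.exe"


def rule_certutil_decode(ev):
    return _is_certutil(ev) and re.search(r"(?i)(^|\s)-decode(\s|$)", ev.get("CommandLine", "")) is not None


def rule_expand_cab_in_temp(ev):
    cl = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1 and _base(ev.get("Image")) == "expand.exe"
            and re.search(r"(?i)-F:", cl) is not None and re.search(r"(?i)\\temp\\", cl) is not None)


def rule_script_host_public_dir(ev):
    return (ev.get("EventID") == 1 and _base(ev.get("Image")) in {"wscript.exe", "cscript.exe"}
            and re.search(r"(?i)\\users\\public\\.*\.(js|jse|vbs|vbe|wsf)\b", ev.get("CommandLine", "")) is not None)


def rule_cmd_from_archiver(ev):
    return ev.get("EventID") == 1 and _base(ev.get("Image")) == "cmd.exe" and _base(ev.get("ParentImage")) in ARCHIVERS


def rule_startup_folder_exe_write(ev):
    return (ev.get("EventID") == 11
            and re.search(r"(?i)\\start menu\\programs\\startup\\[^\\]+\.exe$", ev.get("TargetFilename", "")) is not None)


RULES = (rule_cmd_from_archiver, rule_renamed_certutil, rule_certutil_decode,
         rule_expand_cab_in_temp, rule_script_host_public_dir, rule_startup_folder_exe_write)


def evaluate(events):
    """Return (rule name, event index) for every rule that fires on every record."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


def chain_verdict(events, min_rules=3):
    """Flag the host when at least min_rules distinct stages of the chain were seen.
    Any single rule is noisy on its own (renamed certutil alone is worth a look but not a page)."""
    fired = sorted({name for name, _ in evaluate(events)})
    return len(fired) >= min_rules, fired


if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name:32s} event[{idx}] {SAMPLE_EVENTS[idx].get('Image')}")
    print("chain verdict:", chain_verdict(SAMPLE_EVENTS))
```

Feed evaluate with records for one host over a short window (the whole chain runs in seconds from a single double-click) rather than across the fleet, and keep the per-rule hits so an analyst can see which stages were observed. The benign record at the end shows why the certutil rules key on OriginalFileName plus the image name rather than on certutil being present at all.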
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 516 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 517 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 518 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 519 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 520 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 521 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 522 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 523 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 524 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 525 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 526 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 527 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 528 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 529 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 530 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 531 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 532 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 533 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 534 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 535 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 536 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 537 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 538 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 539 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 540 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 541 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 542 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 543 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 544 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 545 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 546 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 547 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 548 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 549 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 550 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 551 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 552 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 553 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 554 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
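Before walking through those commands, here is an added Python example of how an analyst can pull both pieces out of such a shortcut. It is not code from the Malwarebytes post or from the samples: it parses the ShellLinkHeader and StringData to recover the command-line arguments, then carves the base64 blob appended after the shortcut’s ExtraData terminal block and checks whether it decodes to a CAB file (MSCF magic), the format that expand.exe unpacks at the next stage. The shortcut bytes are constructed inline and only reuse the file names from this write-up; that the payload sits in the overlay as line-wrapped base64 is an assumption of the example.

```python
"""Triage helper for a shortcut that carries its own payload: recover the
command-line arguments from the LNK structures, then carve the base64 blob
appended after the ExtraData terminal block and test for the CAB magic.

Added example for this write-up, not Malwarebytes' or the samples' code.
Assumptions: the payload is line-wrapped base64 in the overlay after the
terminal block; the sample shortcut below is constructed here."""
import base64
import binascii
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
CAB_MAGIC = b"MSCF"
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _read_string(data, off, unicode):
    """One StringData item: 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    end = off + (2 * count if unicode else count)
    text = data[off:end].decode("utf-16-le" if unicode else "latin-1")
    return text, end


def parse_lnk(data):
    """Return LinkFlags, the StringData fields and the overlay bytes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LNK_CLSID:
        raise ValueError("wrong LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    unicode = bool(flags & IS_UNICODE)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            strings[name], off = _read_string(data, off, unicode)
    while off + 4 <= len(data):                # ExtraData: size-prefixed blocks
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:                           # TerminalBlock ends the structures
            off += 4
            break
        off += size
    return {"flags": flags, "strings": strings, "overlay": data[off:]}


def carve_payload(overlay):
    """Join the longest run of base64-looking lines (certutil -decode accepts
    wrapped input) and decode it. Returns (bytes or None, looks_like_cab)."""
    best, run = [], []
    for line in overlay.splitlines():
        line = line.strip()
        if line and B64_LINE.match(line):
            run.append(line)
            continue
        if len(b"".join(run)) > len(b"".join(best)):
            best = run
        run = []
    if len(b"".join(run)) > len(b"".join(best)):
        best = run
    blob = b"".join(best)
    if len(blob) < 64:
        return None, False
    blob += b"=" * (-len(blob) % 4)            # tolerate stripped padding
    try:
        decoded = base64.b64decode(blob)
    except (binascii.Error, ValueError):
        return None, False
    return decoded, decoded.startswith(CAB_MAGIC)


def triage(data):
    parsed = parse_lnk(data)
    args = parsed["strings"].get("arguments", "")
    decoded, is_cab = carve_payload(parsed["overlay"])
    low = args.lower()
    return {
        "arguments": args,
        # certutil referenced by wildcard, then -decode, then expand: the chain from the write-up
        "lolbin_chain": all(k in low for k in ("ertu", "-decode", "expand")),
        "payload_len": len(decoded) if decoded else 0,
        "payload_is_cab": is_cab,
    }


def build_sample_lnk():
    """Constructed stand-in, not a real sample: header, one UTF-16 argument
    string, the terminal block, then an appended base64 blob of a fake CAB."""
    args = ("/c copy %SystemRoot%\\System32\\*ertu*.exe %APPDATA%\\gosia.exe & "
            "%APPDATA%\\gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp & "
            "expand.exe -F:* o423DFDS4.tmp %TEMP%")
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + b"\x00" * (0x4C - 24))
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    fake_cab = CAB_MAGIC + b"\x00" * 4 + b"decoy.pdf\x00" + b"\x00" * 80   # 98 bytes
    return header + string_data + b"\x00\x00\x00\x00" + b"\r\n" + base64.encodebytes(fake_cab)


if __name__ == "__main__":
    print(triage(build_sample_lnk()))
```

Run it on a suspicious .lnk by passing the file’s bytes to triage(): a shortcut whose arguments reference certutil through a wildcard and whose overlay decodes to a CAB is worth pulling apart further, whatever icon it shows.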
Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy “certutil.exe” to “gosia.exe”. The copy command refers to the binary with the wildcard pattern “*ertu*.exe” rather than by name, so the string “certutil” never appears in the command line and detection keyed on it does not fire.
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the certutil.exe copy, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the Startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

File name | SHA-256
CV_Colliers.rar | df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar | c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk | 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk | c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
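The ATT&CK mapping above names the techniques; what a SOC needs is logic that catches the chain rather than any single LOLBin use, since certutil and expand.exe have plenty of legitimate callers. The following is an added Python example, not Malwarebytes’ detection content, that runs a handful of process-creation rules over constructed events with Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, OriginalFileName). It assumes the telemetry carries OriginalFileName, the name embedded in the PE, which is what still says CertUtil.exe after the copy has been renamed gosia.exe; the renamed-utility rule is tagged with T1036 (Masquerading), which is not in the table above but is the ATT&CK technique for that trick. All events are made up for the demonstration and only reuse the file names from this write-up.

```python
"""Detection logic for the certutil -> expand -> wscript chain in this
write-up, run over constructed process-creation events.

Added example, not Malwarebytes' detection content. Assumptions: Sysmon
Event ID 1 style fields including OriginalFileName (the PE's embedded name,
which survives certutil.exe being copied to gosia.exe); every event below
is made up and only borrows the article's file names."""
import ntpath
import re


def _base(image):
    return ntpath.basename(image).lower()       # handles backslash paths on any OS


# (rule name, ATT&CK ID, predicate over one event)
RULES = [
    ("renamed_certutil", "T1036",
     lambda e: e["OriginalFileName"].lower() == "certutil.exe"
     and _base(e["Image"]) != "certutil.exe"),
    ("certutil_decode", "T1140",
     lambda e: e["OriginalFileName"].lower() == "certutil.exe"
     and re.search(r"\s-decode\b", e["CommandLine"], re.I) is not None),
    ("wildcard_lolbin_copy", "T1059",            # copy ...\*ertu*.exe hides the tool's name
     lambda e: _base(e["Image"]) == "cmd.exe"
     and re.search(r"copy\s+\S*\*\S*\*\.exe", e["CommandLine"], re.I) is not None),
    ("expand_cab_all_files", "T1140",
     lambda e: _base(e["Image"]) == "expand.exe" and "-f:*" in e["CommandLine"].lower()),
    ("script_host_public_dir", "T1064",
     lambda e: _base(e["Image"]) in ("wscript.exe", "cscript.exe")
     and re.search(r"\\users\\public\\.*\.js\b", e["CommandLine"], re.I) is not None),
    ("script_host_spawns_exe", "T1204",
     lambda e: _base(e["ParentImage"]) in ("wscript.exe", "cscript.exe")
     and e["Image"].lower().endswith(".exe") and "\\users\\public\\" in e["Image"].lower()),
    ("startup_folder_exe", "T1060",
     lambda e: "\\start menu\\programs\\startup\\" in e["Image"].lower()),
]

# Constructed sample telemetry: events 1-5 and 7 replay the chain, event 6 is benign.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\*ertu*.exe %APPDATA%\gosia.exe"},
    {"id": 2, "Image": r"C:\Users\wang\AppData\Roaming\gosia.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"id": 3, "Image": r"C:\Windows\System32\expand.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe -F:* o423DFDS4.tmp C:\Users\wang\AppData\Local\Temp"},
    {"id": 4, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"id": 5, "Image": r"C:\Users\Public\Downloads\svchast.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "",
     "CommandLine": r"C:\Users\Public\Downloads\svchast.exe"},
    {"id": 6, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tools\app.exe SHA256"},   # legitimate use, must stay quiet
    {"id": 7, "Image": r"C:\Users\wang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "",
     "CommandLine": r"C:\Users\wang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
]


def detect(events):
    """Return [(event_id, rule_name, technique_id)] for every rule an event trips."""
    return [(e["id"], name, tid) for e in events for name, tid, pred in RULES if pred(e)]


def chain_score(hits):
    """Number of distinct rules fired; alert on the chain, not on one LOLBin call."""
    return len({name for _, name, _ in hits})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("distinct rules:", chain_score(found))
```

The benign certutil -hashfile event trips nothing, while the replayed chain fires every rule once; in production, feed chain_score() the hits for one host over a short window and page on a threshold rather than on any single rule.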
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 613 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 614 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 615 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 616 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 617 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 618 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 619 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 620 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 621 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:
Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy the content of “certutil.exe” into “gosia.exe” (the wildcard path “*ertu*.exe” is used instead of the literal name to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
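As an added triage example (not code from the post or from Malwarebytes), the following Python carves the appended base64 blob from an LNK the way the findstr/certutil steps above consume it, decodes it, and lists the members of the resulting CAB without extracting them. The LNK and cabinet bytes are constructed for the example, and the decoy PDF name is a placeholder.

```python
"""Triage of an LNK carrying an appended base64 payload (added example).

This is not code from the Malwarebytes post. It does, for an analyst, what the
malicious shortcut does to itself with findstr.exe and certutil -decode: find
the base64 blob appended after the shell link structure, decode it, and
confirm the result is the Microsoft Cabinet that the expand.exe step unpacks,
by parsing CFHEADER and CFFILE to list member names without extracting them.
The LNK and CAB bytes are constructed inline; the member names come from the
post except the decoy PDF name, which is a placeholder.
"""
from __future__ import annotations
import base64
import re
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"   # HeaderSize 0x4C that opens every .lnk
CAB_MAGIC = b"MSCF"
# A run of at least 64 base64 characters; the longest run is taken so short
# accidental matches inside the binary shell link data are ignored.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def carve_blob(lnk: bytes) -> bytes | None:
    """Decode the largest base64 run appended to an LNK, or None if absent."""
    if not lnk.startswith(LNK_MAGIC):
        raise ValueError("not a shell link file")
    runs = B64_RUN.findall(lnk)
    if not runs:
        return None
    try:
        return base64.b64decode(max(runs, key=len), validate=True)
    except ValueError:
        return None

def list_cab_members(cab: bytes) -> list[tuple[str, int]]:
    """Return (name, uncompressed size) for each CFFILE entry in a cabinet."""
    if len(cab) < 36 or cab[:4] != CAB_MAGIC:
        raise ValueError("decoded payload is not a CAB")
    # CFHEADER offsets: cbCabinet@8, coffFiles@16, cFolders@26, cFiles@28,
    # flags@30. Flag bit 2 means extra reserved fields follow the fixed
    # header; that layout is deliberately rejected rather than misparsed.
    cb_cabinet, _reserved2, coff_files = struct.unpack_from("<III", cab, 8)
    c_folders, c_files, flags = struct.unpack_from("<HHH", cab, 26)
    if cb_cabinet > len(cab) or flags & 0x0004:
        raise ValueError("truncated CAB or unsupported header layout")
    members: list[tuple[str, int]] = []
    off = coff_files
    for _ in range(c_files):
        # CFFILE: cbFile u32, uoffFolderStart u32, iFolder u16, date u16,
        # time u16, attribs u16, then a NUL-terminated szName.
        cb_file, _start, i_folder = struct.unpack_from("<IIH", cab, off)
        if i_folder < 0xFFFD and i_folder >= c_folders:  # >=0xFFFD: split cabinets
            raise ValueError("CFFILE points at a folder that does not exist")
        off += 16
        end = cab.index(b"\x00", off)
        members.append((cab[off:end].decode("ascii", "replace"), cb_file))
        off = end + 1
    return members

def build_sample_cab(files: list[tuple[str, int]]) -> bytes:
    """Constructed, data-free cabinet: header, one folder, CFFILE entries only."""
    entries = b"".join(
        struct.pack("<IIHHHH", size, 0, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        for name, size in files)
    # CFFOLDER: coffCabStart, cCFData, typeCompress (0 = no compression)
    folder = struct.pack("<IHH", 36 + 8 + len(entries), 0, 0)
    total = 36 + len(folder) + len(entries)
    header = CAB_MAGIC + struct.pack(
        "<IIIIIBBHHHHH", 0, total, 0, 36 + len(folder), 0, 3, 1, 1, len(files), 0, 0x1234, 0)
    return header + folder + entries

SAMPLE_MEMBERS = [("34fDKfSD38.js", 4096), ("66DF3DFG.tmp", 20480), ("decoy_document.pdf", 65536)]
# Constructed LNK: header magic, filler standing in for the shell link body,
# then the base64 cabinet on its own line, as findstr.exe would pick it out.
SAMPLE_LNK = (LNK_MAGIC + b"\x01\x14\x02\x00" + b"\x00" * 64
              + b"C:\\Windows\\System32\\cmd.exe\x00\r\n"
              + base64.b64encode(build_sample_cab(SAMPLE_MEMBERS)) + b"\r\n")

if __name__ == "__main__":
    payload = carve_blob(SAMPLE_LNK)
    for name, size in list_cab_members(payload):
        print(f"{name:<24} {size:>8} bytes")
```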
Running each of the two LNK files would show a different decoy document.

JS file

The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic               | ID    | Name                                      | Details
Execution            | T1059 | Command-Line Interface                    | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution            | T1106 | Execution through API                     | Application (AcroRd32.exe) launched itself
Execution            | T1053 | Scheduled Task                            | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution            | T1064 | Scripting                                 | Executes scripts (34fDFkfSD38.js)
Execution            | T1204 | User Execution                            | Manual execution by user (opening LNK file)
Persistence          | T1060 | Registry Run Keys / Startup Folder        | Writes to a start menu file (Officeupdate.exe)
Persistence          | T1053 | Scheduled Task                            | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task                            | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion      | T1064 | Scripting                                 | Executes scripts (34fDFkfSD38.js)
Defense Evasion      | T1140 | Deobfuscate/Decode Files or Information   | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery            | T1012 | Query Registry                            | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery              | Reads the machine GUID from the registry
Discovery            | T1016 | System Network Configuration Discovery    | Uses IPCONFIG.EXE to discover IP address
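The LNK stages, the JS persistence steps and the ATT&CK rows above all surface in process-creation telemetry; the following added Python (not code from the post or from Malwarebytes) encodes them as rules over Sysmon-style events and scores how much of the chain fires on one host. The events are constructed, and task creation via schtasks.exe is an assumption, since the post only says the JS adds officeupdate.exe to the scheduled tasks.

```python
"""Detection logic for the Higaisa LNK-to-persistence chain (added example).

Not code from the Malwarebytes post. Each rule captures one behaviour the post
attributes to the LNK or the dropped JS, evaluated over Sysmon-style process
creation records with the fields Image, CommandLine, ParentImage and
OriginalFileName. Stages are counted per host so that a lone renamed certutil
run is only a lead, while several stages together raise an alert.
The event lines are constructed; task creation through schtasks.exe is an
assumption, as the post does not say how the JS registers the task.
"""
from __future__ import annotations
import json
import ntpath

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def cmd_from_winrar(ev: dict) -> bool:
    # Low confidence on its own: cmd.exe started while WinRAR handled the LNK.
    return base(ev["Image"]) == "cmd.exe" and base(ev.get("ParentImage", "")) == "winrar.exe"

def wildcard_certutil_reference(ev: dict) -> bool:
    # The LNK names certutil as *ertu*.exe so the literal name never appears.
    return "*ertu*" in ev["CommandLine"].lower()

def renamed_certutil(ev: dict) -> bool:
    # A copy of certutil.exe (gosia.exe, mosia.exe) keeps its PE original name.
    # Genuine certutil.exe is not flagged here, to keep the rule quiet.
    orig = ev.get("OriginalFileName", "").lower()
    return orig == "certutil.exe" and base(ev["Image"]) != orig

def expand_wildcard_extract(ev: dict) -> bool:
    return base(ev["Image"]) == "expand.exe" and "-f:*" in ev["CommandLine"].lower()

def script_from_public_downloads(ev: dict) -> bool:
    cl = ev["CommandLine"].lower()
    return (base(ev["Image"]) in ("wscript.exe", "cscript.exe")
            and "\\users\\public\\" in cl and ".js" in cl)

def startup_folder_task(ev: dict) -> bool:
    # Assumed schtasks.exe form of "add officeupdate.exe to scheduled tasks".
    cl = ev["CommandLine"].lower()
    return base(ev["Image"]) == "schtasks.exe" and "/create" in cl and "\\startup\\" in cl

RULES = {
    "T1059 cmd.exe spawned by WinRAR": cmd_from_winrar,
    "T1036 certutil referenced by wildcard": wildcard_certutil_reference,
    "T1140 renamed certutil -decode": renamed_certutil,
    "T1140 expand.exe -F:* extraction": expand_wildcard_extract,
    "T1064 script run from Public\\Downloads": script_from_public_downloads,
    "T1053 task pointing into Startup folder": startup_folder_task,
}

def evaluate(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

def chain_verdict(events: list[dict], threshold: int = 3) -> tuple[str, set[str]]:
    """'alert' when at least `threshold` distinct stages fire, 'lead' for fewer, else 'clean'."""
    stages = {name for _, name in evaluate(events)}
    if len(stages) >= threshold:
        return "alert", stages
    return ("lead" if stages else "clean"), stages

# Constructed process-creation events: the first five mimic the chain in the
# post on one host, the last two are benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "cmd /c copy /y C:\\Windows\\System32\\*ertu*.exe gosia.exe", "OriginalFileName": "Cmd.Exe"}
{"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\gosia.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp", "OriginalFileName": "CertUtil.exe"}
{"Image": "C:\\Windows\\System32\\expand.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "expand.exe -F:* o423DFDS4.tmp .", "OriginalFileName": "expand.exe"}
{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wscript.exe C:\\Users\\Public\\Downloads\\34fDKfSD38.js", "OriginalFileName": "wscript.exe"}
{"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "schtasks /create /tn OfficeUpdate /sc onlogon /tr \"C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe\"", "OriginalFileName": "schtasks.exe"}
{"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "certutil.exe -verify server.cer", "OriginalFileName": "CertUtil.exe"}
{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe C:\\Program Files\\Vendor\\setup.js", "OriginalFileName": "wscript.exe"}
'''.strip().splitlines()]

if __name__ == "__main__":
    verdict, stages = chain_verdict(SAMPLE_EVENTS)
    print(verdict, sorted(stages))
```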
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 635 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 636 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 637 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 638 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 639 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 640 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 641 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 642 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 643 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 644 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 645 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 646 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 647 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 648 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 649 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 650 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 651 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 652 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file, which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to reference certutil without naming it, to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
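The LNK stage above (an argument list that drives a wildcard-copied certutil, findstr, expand.exe and wscript, plus a base64 blob that findstr pulls out of the shortcut itself) can be triaged statically before anything is executed. The following is an added example, not code from the Malwarebytes post or its authors: a minimal Shell Link parser that recovers the shortcut's command-line arguments from the StringData section, matches the tokens the step list describes against them, and carves the base64 payload appended after the structure, checking for the CAB magic that expand.exe would expect. The sample shortcut, the elided command fragment and the “MSCF”-prefixed blob are all constructed for the demo. Real shortcuts usually also carry an IDList and LinkInfo (the parser skips both by their size fields), and a blob that findstr extracts line by line may need its line breaks removed before decoding.

```python
"""LNK triage helper: added example, not code from the Malwarebytes post.
Recovers the shortcut's command-line arguments from the Shell Link
StringData, flags the living-off-the-land tokens the post describes,
and carves a base64 blob appended after the LNK structure."""
import base64
import re
import struct
import uuid
from typing import List, Optional

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Tokens from the post's LNK step list; the ATT&CK IDs are the ones in its table.
INDICATORS = [
    (r"\*\w*\*\.exe", "binary referenced through a wildcard (e.g. *ertu*.exe for certutil)"),
    (r"\bfindstr(\.exe)?\b", "findstr used to locate an embedded blob"),
    (r"-decode\b", "certutil-style base64 decode (T1140)"),
    (r"\bexpand(\.exe)?\s+.*-F:\*", "expand.exe -F:* CAB extraction (T1140)"),
    (r"\bwscript(\.exe)?\b.*\.js", "wscript launching a .js dropper (T1064)"),
    (r"Users\\Public\\Downloads", "staging under C:\\Users\\Public\\Downloads"),
]
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData; return fields and end offset."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return {"flags": flags, "fields": fields, "end": pos}


def suspicious_indicators(arguments: str) -> List[str]:
    return [why for pat, why in INDICATORS if re.search(pat, arguments, re.IGNORECASE)]


def carve_base64_blob(data: bytes, start: int) -> Optional[bytes]:
    """Decode the longest contiguous base64 run found after offset `start`."""
    runs = B64_RUN.findall(data[start:])
    if not runs:
        return None
    try:
        return base64.b64decode(max(runs, key=len), validate=True)
    except ValueError:
        return None


def triage(data: bytes) -> dict:
    info = parse_lnk(data)
    args = info["fields"].get("arguments", "")
    payload = carve_base64_blob(data, info["end"])
    return {
        "arguments": args,
        "indicators": suspicious_indicators(args),
        "appended_payload_size": len(payload) if payload else 0,
        # expand.exe unpacks a CAB, so "MSCF" at offset 0 is the expected magic
        "appended_payload_is_cab": payload is not None and payload[:4] == b"MSCF",
    }


def build_sample_lnk(arguments: str, appended_blob: bytes) -> bytes:
    """Constructed minimal shortcut: 76-byte header, arguments only, terminal block, blob."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
    header += struct.pack("<II", HAS_ARGUMENTS | IS_UNICODE, 0x20)   # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\0" * 24                                            # Creation/Access/Write time
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)           # FileSize .. Reserved3
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + b"\0\0\0\0" + b"\r\n" + appended_blob


# Constructed fragment using the post's file names; "..." elides the rest on purpose.
SAMPLE_ARGS = (
    r"/c copy ...\*ertu*.exe gosia.exe & findstr ... > cSi1rouy4.tmp & "
    r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp & expand.exe -F:* o423DFDS4.tmp ... & "
    r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"
)
# Constructed stand-in for the decoded payload: CAB magic plus padding, not a real cabinet.
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, base64.b64encode(b"MSCF" + b"\0" * 60))

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

The wildcard pattern is the indicator worth keeping even if the other tokens are renamed in a later campaign: a shortcut has no legitimate reason to locate a system binary with `*ertu*.exe`, and the same trick works for any LOLBin whose name a product matches literally.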
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic               | ID    | Name                                     | Details
Execution            | T1059 | Command-Line Interface                   | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution            | T1106 | Execution through API                    | Application (AcroRd32.exe) launched itself
Execution            | T1053 | Scheduled Task                           | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution            | T1064 | Scripting                                | Executes scripts (34fDFkfSD38.js)
Execution            | T1204 | User Execution                           | Manual execution by user (opening LNK file)
Persistence          | T1060 | Registry Run Keys / Startup Folder       | Writes to a start menu file (Officeupdate.exe)
Persistence          | T1053 | Scheduled Task                           | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task                           | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion      | T1064 | Scripting                                | Executes scripts (34fDFkfSD38.js)
Defense Evasion      | T1140 | Deobfuscate/Decode Files or Information  | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery            | T1012 | Query Registry                           | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery             | Reads the machine GUID from the registry
Discovery            | T1016 | System Network Configuration Discovery   | Uses IPCONFIG.EXE to discover IP address
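Mapped against the ATT&CK rows above, the same chain leaves a recognisable footprint in endpoint telemetry even when every file name changes. The following is an added example, not code from the post: detection logic run over a constructed set of Sysmon-style process-create, file-create and network-connect events that mirror the LNK → JS → persistence steps (a renamed certutil decoding a .tmp, expand.exe -F:* on a .tmp, wscript running a .js from C:\Users\Public, the Startup-folder copy, the task registration, and the beacon after ipconfig). The field names, pids, user name and the placeholder destination are assumptions. The task-registration rule assumes that registering a task surfaces as a file created under System32\Tasks, which is how a COM-based registration (the table's "Loads the Task Scheduler DLL interface") would appear, rather than as a schtasks.exe process.

```python
"""Detection logic for the Higaisa LNK chain over constructed endpoint telemetry.
Added example, not code from the Malwarebytes post. Event shapes loosely follow
Sysmon process-create / file-create / network-connect records; the events below
are constructed, with file names taken from the post."""
import ntpath
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, int]   # (ATT&CK technique, description, pid)

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TASKS_RE = re.compile(r"\\System32\\Tasks\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _descendants(pid: int, children: Dict[int, List[int]]) -> set:
    """All transitive child pids of `pid` in the process tree."""
    out, stack = set(), [pid]
    while stack:
        p = stack.pop()
        for c in children.get(p, []):
            if c not in out:
                out.add(c)
                stack.append(c)
    return out


def detect(events: List[dict]) -> List[Finding]:
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children: Dict[int, List[int]] = {}
    for e in procs.values():
        children.setdefault(e["ppid"], []).append(e["pid"])
    findings: List[Finding] = []

    for e in procs.values():
        image, cmd = _base(e["image"]), e["cmdline"]
        # T1140: certutil running under another name (the wildcard copy does not change
        # the PE OriginalFileName, so the version resource still says CertUtil.exe)
        if e.get("original_file_name", "").lower() == "certutil.exe" and image != "certutil.exe":
            findings.append(("T1140", f"renamed certutil ({image}) run with: {cmd}", e["pid"]))
        # T1140: expand.exe extracting a CAB with -F:* from a .tmp file
        if image == "expand.exe" and "-f:*" in cmd.lower() and ".tmp" in cmd.lower():
            findings.append(("T1140", f"expand.exe unpacking temp CAB: {cmd}", e["pid"]))
        # T1064: script host executing a .js staged under C:\Users\Public
        if image in SCRIPT_HOSTS and re.search(r"\\users\\public\\.*\.js\b", cmd, re.IGNORECASE):
            findings.append(("T1064", f"script host running staged JS: {cmd}", e["pid"]))

    for e in events:
        if e["type"] == "file_create" and _base(e["image"]) in SCRIPT_HOSTS:
            if STARTUP_RE.search(e["target"]):      # T1060: Startup folder persistence
                findings.append(("T1060", f"script host wrote Startup folder file {e['target']}", e["pid"]))
            if TASKS_RE.search(e["target"]):        # T1053: task XML written on registration
                findings.append(("T1053", f"script host registered scheduled task {e['target']}", e["pid"]))
        if e["type"] == "net" and _base(e["image"]) in SCRIPT_HOSTS:
            # T1016 + exfil: script host beacons after a descendant ran ipconfig
            ran_ipconfig = any(_base(procs[c]["image"]) == "ipconfig.exe"
                               for c in _descendants(e["pid"], children) if c in procs)
            if ran_ipconfig:
                findings.append(("T1016", f"script host beaconed to {e['dest']} after running ipconfig", e["pid"]))
    return findings


SAMPLE_EVENTS = [  # constructed chain mirroring the post's LNK -> JS -> persistence steps
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe", "cmdline": "cmd.exe /c ..."},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe",
     "original_file_name": "CertUtil.exe", "cmdline": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"type": "process", "pid": 202, "ppid": 200, "image": r"C:\Windows\System32\expand.exe",
     "original_file_name": "expand.exe", "cmdline": r"expand.exe -F:* o423DFDS4.tmp C:\Users\victim\AppData\Local\Temp"},
    {"type": "process", "pid": 203, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "original_file_name": "wscript.exe", "cmdline": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"type": "process", "pid": 204, "ppid": 203, "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe", "cmdline": "cmd /c ipconfig"},
    {"type": "process", "pid": 205, "ppid": 204, "image": r"C:\Windows\System32\ipconfig.exe",
     "original_file_name": "ipconfig.exe", "cmdline": "ipconfig"},
    {"type": "file_create", "pid": 203, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    {"type": "file_create", "pid": 203, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Windows\System32\Tasks\officeupdate"},
    {"type": "net", "pid": 203, "image": r"C:\Windows\System32\wscript.exe",
     "dest": "c2-placeholder.invalid:443"},   # placeholder, not one of the post's C2s
]

BENIGN_EVENTS = [  # constructed: certutil under its own name, script outside C:\Users\Public
    {"type": "process", "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "original_file_name": "CertUtil.exe", "cmdline": "certutil.exe -decode cert.b64 cert.cer"},
    {"type": "process", "pid": 301, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "original_file_name": "wscript.exe", "cmdline": r"wscript.exe C:\Program Files\Vendor\inventory.js"},
]

if __name__ == "__main__":
    for technique, why, pid in detect(SAMPLE_EVENTS):
        print(f"{technique} pid={pid}: {why}")
```

The durable signal is the renamed-certutil rule: copying the binary to gosia.exe (or mosia.exe in the March campaign) leaves the PE version resource's OriginalFileName untouched, so keying on that field rather than the process name survives the next rename, whereas a literal match on certutil.exe is exactly what the wildcard copy is built to avoid.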
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 708 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 709 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 710 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 711 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 712 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
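The command chain in the LNK and JS sections above is built from living-off-the-land binaries, so each step looks benign on its own; the following added example (not code from the Malwarebytes post) shows how a defender can match the stages against process-creation telemetry and alert only when several fire together. The Sysmon-style event fields, the victim paths, the task name and the benign certutil call are constructed, and the schtasks switches are assumed rather than taken from the sample.

```python
"""Added example, not code from the Malwarebytes post: match the LNK -> renamed certutil ->
expand.exe -> wscript -> schtasks chain against Sysmon-style process-creation events
(Image, OriginalFileName, ParentImage, CommandLine). All sample values are constructed."""
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (rule id, ATT&CK technique, evidence)
PUBLIC_DOWNLOADS = "c:\\users\\public\\downloads"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def _base(e: Event, key: str) -> str:
    """Lower-cased file name of the Image / ParentImage path."""
    return ntpath.basename(e.get(key, "")).lower()

def _cmd(e: Event) -> str:
    return e.get("CommandLine", "").lower()

def rule_cmd_from_archiver(e: Event) -> List[Finding]:
    # T1204: the LNK is opened straight out of the RAR, so cmd.exe's parent is WinRAR.
    if _base(e, "Image") == "cmd.exe" and _base(e, "ParentImage") == "winrar.exe":
        return [("cmd-from-archiver", "T1204", e["CommandLine"])]
    return []

def rule_certutil(e: Event) -> List[Finding]:
    # T1140: the gosia.exe/mosia.exe copy keeps certutil's version info (OriginalFileName).
    out: List[Finding] = []
    if e.get("OriginalFileName", "").lower() != "certutil.exe":
        return out
    if _base(e, "Image") != "certutil.exe":
        out.append(("renamed-certutil", "T1140", e["Image"] + " is certutil.exe under another name"))
    if "-decode" in _cmd(e) and ".tmp" in _cmd(e):
        out.append(("certutil-decode-tmp", "T1140", e["CommandLine"]))
    return out

def rule_expand(e: Event) -> List[Finding]:
    # T1140: expand.exe -F:* unpacking a .tmp CAB (the decoded payload).
    if _base(e, "Image") == "expand.exe" and "-f:*" in _cmd(e) and ".tmp" in _cmd(e):
        return [("expand-cab-from-tmp", "T1140", e["CommandLine"])]
    return []

def rule_script_host(e: Event) -> List[Finding]:
    # T1064: wscript running a .js dropped in C:\Users\Public\Downloads.
    if _base(e, "Image") in SCRIPT_HOSTS and PUBLIC_DOWNLOADS in _cmd(e) and ".js" in _cmd(e):
        return [("script-from-public-downloads", "T1064", e["CommandLine"])]
    return []

def rule_script_ipconfig(e: Event) -> List[Finding]:
    # T1016: the JS collects "cmd /c ipconfig" output before POSTing it to the C&C.
    if _base(e, "Image") == "cmd.exe" and _base(e, "ParentImage") in SCRIPT_HOSTS and "ipconfig" in _cmd(e):
        return [("script-host-ipconfig", "T1016", e["CommandLine"])]
    return []

def rule_schtasks_startup(e: Event) -> List[Finding]:
    # T1053: a scheduled task whose action lives in the Startup folder (officeupdate.exe).
    if _base(e, "Image") == "schtasks.exe" and "/create" in _cmd(e) and STARTUP_DIR in _cmd(e):
        return [("schtask-startup-binary", "T1053", e["CommandLine"])]
    return []

RULES: List[Callable[[Event], List[Finding]]] = [rule_cmd_from_archiver, rule_certutil, rule_expand,
                                                 rule_script_host, rule_script_ipconfig, rule_schtasks_startup]

def analyze(events: List[Event]) -> List[Finding]:
    return [f for e in events for rule in RULES for f in rule(e)]

def triggered_rules(events: List[Event]) -> List[str]:
    return sorted({f[0] for f in analyze(events)})

def chain_detected(events: List[Event], min_rules: int = 3) -> bool:
    # Any single rule is noisy (admins run certutil and expand too); the signal is several
    # stages firing together. In production, scope this to one host and a short time window.
    return len(triggered_rules(events)) >= min_rules

CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
TEMP = r"C:\Users\victim\AppData\Local\Temp"   # constructed path
# Constructed event chain following the post's description; the last event is a benign certutil run.
SAMPLE_EVENTS: List[Event] = [
    {"Image": CMD, "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'cmd /c copy "Curriculum Vitae.pdf.lnk" ' + TEMP + r"\g4ZokyumB2DC4.tmp"},
    {"Image": TEMP + r"\gosia.exe", "OriginalFileName": "CertUtil.exe", "ParentImage": CMD,
     "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe", "ParentImage": CMD,
     "CommandLine": "expand.exe o423DFDS4.tmp -F:* " + TEMP},
    {"Image": WSCRIPT, "OriginalFileName": "wscript.exe", "ParentImage": CMD,
     "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"Image": CMD, "OriginalFileName": "Cmd.Exe", "ParentImage": WSCRIPT, "CommandLine": "cmd /c ipconfig"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe", "ParentImage": WSCRIPT,
     "CommandLine": r'schtasks /create /tn OfficeUpdate /sc minute /tr "C:\Users\victim\AppData\Roaming'
                    r'\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe", "ParentImage": CMD,
     "CommandLine": "certutil -verify server.cer"},
]

if __name__ == "__main__":
    for rule_id, technique, evidence in analyze(SAMPLE_EVENTS):
        print(f"[{technique}] {rule_id}: {evidence}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The OriginalFileName comparison is what catches the renamed certutil copy: the on-disk name changes, the version resource inside the binary does not.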
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 757 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 758 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 759 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 760 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 761 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 762 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 763 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 764 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 765 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 766 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 767 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 768 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 769 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 770 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 771 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 772 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 773 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 774 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 775 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 776 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 777 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 778 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 779 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 780 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 781 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 782 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 783 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

"CV_Colliers.rar"
"Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe" (the copy refers to the source as "*ertu*.exe", a wildcard that keeps the string "certutil" off the command line and is used to bypass security detection).
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (i.e. certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" (a CAB file) into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the certutil.exe copy, which in this new case is "gosia.exe", while in the March campaign the name was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
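The steps above are what a responder has to reverse to get at the payload without running the shortcut. The following Python script is an added example, not code from the Malwarebytes write-up: it walks the Shell Link structure ([MS-SHLLINK]) to recover the COMMAND_LINE_ARGUMENTS string, then repeats what the findstr and "gosia.exe -decode" steps do by locating the base64 blob appended after the structure, decoding it and checking for the CAB signature that expand.exe expects. The sample shortcut, its command line (SAMPLE_ARGUMENTS, including the findstr pattern), and the FAKE_CAB payload are constructed for this example and only approximate the sequence listed above; the assumption that the blob is one contiguous base64 run is also the example's, not the write-up's.

```python
"""Triage parser for a shortcut that carries its payload the way the Higaisa LNK
does. Added example, not from the write-up; sample data below is constructed."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo, StringData and ExtraData; return the
    StringData fields plus whatever bytes trail the shortcut structure."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        raw = data[off:off + (count * 2 if unicode else count)]
        off += len(raw)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    while off + 4 <= len(data):                    # ExtraData blocks; size < 4 terminates
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        off += block_size
    fields["trailing"] = data[off:]
    return fields


def extract_appended_payload(data: bytes) -> bytes:
    """Same effect as the findstr + 'gosia.exe -decode' steps: take the longest
    base64 run found after the structure and decode it."""
    trailing = parse_lnk(data)["trailing"].replace(b"\r", b"").replace(b"\n", b"")
    runs = BASE64_RUN.findall(trailing)
    if not runs:
        raise ValueError("no base64 blob appended to the shortcut")
    return base64.b64decode(max(runs, key=len))


def triage_lnk(data: bytes) -> dict:
    """Summarise the indicators a responder checks first."""
    args = parse_lnk(data).get("arguments", "")
    payload = extract_appended_payload(data)
    return {
        "arguments": args,
        "certutil_wildcard": "*ertu*" in args,     # certutil copied without being named
        "certutil_decode": "-decode" in args,
        "expand_wildcard": "-F:*" in args,
        "payload_is_cab": payload[:4] == b"MSCF",  # signature expand.exe will accept
        "payload_size": len(payload),
    }


def build_sample_lnk(arguments: str, payload: bytes) -> bytes:
    """Construct a minimal shortcut: 76-byte header with HasArguments|IsUnicode,
    the arguments as StringData, a TerminalBlock, then the base64 payload appended."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))      # attributes, timestamps, etc. zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + b"\x00" * 4 + b"\r\n" + base64.b64encode(payload) + b"\r\n"


# Constructed approximation of the command sequence; not the real sample's line.
# "TVND" is the base64 prefix of "MSC", i.e. how a CAB looks once encoded.
SAMPLE_ARGUMENTS = (r"/c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe & "
                    r"findstr /b TVND %TEMP%\g4ZokyumB2DC4.tmp > %TEMP%\cSi1rouy4.tmp & "
                    r"%TEMP%\gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp & "
                    r"expand %TEMP%\o423DFDS4.tmp -F:* %TEMP%")
# Fake CAB: only the MSCF signature is real; the rest is filler, not a valid archive.
FAKE_CAB = b"MSCF" + b"\x00" * 32 + b"decoy.pdf 66DF3DFG.tmp 34fDKfSD38.js"
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGUMENTS, FAKE_CAB)

if __name__ == "__main__":
    for key, value in triage_lnk(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

certutil -decode also accepts the blob wrapped in BEGIN/END CERTIFICATE lines and broken into 64-character rows, which is why the extractor strips CR/LF before matching. The script only verifies the MSCF signature; to unpack a real payload, hand the decoded file to expand.exe or 7-Zip on an isolated machine, never to the gosia.exe copy found on the victim.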
Running each LNK file would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the startup directory and rename it as "officeupdate.exe".
4. Add "officeupdate.exe" to scheduled tasks.
5. Send a POST request to a hardcoded URL with the content of "d3reEW.exe" (the ipconfig output) as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp". In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

Files (SHA-256):

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration):

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe:

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic                ID     Name                                      Details
Execution             T1059  Command-Line Interface                    CMD.EXE is started (by WinRAR.exe, wscript.exe) to execute commands
Execution             T1106  Execution through API                     Application (AcroRd32.exe) launched itself
Execution             T1053  Scheduled Task                            Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution             T1064  Scripting                                 Executes scripts (34fDFkfSD38.js)
Execution             T1204  User Execution                            Manual execution by user (opening LNK file)
Persistence           T1060  Registry Run Keys / Startup Folder        Writes to a start menu file (Officeupdate.exe)
Persistence           T1053  Scheduled Task                            Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation  T1053  Scheduled Task                            Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion       T1064  Scripting                                 Executes scripts (34fDFkfSD38.js)
Defense Evasion       T1140  Deobfuscate/Decode Files or Information   certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery             T1012  Query Registry                            Reads the machine GUID from the registry
Discovery             T1082  System Information Discovery              Reads the machine GUID from the registry
Discovery             T1016  System Network Configuration Discovery    Uses IPCONFIG.EXE to discover IP address
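The LNK stage and the JS stage described above, together with the ATT&CK rows, give a detection engineer a concrete chain to key on. The following Python is an added example, not code from the Malwarebytes write-up, that expresses that chain as behavioural rules and runs them over constructed process-creation and file-creation records. Field names follow Sysmon (Event ID 1: Image, CommandLine, ParentImage, OriginalFileName; Event ID 11: TargetFilename), but every event below is made up for this example; the user name, task name, exact command lines and the rule names are assumptions, and only the file names (gosia.exe, the .tmp files, 34fDKfSD38.js, officeupdate.exe) come from the write-up.

```python
"""Behavioural rules for the Higaisa LNK -> certutil -> expand -> wscript ->
startup-folder chain, evaluated over constructed Sysmon-style records.
Added example, not from the write-up."""
import ntpath
import re


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _cmd(ev: dict) -> str:
    return ev.get("CommandLine", "").lower()


def certutil_renamed_or_wildcard(ev: dict) -> bool:
    # certutil copied through a wildcard ("*ertu*.exe") or run under a new name:
    # the PE's OriginalFileName still reads CertUtil.exe whatever it was renamed to.
    if re.search(r"\*ertu\*\.exe", _cmd(ev)):
        return True
    original = ev.get("OriginalFileName", "").lower()
    return original == "certutil.exe" and _base(ev.get("Image", "")) != "certutil.exe"


def expand_wildcard_extract(ev: dict) -> bool:
    # expand.exe -F:* unpacking a CAB is rare outside setup programs.
    return _base(ev.get("Image", "")) == "expand.exe" and "-f:*" in _cmd(ev)


def script_from_public_downloads(ev: dict) -> bool:
    # The JS stage is launched from C:\Users\Public\Downloads, a world-writable path.
    return _base(ev.get("Image", "")) in ("wscript.exe", "cscript.exe") and \
        re.search(r'c:\\users\\public\\downloads\\[^\s"]+\.js', _cmd(ev)) is not None


def cmd_spawned_by_archiver(ev: dict) -> bool:
    # The shortcut is opened straight out of the archive, so cmd.exe's parent is WinRAR.
    return _base(ev.get("Image", "")) == "cmd.exe" and \
        _base(ev.get("ParentImage", "")) == "winrar.exe"


def startup_folder_drop(ev: dict) -> bool:
    # FileCreate of an executable in a Start Menu\Programs\Startup folder.
    target = ev.get("TargetFilename", "").lower()
    return "\\start menu\\programs\\startup\\" in target and target.endswith(".exe")


# (rule name, ATT&CK ID as used in the table above, predicate)
RULES = [
    ("certutil_renamed_or_wildcard", "T1140", certutil_renamed_or_wildcard),
    ("expand_wildcard_extract", "T1140", expand_wildcard_extract),
    ("script_from_public_downloads", "T1064", script_from_public_downloads),
    ("cmd_spawned_by_archiver", "T1204", cmd_spawned_by_archiver),
    ("startup_folder_drop", "T1060", startup_folder_drop),
]


def evaluate(ev: dict) -> list:
    """All (rule, technique) pairs that fire on one record."""
    return [(name, tid) for name, tid, pred in RULES if pred(ev)]


def scan(events: list) -> dict:
    """Map record index -> hits; records with no hits are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed records; paths, user and task details are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe"},
    {"EventID": 1, "Image": r"C:\Users\wlei\AppData\Local\Temp\gosia.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand %TEMP%\o423DFDS4.tmp -F:* %TEMP%"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\wlei\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\officeupdate.exe"},
    # Benign control: certutil run under its own name does not fire anything.
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verifystore root"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Two caveats when turning this into production content. The OriginalFileName check needs a Sysmon version that records that field; on older telemetry the renamed-certutil case is only visible through the "-decode" argument on a binary not named certutil.exe. And the JS stage creates its task through the Task Scheduler interface (the table's "Loads the Task Scheduler DLL interface" row), so there is no schtasks.exe process to catch; pair the startup-folder file rule with Security event 4698 (a scheduled task was created) rather than a process rule.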
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 806 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 807 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 808 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 809 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 810 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 811 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 812 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 813 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 814 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 815 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 816 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 817 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 818 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 819 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 820 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 821 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 822 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 823 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 824 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 825 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.\r\nWe were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:\r\nCopy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.\r\nCopy the content of “certutil.exe” into “gosia.exe” (the “*ertu*.exe” name is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.\r\nDecompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).\r\nCopy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\\Users\\Public\\Downloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive execute similar commands with different Command and Control (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:\\Users\\Public\\Downloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”.\r\nThis shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.\r\nThe final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.\r\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C server.\r\nAt the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.\r\nIOCs\r\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Details\r\nExecution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution\r\nExecution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself\r\nExecution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)\r\nExecution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)\r\nExecution | T1204 | User Execution | Manual execution by user (opening LNK file)\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)\r\nPersistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)\r\nPrivilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)\r\nDefense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file\r\nDiscovery | T1012 | Query Registry | Reads the machine GUID from the registry\r\nDiscovery | T1082 | System Information Discovery | Reads the machine GUID from the registry\r\nDiscovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 853 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 854 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 855 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 856 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 857 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 858 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 859 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 860 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 861 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 862 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 863 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 864 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 865 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 866 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 867 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 868 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- "CV_Colliers.rar"
- "Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded, compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe" (the wildcard "*ertu*.exe" is used to bypass security detection).
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" in the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to certutil.exe, which in this new case is "gosia.exe", while in the March campaign the name was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the startup directory and rename it "officeupdate.exe".
4. Add "officeupdate.exe" to the scheduled tasks.
5. Send a POST request to a hardcoded URL with "d3reEW.exe" as the data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp".

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally, it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

File | Hash
CV_Colliers.rar | df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar | c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk | 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk | c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

- sixindent[.]epizy[.]com
- goodhk[.]azurewebsites[.]net
- zeplin[.]atwebpages[.]com

C2s used by svchast.exe

- 45.76.6[.]149
- www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 902 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 903 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 904 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 905 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 906 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 907 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 908 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 909 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 910 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 911 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 912 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 913 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to reference certutil.exe without naming it, to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of the certutil.exe copy, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
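One way to detect the LNK, JS and loader stages described above on the endpoint, as an added example (this is not code from the Malwarebytes post): the script runs a few Sysmon-style rules over constructed process-creation (Event ID 1), file-creation (Event ID 11) and proxy records and correlates them per host. The check worth noting is the renamed certutil copy: the file on disk is called gosia.exe, but the OriginalFileName field that Sysmon takes from the PE version resource still reads CertUtil.exe (casing assumed, compared case-insensitively), so the rename does not hide it from a rule that compares that field with the on-disk name. Host names, user paths, the sample command lines, the "proxy" record shape and the "EXFIL" label are all constructed; the C2 domains are the ones from the IOC section, refanged.

```python
"""Endpoint detection rules for the LNK -> JS -> loader chain in this post.

Added example, not code from the Malwarebytes post. Event dictionaries use
Sysmon field names (Event ID 1 process create, Event ID 11 file create) plus
a made-up "proxy" record; all hosts, paths and command lines are CONSTRUCTED.
"""
import ntpath
import re

# C2 domains from the IOC section, refanged from the bracketed form.
IPCONFIG_EXFIL_DOMAINS = {
    "sixindent.epizy.com",
    "goodhk.azurewebsites.net",
    "zeplin.atwebpages.com",
}

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PUBLIC_DL_JS_RE = re.compile(r"\\Users\\Public\\Downloads\\\S+\.js", re.IGNORECASE)


def _image_name(path):
    return ntpath.basename(path).lower()


def classify_process(ev):
    """Tags for one process-create event: list of (technique, reason)."""
    tags = []
    image = _image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    # Sysmon fills OriginalFileName from the PE version resource, so a copy of
    # certutil.exe saved as gosia.exe still reports CertUtil.exe here
    # (assumed casing; compared case-insensitively).
    orig = ev.get("OriginalFileName", "").lower()
    if orig == "certutil.exe" and image != "certutil.exe":
        tags.append(("T1140", f"certutil.exe running under the name {image}"))
    if orig == "certutil.exe" and re.search(r"\s-decode\b", cmd, re.IGNORECASE):
        tags.append(("T1140", "certutil -decode of a Base64 blob"))
    if image == "expand.exe" and re.search(r"-F:\*", cmd, re.IGNORECASE):
        tags.append(("T1140", "expand.exe -F:* unpacking a CAB"))
    if image in ("wscript.exe", "cscript.exe") and PUBLIC_DL_JS_RE.search(cmd):
        tags.append(("T1064", "script host run from C:\\Users\\Public\\Downloads"))
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        tags.append(("T1053", "scheduled task created"))
    return tags


def classify_file_create(ev):
    """Tags for one file-create event (executable dropped into the Startup folder)."""
    target = ev.get("TargetFilename", "")
    if STARTUP_DIR_RE.search(target) and target.lower().endswith(".exe"):
        return [("T1060", f"executable written to Startup folder: {ntpath.basename(target)}")]
    return []


def classify_http(ev):
    """Tags for one outbound proxy record (POST of the ipconfig output)."""
    if ev.get("Method") == "POST" and ev.get("Dest", "").lower() in IPCONFIG_EXFIL_DOMAINS:
        return [("EXFIL", f"POST to known Higaisa C2 {ev['Dest']}")]
    return []


def analyze(events):
    """Map host -> sorted list of distinct techniques observed on it."""
    found = {}
    for ev in events:
        kind = ev.get("EventID")
        if kind == 1:
            tags = classify_process(ev)
        elif kind == 11:
            tags = classify_file_create(ev)
        elif kind == "proxy":
            tags = classify_http(ev)
        else:
            tags = []
        for technique, _reason in tags:
            found.setdefault(ev["Host"], set()).add(technique)
    return {host: sorted(techs) for host, techs in found.items()}


def suspicious_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct stages of the chain fired."""
    return sorted(h for h, t in analyze(events).items() if len(t) >= min_stages)


# Constructed sample: one infected workstation (ws01) and one benign
# certutil use (ws02) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Users\alice\AppData\Local\Temp\gosia.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\expand.exe",
     "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe -F:* o423DFDS4.tmp C:\Users\alice\AppData\Local\Temp"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"EventID": 11, "Host": "ws01",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks /create /tn officeupdate /tr officeupdate.exe /sc onlogon"},
    {"EventID": "proxy", "Host": "ws01", "Method": "POST", "Dest": "goodhk.azurewebsites.net"},
    {"EventID": 1, "Host": "ws02", "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -verify server.cer"},
]

if __name__ == "__main__":
    for host, techniques in analyze(SAMPLE_EVENTS).items():
        print(host, techniques)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring several distinct stages per host (the default is three) keeps a lone certutil -decode or a single Startup-folder write from paging anyone; the renamed-certutil rule alone is a good hunting query but is noisy on hosts where administrators copy tools around.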
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic               | ID    | Name                                    | Details
Execution            | T1059 | Command-Line Interface                  | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution            | T1106 | Execution through API                   | Application (AcroRd32.exe) launched itself
Execution            | T1053 | Scheduled Task                          | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution            | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Execution            | T1204 | User Execution                          | Manual execution by user (opening LNK file)
Persistence          | T1060 | Registry Run Keys / Startup Folder      | Writes to a start menu file (Officeupdate.exe)
Persistence          | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion      | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Defense Evasion      | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery            | T1012 | Query Registry                          | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery            | Reads the machine GUID from the registry
Discovery            | T1016 | System Network Configuration Discovery  | Uses IPCONFIG.EXE to discover IP address
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 950 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 951 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 952 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 953 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 954 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 955 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 956 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 957 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 958 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 959 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 960 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 961 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 962 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 963 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
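As an added example (not code from this post or from Malwarebytes), the Python rules below turn the LNK command list above into checks over process-creation telemetry: a copy of certutil.exe under another name, a running binary whose PE version information still says CertUtil.exe, a certutil -decode of a .tmp file, expand.exe -F:* on a .tmp file, and wscript.exe running a .js from C:\Users\Public\Downloads. The event schema (Image, CommandLine, OriginalFileName) is an assumption modelled loosely on Sysmon process-creation events, the sample events are constructed, and the rule names, evaluate and chain_detected are this example's own; the ATT&CK IDs attached to each rule are taken from the post's table.

```python
"""Detection rules for the LNK command chain described above.

Added example, not the authors' or Malwarebytes' code. The event schema
(Image, CommandLine, OriginalFileName) is an assumption modelled loosely on
Sysmon process-creation events, and the sample events below are constructed
for this example, not telemetry captured from the Higaisa samples.
"""
import re
from pathlib import PureWindowsPath

PUBLIC_DOWNLOADS = r"C:\Users\Public\Downloads"  # drop directory named in the post


def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _parent(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def copy_certutil_under_new_name(ev):
    """cmd.exe copying certutil.exe (the post notes a *ertu*.exe wildcard) to another name."""
    if _name(ev["Image"]) != "cmd.exe":
        return False
    m = re.search(r"copy\s+(\S*ertu\S*\.exe)\s+(\S+)", ev["CommandLine"], re.I)
    return m is not None and _name(m.group(2)) != "certutil.exe"


def renamed_certutil(ev):
    """An image whose PE version info says CertUtil.exe while its file name says otherwise (gosia.exe)."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and _name(ev["Image"]) != "certutil.exe")


def certutil_decode_of_tmp(ev):
    """certutil, under any file name, Base64-decoding a .tmp file."""
    cl = ev["CommandLine"].lower()
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and "-decode" in cl and ".tmp" in cl)


def expand_tmp_cab(ev):
    """expand.exe -F:* unpacking an archive that was written with a .tmp extension."""
    cl = ev["CommandLine"].lower()
    return _name(ev["Image"]) == "expand.exe" and "-f:*" in cl and ".tmp" in cl


def wscript_from_public_downloads(ev):
    """wscript.exe running a .js file that lives in the Public Downloads folder."""
    if _name(ev["Image"]) != "wscript.exe":
        return False
    m = re.search(r'"?([a-z]:\\[^"]+?\.js)"?', ev["CommandLine"], re.I)
    return m is not None and _parent(m.group(1)) == PUBLIC_DOWNLOADS.lower()


# (rule name, predicate, ATT&CK IDs from the post's table)
RULES = [
    ("copy_certutil_under_new_name", copy_certutil_under_new_name, ["T1059"]),
    ("renamed_certutil", renamed_certutil, ["T1140"]),
    ("certutil_decode_of_tmp", certutil_decode_of_tmp, ["T1140"]),
    ("expand_tmp_cab", expand_tmp_cab, ["T1140"]),
    ("wscript_from_public_downloads", wscript_from_public_downloads, ["T1064"]),
]


def evaluate(events):
    """One hit per (event, rule) match, in event order then rule order."""
    return [{"index": i, "rule": name, "attack": ids}
            for i, ev in enumerate(events)
            for name, pred, ids in RULES if pred(ev)]


def chain_detected(events, min_stages=3):
    """Each rule alone is noisy (admins do run certutil -decode); alert when several distinct stages fire on one host."""
    return len({h["rule"] for h in evaluate(events)}) >= min_stages


# Constructed sample telemetry: one event per stage of the chain plus a benign certutil run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify server.cer"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\*ertu*.exe gosia.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": "expand.exe o423DFDS4.tmp -F:* ."},
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("chain:", chain_detected(SAMPLE_EVENTS))
```

The renamed-certutil rule relies on the OriginalFileName field, which comes from the PE version resource and survives the copy to gosia.exe; the individual rules are deliberately broad, and chain_detected is where the post's observation about chained techniques turns into a low-noise alert.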
Running each of the two LNK files would show a different decoy document.

JS file

The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 999 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1000 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1001 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1002 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1003 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1004 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1005 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1006 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1007 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1008 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1009 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware.
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
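The command chain above relies on living-off-the-land binaries whose process names have been changed (certutil copied to gosia.exe) or whose arguments do the unpacking (expand.exe -F:*, wscript on a script in C:\Users\Public\Downloads). The following is an added example, not code from the Malwarebytes post, showing how a defender can detect that chain from process-creation telemetry without depending on the file name: a renamed certutil copy keeps its PE version resource, so the OriginalFileName field still reads CertUtil.exe. The field names follow Sysmon's Event ID 1 (ProcessCreate) schema; the events, paths and command lines are constructed for the example from the file names in the post and are not captured telemetry.

```python
import ntpath

# Constructed Sysmon-style ProcessCreate records (Event ID 1). The paths and
# command lines are illustrative, built from the names in the post.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'ParentImage': r'C:\Program Files\WinRAR\WinRAR.exe',
     'CommandLine': 'cmd.exe /c (LNK command chain, omitted here)'},
    {'Image': r'C:\Users\victim\AppData\Local\Temp\gosia.exe',
     'OriginalFileName': 'CertUtil.exe',          # survives the rename to gosia.exe
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': 'gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp'},
    {'Image': r'C:\Windows\System32\expand.exe', 'OriginalFileName': 'expand.exe',
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': 'expand.exe -F:* o423DFDS4.tmp .'},
    {'Image': r'C:\Windows\System32\wscript.exe', 'OriginalFileName': 'wscript.exe',
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js'},
    # Benign control: certutil run under its own name for a routine task.
    {'Image': r'C:\Windows\System32\certutil.exe', 'OriginalFileName': 'CertUtil.exe',
     'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': 'certutil.exe -verify mycert.cer'},
]


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the names of the detection rules a single process-creation event matches."""
    hits = []
    image = _base(ev.get('Image', ''))
    parent = _base(ev.get('ParentImage', ''))
    original = ev.get('OriginalFileName', '').lower()
    cmdline = ev.get('CommandLine', '').lower()

    # Renamed certutil: the copy keeps the PE version resource, so
    # OriginalFileName still says CertUtil.exe while the image is gosia.exe.
    if original == 'certutil.exe' and image != 'certutil.exe':
        hits.append('renamed_certutil')
    # certutil -decode turning a text blob into a binary (T1140), whatever the name.
    if original == 'certutil.exe' and '-decode' in cmdline:
        hits.append('certutil_decode')
    # expand.exe -F:* unpacking a CAB (T1140).
    if image == 'expand.exe' and '-f:*' in cmdline:
        hits.append('expand_cab')
    # A script host running a script out of C:\Users\Public (T1064).
    if image in ('wscript.exe', 'cscript.exe') and '\\users\\public\\' in cmdline:
        hits.append('script_from_public')
    # cmd.exe spawned by the archiver: the LNK was launched from inside the RAR (T1204).
    if image == 'cmd.exe' and parent == 'winrar.exe':
        hits.append('cmd_from_archiver')
    return hits


def analyze(events):
    """Map the index of every matching event to its rule hits; silent events are omitted."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == '__main__':
    for idx, rules in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]['CommandLine'], '->', ', '.join(rules))
```

The benign control event shows why the rules key on OriginalFileName plus arguments rather than on the process name alone: certutil verifying a certificate under its real name triggers nothing, while the same binary renamed and run with -decode triggers twice.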
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the result of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
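The JS stage leaves three observable traces that rarely occur together on a healthy workstation: an executable written into a Startup folder by a script host, a scheduled task pointing at that file, and the script host itself opening an outbound connection for the POST. The following is an added example, not code from the Malwarebytes post, that correlates those traces per host and scores them. The event types (FileCreate, TaskCreated, NetworkConnect), the timestamps, host names, paths and the signal weights are this example's own constructed assumptions; the domain in the network event is one of the C2 domains listed in the post.

```python
import ntpath

STARTUP_MARKER = '\\start menu\\programs\\startup\\'
SCRIPT_HOSTS = ('wscript.exe', 'cscript.exe')

# Signal name -> weight. The weights are this example's choice, not from the post.
WEIGHTS = {
    'exe_written_to_startup': 1,        # T1060: any .exe landing in a Startup folder
    'startup_write_by_script_host': 2,  # ...written by wscript/cscript, as the JS does
    'task_runs_startup_exe': 2,         # T1053: a scheduled task pointing at that file
    'script_host_network': 2,           # the script host beaconing out (the POST step)
}

# Constructed events modelled on the JS behaviour described in the post.
SAMPLE_EVENTS = [
    {'ts': '2020-05-29T10:02:11', 'host': 'WS01', 'type': 'FileCreate',
     'Image': r'C:\Windows\System32\wscript.exe',
     'TargetFilename': r'C:\Users\Public\Downloads\d3reEW.exe'},
    {'ts': '2020-05-29T10:02:12', 'host': 'WS01', 'type': 'FileCreate',
     'Image': r'C:\Windows\System32\wscript.exe',
     'TargetFilename': r'C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe'},
    {'ts': '2020-05-29T10:02:13', 'host': 'WS01', 'type': 'TaskCreated',
     'Command': r'C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe'},
    {'ts': '2020-05-29T10:02:15', 'host': 'WS01', 'type': 'NetworkConnect',
     'Image': r'C:\Windows\System32\wscript.exe',
     'DestinationHostname': 'sixindent.epizy.com', 'DestinationPort': 80},
    # Benign control on another host: an installer drops an agent into Startup,
    # but no script host is involved and nothing else follows.
    {'ts': '2020-05-29T11:40:00', 'host': 'WS02', 'type': 'FileCreate',
     'Image': r'C:\Users\admin\Downloads\setup.exe',
     'TargetFilename': r'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VendorAgent.exe'},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def signals_for(ev):
    """Return the signal names that one event contributes."""
    kind = ev['type']
    out = []
    if kind == 'FileCreate':
        target = ev['TargetFilename'].lower()
        if STARTUP_MARKER in target and target.endswith('.exe'):
            out.append('exe_written_to_startup')
            if _base(ev['Image']) in SCRIPT_HOSTS:
                out.append('startup_write_by_script_host')
    elif kind == 'TaskCreated':
        if STARTUP_MARKER in ev['Command'].lower():
            out.append('task_runs_startup_exe')
    elif kind == 'NetworkConnect':
        if _base(ev['Image']) in SCRIPT_HOSTS:
            out.append('script_host_network')
    return out


def correlate(events, threshold=4):
    """Aggregate distinct signals per host, in time order, and flag hosts at or above the threshold."""
    hosts = {}
    for ev in sorted(events, key=lambda e: e['ts']):
        entry = hosts.setdefault(ev['host'], {'signals': [], 'score': 0})
        for sig in signals_for(ev):
            if sig not in entry['signals']:      # count each signal once per host
                entry['signals'].append(sig)
                entry['score'] += WEIGHTS[sig]
    for entry in hosts.values():
        entry['suspicious'] = entry['score'] >= threshold
    return hosts


if __name__ == '__main__':
    for host, entry in correlate(SAMPLE_EVENTS).items():
        print(host, entry['score'], entry['suspicious'], entry['signals'])
```

A single Startup-folder write scores low on purpose, since installers do that legitimately; it is the combination with a scheduled task and a beaconing script host that pushes WS01 over the threshold while WS02 stays below it.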
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
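The indicators above are published defanged ([.] in place of .), so they have to be refanged before they can be matched, and a naive substring match would also fire on look-alike host names that merely contain a C2 domain. The following is an added example, not code from the Malwarebytes post, that sweeps constructed DNS/proxy log lines and a constructed file inventory against the post's own hashes and network IOCs, anchoring each network IOC so that superstrings do not match. The hashes and defanged indicators are copied from the post; the log lines, host names, timestamps and inventory paths are made up for the example.

```python
import re

# Network IOCs copied from the post, defanged exactly as published.
DEFANGED_IOCS = [
    'sixindent[.]epizy[.]com',
    'goodhk[.]azurewebsites[.]net',
    'zeplin[.]atwebpages[.]com',
    '45.76.6[.]149',
    'www.comcleanner[.]info',
]

# SHA-256 file IOCs copied from the post, keyed by hash.
FILE_HASHES = {
    'df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d': 'CV_Colliers.rar',
    'c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04': 'Project link and New copyright policy.rar',
    '50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9': 'Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk',
    '1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81': 'Tokbox icon – Odds and Ends – iOS – Zeplin.lnk',
    'c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b': 'International English Language Testing System certificate.pdf.lnk',
    'dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6': 'Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk',
    'c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5': 'Conversations – iOS – Swipe Icons – Zeplin.lnk',
}

# Constructed log lines (not real telemetry). Line 4 is a look-alike that must not match.
SAMPLE_LOG = [
    'ts=2020-06-01T08:15:02Z host=WS01 proto=dns qname=sixindent.epizy.com qtype=A',
    'ts=2020-06-01T08:15:09Z host=WS02 proto=dns qname=login.microsoftonline.com qtype=A',
    'ts=2020-06-01T08:16:40Z host=WS03 proto=tcp dst=45.76.6.149:443 action=allowed',
    'ts=2020-06-01T08:17:01Z host=WS04 proto=dns qname=notsixindent.epizy.com qtype=A',
    'ts=2020-06-01T08:18:22Z host=WS01 proto=http method=POST url=http://goodhk.azurewebsites.net/ bytes=1842',
]

# Constructed file inventory: one archive from the post's IOC list and one unrelated file.
SAMPLE_INVENTORY = [
    {'path': r'C:\Users\victim\Downloads\CV_Colliers.rar',
     'sha256': 'df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d'},
    {'path': r'C:\Users\victim\Downloads\report.pdf',
     'sha256': '0' * 64},   # placeholder hash, not an IOC
]


def refang(indicator):
    """Turn a defanged indicator ('[.]') back into its matchable form."""
    return indicator.replace('[.]', '.')


def compile_ioc_patterns(defanged):
    """One anchored, case-insensitive regex per network IOC.

    The look-around assertions refuse a match when the IOC is preceded or
    followed by a host-name character, so 'notsixindent.epizy.com' does not
    trigger the 'sixindent.epizy.com' indicator.
    """
    return {
        ioc: re.compile(r'(?<![\w.-])' + re.escape(refang(ioc)) + r'(?![\w.-])', re.IGNORECASE)
        for ioc in defanged
    }


def sweep_logs(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, defanged_ioc) pairs for every log line that touches a C2 host."""
    patterns = compile_ioc_patterns(defanged)
    hits = []
    for number, line in enumerate(lines, 1):
        for ioc, pattern in patterns.items():
            if pattern.search(line):
                hits.append((number, ioc))
    return hits


def sweep_hashes(inventory, known=FILE_HASHES):
    """Return (path, ioc_file_name) pairs for inventory entries whose SHA-256 is a known IOC."""
    return [(item['path'], known[item['sha256'].lower()])
            for item in inventory if item['sha256'].lower() in known]


if __name__ == '__main__':
    for number, ioc in sweep_logs(SAMPLE_LOG):
        print('log line', number, 'matches', ioc)
    for path, name in sweep_hashes(SAMPLE_INVENTORY):
        print(path, 'is', name)
```

Keeping the defanged form as the dictionary key means a hit can be reported exactly as the indicator was published, which makes cross-referencing against the original advisory easier during triage.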
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1049 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1050 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1051 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1052 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1053 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1054 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1055 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1056 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1057 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1058 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1059 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1060 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy “certutil.exe” to “gosia.exe” (the wildcard “*ertu*.exe” is used so that the string “certutil” never appears on the command line, to bypass detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
Copy “66DF3DFG.tmp” and “34fDKfSD38.js” into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
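The LNK stage above works because the shortcut carries both halves of the attack: the command chain lives in the shortcut's argument string, and the base64 payload is appended after the shortcut structure, where findstr can carve it back out. As an added example that is not part of the original post or Malwarebytes' tooling, the following Python walks the MS-SHLLINK layout to recover the argument string and the bytes trailing the terminal ExtraData block, flags the certutil-rename, findstr, -decode, expand.exe and wscript traits, and checks whether the appended blob decodes to a CAB (MSCF magic). The indicator regexes, the synthetic shortcut built by build_test_lnk() and the TEST_ARGS command line are constructed for this example; the post does not reproduce the shortcuts' exact command lines.

```python
"""Parse a Windows shortcut (MS-SHLLINK) and flag the certutil/findstr/expand chain.
Added example: the shortcut built by build_test_lnk() is synthetic, not a campaign file."""
import base64
import re
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which structures follow the header
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Traits of the LNK stage described in the post; the regexes are ours, not a vendor signature
INDICATORS = (
    (r"copy\b.*\*ertu\*\.exe", "certutil.exe copied under another name via the *ertu*.exe wildcard"),
    (r"\bfindstr\b", "findstr used to carve a blob out of the shortcut file"),
    (r"-decode\b", "certutil -decode of the carved base64 blob"),
    (r"\bexpand(\.exe)?\b.*-F:", "expand.exe unpacking a CAB"),
    (r"\bwscript\b", "wscript launching a dropped script"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus any bytes trailing the terminal ExtraData block."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:        # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, field in STRING_FIELDS:          # CountCharacters (u16) + chars, fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[field] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[field] = data[pos:pos + count].decode("cp1252", errors="replace")
                pos += count
    while pos + 4 <= len(data):               # ExtraData blocks; a BlockSize < 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    out["trailing"] = data[pos:]              # anything after the shortcut proper
    return out


def assess_lnk(data: bytes) -> dict:
    """Which chain steps appear in the arguments, and does an appended base64 blob decode to a CAB?"""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    hits = [label for pattern, label in INDICATORS if re.search(pattern, args, re.IGNORECASE)]
    blob = re.search(rb"[A-Za-z0-9+/=\r\n]{64,}", info["trailing"])
    embedded_cab = False
    if blob:
        try:
            embedded_cab = base64.b64decode(blob.group(0)).startswith(b"MSCF")
        except ValueError:                    # binascii.Error: bad padding, not really base64
            pass
    return {"arguments": args, "indicators": hits, "trailing_bytes": len(info["trailing"]),
            "embedded_cab": embedded_cab, "suspicious": embedded_cab or len(hits) >= 3}


def build_test_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Construct a minimal shortcut (header + Arguments + terminal block) for testing."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", HAS_ARGUMENTS | IS_UNICODE, 0x20)   # LinkFlags, FileAttributes
    header += bytes(24)                                               # three zero FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 7, 0, 0, 0, 0)            # FileSize..Reserved3, ShowCommand=7
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended


# Constructed command line modelled on the steps listed in the post; not the real one
TEST_ARGS = ("/c copy %windir%\\System32\\*ertu*.exe %TEMP%\\gosia.exe & "
             "findstr /b TVNDRg %TEMP%\\g4ZokyumB2DC4.tmp > %TEMP%\\cSi1rouy4.tmp & "
             "%TEMP%\\gosia.exe -decode %TEMP%\\cSi1rouy4.tmp %TEMP%\\o423DFDS4.tmp & "
             "expand %TEMP%\\o423DFDS4.tmp -F:* %TEMP% & wscript C:\\Users\\Public\\Downloads\\dropped.js")


def demo() -> dict:
    """Assess the synthetic shortcut with a base64 blob (fake CAB header) appended."""
    blob = base64.b64encode(b"MSCF" + bytes(60))
    return assess_lnk(build_test_lnk(TEST_ARGS, blob))
```

Calling demo() returns a report with all five indicators, embedded_cab set and suspicious set; the same assess_lnk() works on a real .lnk read from disk, and the trailing-bytes count alone is a cheap triage signal, since a legitimate shortcut ends at its terminal block.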
Running each LNK file shows a different decoy document.

JS file

The JavaScript file performs the following commands:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
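The JS stage described above leaves three correlated traces on a host: a copy of svchast.exe written to the Startup folder as officeupdate.exe, a scheduled task for it, and a POST carrying the ipconfig output to one of the C2 hosts in the IOC list. As an added example that is not from the original post or Malwarebytes, the following Python runs those behaviours and the published indicators over constructed Sysmon-style events and reports a host only when two distinct behaviours line up or a listed C2 is contacted. The event shapes and field names are assumptions, SAMPLE_EVENTS are constructed, and the post only says officeupdate.exe is "added to scheduled tasks", so the rule accepts either taskschd.dll loaded by the script host or schtasks /create spawned by it.

```python
"""Correlate host telemetry for the JS stage: Startup-folder drop of officeupdate.exe,
Task Scheduler registration, ipconfig collection and a POST to a listed C2.
Added example; SAMPLE_EVENTS are constructed Sysmon-style records, not a capture."""
import ntpath
import re
from collections import defaultdict

# Indicators from the post, kept in the defanged form in which they were published
C2_IPCONFIG_EXFIL = ("sixindent[.]epizy[.]com", "goodhk[.]azurewebsites[.]net", "zeplin[.]atwebpages[.]com")
C2_SVCHAST = ("45.76.6[.]149", "www.comcleanner[.]info")


def refang(indicator: str) -> str:
    """Turn the published '[.]' notation back into a matchable host string."""
    return indicator.replace("[.]", ".").lower()


C2_HOSTS = {refang(i) for i in C2_IPCONFIG_EXFIL + C2_SVCHAST}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PUBLIC_DL_RE = re.compile(r"^C:\\Users\\Public\\Downloads\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def is_script_host(image: str) -> bool:
    return ntpath.basename(image).lower() in SCRIPT_HOSTS


# Each rule inspects one event and returns a finding string, or None when it does not apply
def rule_startup_drop(e):
    if e["type"] == "file" and STARTUP_RE.search(e["path"]) and is_script_host(e["image"]):
        return f"script host wrote {ntpath.basename(e['path'])} to the Startup folder"

def rule_task_registration(e):
    # Assumption: registration goes through the Task Scheduler COM interface (taskschd.dll)
    # or through schtasks.exe; the post does not say which, so both are covered
    if e["type"] == "imageload" and is_script_host(e["image"]) \
            and ntpath.basename(e["loaded"]).lower() == "taskschd.dll":
        return "script host loaded taskschd.dll (Task Scheduler COM interface)"
    if e["type"] == "process" and ntpath.basename(e["image"]).lower() == "schtasks.exe" \
            and "/create" in e["cmdline"].lower() and is_script_host(e["parent"]):
        return "schtasks /create spawned by a script host"

def rule_public_downloads_exec(e):
    if e["type"] == "process" and PUBLIC_DL_RE.match(e["image"]) and is_script_host(e["parent"]):
        return f"script host launched {ntpath.basename(e['image'])} from C:\\Users\\Public\\Downloads"

def rule_ipconfig_from_script(e):
    if e["type"] == "process" and is_script_host(e["parent"]) and re.search(r"\bipconfig\b", e["cmdline"], re.I):
        return "script host ran ipconfig (network configuration collected for exfiltration)"

def rule_c2_contact(e):
    if e["type"] != "network":
        return None
    if e["dest_host"].lower() in C2_HOSTS:
        return f"connection to published C2 {e['dest_host']}"
    if e.get("method") == "POST" and is_script_host(e["image"]):
        return f"HTTP POST from a script host to {e['dest_host']}"

RULES = (rule_startup_drop, rule_task_registration, rule_public_downloads_exec,
         rule_ipconfig_from_script, rule_c2_contact)


def hunt(events) -> dict:
    """Group findings per host; report a host when two distinct behaviours line up or a C2 is hit."""
    findings = defaultdict(list)
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                findings[e["host"]].append(msg)
    return {h: f for h, f in findings.items()
            if len(set(f)) >= 2 or any(m.startswith("connection to published C2") for m in f)}


WS = r"C:\Windows\System32\wscript.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed: WS01 follows the chain in the post, WS02 is a benign admin host
    {"host": "WS01", "type": "process", "image": WS, "parent": CMD, "cmdline": r"wscript C:\Users\Public\Downloads\dropped.js"},
    {"host": "WS01", "type": "process", "image": CMD, "parent": WS, "cmdline": "cmd /c ipconfig"},
    {"host": "WS01", "type": "process", "image": r"C:\Users\Public\Downloads\svchast.exe", "parent": WS, "cmdline": "svchast.exe"},
    {"host": "WS01", "type": "file", "image": WS, "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    {"host": "WS01", "type": "imageload", "image": WS, "loaded": r"C:\Windows\System32\taskschd.dll"},
    {"host": "WS01", "type": "network", "image": WS, "dest_host": "goodhk.azurewebsites.net", "dest_port": 443, "method": "POST"},
    {"host": "WS02", "type": "process", "image": CMD, "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd /c ipconfig"},
    {"host": "WS02", "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "www.example.com", "dest_port": 443, "method": "GET"},
]
```

hunt(SAMPLE_EVENTS) reports WS01 with five findings and stays silent on WS02, whose lone ipconfig is ordinary administration; the two-behaviour threshold is what keeps the ipconfig and Startup-folder rules from firing on their own, while a hit on a published C2 host is reported unconditionally.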
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1100 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1101 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1102 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1103 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1104 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1105 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1106 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1107 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1108 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1109 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1110 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1111 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1112 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1113 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1114 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1115 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1116 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1117 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1118 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1119 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1120 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1121 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1122 of 1874\n\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. 
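The LNK and JS stages above are built entirely from signed Windows binaries (certutil.exe copied to a new name, findstr.exe, expand.exe, wscript.exe, ipconfig.exe), so the useful detection signal is the combination of process, parent and command line rather than any one file. As an added example that is not code from the Malwarebytes post, the following Python script encodes those observables as rules over process-creation records and runs them against constructed sample events that mirror the chain; the Sysmon-style field names, the user profile path, the parent processes and the benign look-alike events are assumptions made for the sample, and the technique IDs are the ones the post's ATT&CK table uses.

```python
"""Flag the living-off-the-land steps of the Higaisa LNK chain in process-creation telemetry.

Added example, not code from the Malwarebytes post. Each record models the fields a
Sysmon Event ID 1 entry carries (Image, OriginalFileName, CommandLine, ParentImage);
user names, paths and the benign events are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    original_name: str  # PE OriginalFileName: survives a copy/rename on disk
    command_line: str
    parent_image: str


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def cmd_from_archiver(ev: ProcEvent) -> bool:
    """A shell spawned by WinRAR.exe is what opening a LNK inside a RAR looks like."""
    return _base(ev.image) == "cmd.exe" and _base(ev.parent_image) == "winrar.exe"


def renamed_certutil(ev: ProcEvent) -> bool:
    """The post's gosia.exe is certutil.exe under a new name; OriginalFileName gives it away."""
    return ev.original_name.lower() == "certutil.exe" and _base(ev.image) != "certutil.exe"


def expand_cab_to_temp(ev: ProcEvent) -> bool:
    """expand.exe -F:* writing into a user temp/AppData directory."""
    cmd = ev.command_line.lower()
    return _base(ev.image) == "expand.exe" and "-f:*" in cmd and ("\\appdata\\" in cmd or "%temp%" in cmd)


def script_from_public_downloads(ev: ProcEvent) -> bool:
    """wscript/cscript running a file out of C:\\Users\\Public\\Downloads."""
    return _base(ev.image) in ("wscript.exe", "cscript.exe") and "\\users\\public\\downloads\\" in ev.command_line.lower()


def ipconfig_from_script_host(ev: ProcEvent) -> bool:
    """cmd /c ipconfig with a script host as parent (the JS stage's reconnaissance)."""
    return (_base(ev.image) == "cmd.exe" and "ipconfig" in ev.command_line.lower()
            and _base(ev.parent_image) in ("wscript.exe", "cscript.exe"))


def exe_from_startup_folder(ev: ProcEvent) -> bool:
    """Any executable whose image sits in a Start Menu\\Programs\\Startup folder."""
    return "\\start menu\\programs\\startup\\" in ev.image.lower()


# Technique IDs as the post's ATT&CK table lists them (older ATT&CK numbering).
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1204", "cmd.exe spawned by WinRAR.exe (LNK opened from an archive)", cmd_from_archiver),
    ("T1140", "certutil.exe running under another file name", renamed_certutil),
    ("T1140", "expand.exe unpacking a CAB with -F:* into a temp directory", expand_cab_to_temp),
    ("T1064", "script host executing a file from C:\\Users\\Public\\Downloads", script_from_public_downloads),
    ("T1016", "cmd /c ipconfig spawned by a script host", ipconfig_from_script_host),
    ("T1060", "executable launched from a Startup folder", exe_from_startup_folder),
]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (event index, technique ID, description) for every rule an event trips."""
    return [(i, tid, desc) for i, ev in enumerate(events) for tid, desc, pred in RULES if pred(ev)]


TEMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed victim profile
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed; events 0-5 mirror the chain in the post, 6-8 are benign look-alikes
    ProcEvent(CMD, "Cmd.Exe", "cmd /c <copy, findstr, decode and expand commands from the LNK>",
              r"C:\Program Files\WinRAR\WinRAR.exe"),
    ProcEvent(TEMP + r"\gosia.exe", "CertUtil.exe", "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp", CMD),
    ProcEvent(r"C:\Windows\System32\expand.exe", "expand.exe", f"expand -F:* o423DFDS4.tmp {TEMP}", CMD),
    ProcEvent(r"C:\Windows\System32\wscript.exe", "wscript.exe",
              r"wscript C:\Users\Public\Downloads\34fDKfSD38.js", CMD),
    ProcEvent(CMD, "Cmd.Exe", "cmd /c ipconfig", r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe",
              "", "officeupdate.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe", "certutil -verify cert.cer",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe", "expand.exe",
              r"expand -F:* C:\Windows\Installer\setup.cab C:\Program Files\Contoso", r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", "wscript.exe", r"wscript \\corp.example\netlogon\logon.vbs",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, tid, desc in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {desc}")
```

The renamed-certutil rule is the one worth copying into real tooling: copying certutil.exe to gosia.exe (or mosia.exe in the March campaign) changes the image name the wildcard copy was designed to hide, but not the OriginalFileName in the PE version resource, so a rule that matches on the image name alone misses exactly the case the post describes. The three benign events show why each rule also needs its parent or destination qualifier; a bare "expand.exe -F:*" or "wscript.exe" match would page on installers and logon scripts all day.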
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1148 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1149 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1150 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1151 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1152 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1153 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1154 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1155 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1156 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1157 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1158 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1159 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1160 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1161 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.
Distribution\r\nThe threat actors used a malicious LNK file bundled within an archive file, which was most likely distributed via spear-phishing.\r\nWe were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.
LNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” (“*ertu*.exe” is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\\Users\\Public\\Downloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive execute similar commands with different Command and Control (C\u0026C) configurations. Running each of them would show a different decoy document.
JS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:\\Users\\Public\\Downloads” and store the output of “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe\r\nSvchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.\r\nThe final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.\r\nFinally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C server.\r\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs\r\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info
MITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Details\r\nExecution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution\r\nExecution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself\r\nExecution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)\r\nExecution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)\r\nExecution | T1204 | User Execution | Manual execution by user (opening LNK file)\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)\r\nPersistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)\r\nPrivilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)\r\nDefense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file\r\nDiscovery | T1012 | Query Registry | Reads the machine GUID from the registry\r\nDiscovery | T1082 | System Information Discovery | Reads the machine GUID from the registry\r\nDiscovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1197 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1198 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1199 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1200 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1201 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1202 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1203 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1204 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1205 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1206 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1207 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1208 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1209 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1210 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1211 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1212 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1213 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1214 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1215 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1216 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy “certutil.exe” to “gosia.exe” (the source is referenced with the wildcard pattern “*ertu*.exe”, so the string “certutil” never appears on the command line; this is meant to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
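The unpack step above (findstr, certutil -decode, expand.exe) can be reproduced offline for triage, without running the shortcut. The following Python script is an added example written for this page, not code from the post or from the Higaisa toolset: it locates the base64 blob appended to a shortcut, decodes it the way certutil -decode does, checks that the result is a Microsoft Cabinet and walks the CFFILE entries to list what expand.exe -F:* would drop. The sample shortcut and cabinet are constructed inline (header-only, no file data) and are not a valid LNK; the findstr pattern (the base64 form of the CAB signature) is this example's own assumption, since the post does not give it; and “decoy.pdf” is a placeholder for the decoy document, whose file name the post does not state.

```python
import base64
import re
import struct

CAB_SIGNATURE = b"MSCF"
# base64 of b"MSCF\x00\x00": every base64-encoded CAB starts with this text.
# ASSUMPTION: the post does not give the pattern the LNK passes to findstr;
# searching for the encoded CAB signature is this example's own choice.
B64_CAB_PREFIX = "TVNDRgAA"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def build_sample_cab(names):
    """CONSTRUCTED header-only CAB (CFHEADER + one CFFOLDER + CFFILE entries,
    no CFDATA blocks): enough for a directory listing, not for extraction."""
    cffolder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress=NONE
    cffiles = b""
    for name in names:
        # cbFile, uoffFolderStart, iFolder, date, time, attribs, then szName\0
        cffiles += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + name.encode() + b"\x00"
    coff_files = 36 + len(cffolder)  # CFHEADER is 36 bytes without reserve fields
    cb_cabinet = coff_files + len(cffiles)
    cfheader = (
        CAB_SIGNATURE
        + struct.pack("<IIII", 0, cb_cabinet, 0, coff_files)  # reserved1, cbCabinet, reserved2, coffFiles
        + struct.pack("<IBBHHHHH", 0, 3, 1, 1, len(names), 0, 0, 0)  # reserved3, v1.3, cFolders, cFiles, flags, setID, iCabinet
    )
    return cfheader + cffolder + cffiles


def build_sample_lnk(names):
    """CONSTRUCTED stand-in for the malicious shortcut: a shortcut-like binary
    prefix followed by the CAB appended as certutil-style 64-column base64.
    Not a valid LNK; only the 'binary, then base64 blob' layout matters here."""
    lnk_header = b"\x4c\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    junk = bytes(range(0x20, 0x7F)) * 2 + b"\x00" * 16
    b64 = base64.b64encode(build_sample_cab(names)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return lnk_header + junk + b"\r\n" + "\r\n".join(lines).encode() + b"\r\n"


def extract_base64_blob(lnk_bytes):
    """What findstr + certutil -decode do in the chain, done offline: take the
    run of base64 lines that starts at the encoded CAB signature and decode it."""
    lines = [ln.strip() for ln in re.split(r"\r\n|\n", lnk_bytes.decode("latin-1"))]
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith(B64_CAB_PREFIX))
    except StopIteration:
        raise ValueError("no base64-encoded CAB found in shortcut")
    chunk = []
    for ln in lines[start:]:
        if not B64_LINE.match(ln):  # findstr output ends where the base64 run ends
            break
        chunk.append(ln)
    return base64.b64decode("".join(chunk), validate=True)


def list_cab_files(blob):
    """Parse CFHEADER/CFFILE and return the names expand.exe -F:* would drop.
    Raises ValueError if the decoded blob is not a cabinet."""
    if blob[:4] != CAB_SIGNATURE:
        raise ValueError("decoded blob is not a CAB (signature %r)" % blob[:4])
    coff_files, = struct.unpack_from("<I", blob, 16)   # offset of first CFFILE
    c_files, flags = struct.unpack_from("<HH", blob, 28)
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: variable-size fields this example does not model
        raise ValueError("CAB with reserve fields not supported by this example")
    names, pos = [], coff_files
    for _ in range(c_files):
        pos += 16  # skip the fixed CFFILE fields; szName follows, NUL-terminated
        end = blob.index(b"\x00", pos)
        names.append(blob[pos:end].decode("latin-1"))
        pos = end + 1
    return names


def triage(lnk_bytes):
    """Offline reproduction of the shortcut's own unpack step."""
    blob = extract_base64_blob(lnk_bytes)
    return {"cab_size": len(blob), "files": list_cab_files(blob)}


if __name__ == "__main__":
    sample = build_sample_lnk(["66DF3DFG.tmp", "34fDKfSD38.js", "decoy.pdf"])
    print(triage(sample))
```

On a real sample, feed the raw .lnk bytes to triage(); a shortcut that yields no encoded cabinet, or a blob that fails the signature check, is the first sign the variant differs from the chain described here.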
Running each of the two LNK files would show a different decoy document.

JS file

The JavaScript file performs the following actions:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it to “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic                ID     Name                                      Details
Execution             T1059  Command-Line Interface                    Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution             T1106  Execution through API                     Application (AcroRd32.exe) launched itself
Execution             T1053  Scheduled Task                            Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution             T1064  Scripting                                 Executes scripts (34fDFkfSD38.js)
Execution             T1204  User Execution                            Manual execution by user (opening LNK file)
Persistence           T1060  Registry Run Keys / Startup Folder        Writes to a start menu file (Officeupdate.exe)
Persistence           T1053  Scheduled Task                            Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation  T1053  Scheduled Task                            Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion       T1064  Scripting                                 Executes scripts (34fDFkfSD38.js)
Defense Evasion       T1140  Deobfuscate/Decode Files or Information   certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery             T1012  Query Registry                            Reads the machine GUID from the registry
Discovery             T1082  System Information Discovery              Reads the machine GUID from the registry
Discovery             T1016  System Network Configuration Discovery    Uses IPCONFIG.EXE to discover IP address

Source: https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/
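Every technique in the table above is a living-off-the-land step that looks benign on its own (a copy, a certutil decode, an expand, a wscript launch, a scheduled task); the signal is the chain. The following Python detector is an added example written for this page, not a Malwarebytes or Sigma rule: it runs five checks derived from the post's command chain over process-creation events with Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine) and counts how many distinct stages were seen. The events are constructed here to mirror the chain with the post's file names; the exact command lines, the task name and the schtasks arguments are assumptions, since the post describes each step only in prose.

```python
import re
from typing import Callable, Dict, List, Tuple

# CONSTRUCTED sample process-creation events (Sysmon Event ID 1 style fields),
# not log lines from the post. The first five reproduce the chain the post
# describes; the last two are benign controls that must not fire.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy /y C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp"},
    {"Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe %TEMP%\o423DFDS4.tmp -F:* %TEMP%"},
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn Officeupdate /tr '
                    r'"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'},
    # benign controls
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify server.cer"},
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript C:\Scripts\logon.vbs"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def renamed_certutil_decode(e: Dict[str, str]) -> bool:
    """certutil identified by its PE OriginalFileName, running under another
    image name, with -decode on the command line (the gosia.exe / mosia.exe trick)."""
    return (e["OriginalFileName"].lower() == "certutil.exe"
            and basename(e["Image"]) != "certutil.exe"
            and "-decode" in e["CommandLine"].lower())


def wildcard_certutil_copy(e: Dict[str, str]) -> bool:
    """cmd.exe copying *ertu*.exe: the wildcard keeps 'certutil' off the command line."""
    return (basename(e["Image"]) == "cmd.exe"
            and re.search(r"copy\b.*\*ertu\*", e["CommandLine"], re.I) is not None)


def expand_tmp_cab(e: Dict[str, str]) -> bool:
    """expand.exe extracting everything (-F:*) from a .tmp file."""
    return (basename(e["Image"]) == "expand.exe"
            and re.search(r"\.tmp\b.*-f:\*", e["CommandLine"], re.I) is not None)


def script_host_from_public(e: Dict[str, str]) -> bool:
    """wscript/cscript running a script out of C:\\Users\\Public."""
    return (basename(e["Image"]) in ("wscript.exe", "cscript.exe")
            and re.search(r"c:\\users\\public\\", e["CommandLine"], re.I) is not None)


def task_into_startup_folder(e: Dict[str, str]) -> bool:
    """schtasks /create whose action lives in a Start Menu Startup folder."""
    return (basename(e["Image"]) == "schtasks.exe"
            and "/create" in e["CommandLine"].lower()
            and re.search(r"\\start menu\\programs\\startup\\", e["CommandLine"], re.I) is not None)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("T1140 renamed certutil -decode", renamed_certutil_decode),
    ("T1140 wildcard copy of certutil (*ertu*)", wildcard_certutil_copy),
    ("T1140 expand.exe -F:* on a .tmp file", expand_tmp_cab),
    ("T1064 script host running from C:\\Users\\Public", script_host_from_public),
    ("T1053 scheduled task pointing into a Startup folder", task_into_startup_folder),
]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, pred in RULES if pred(e)]


def chain_score(events: List[Dict[str, str]]) -> int:
    """Number of distinct chain stages seen on the host: each rule alone is a
    weak indicator, three or more together is the Higaisa-style chain."""
    return len({name for _, name in scan(events)})


if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
    print("distinct stages:", chain_score(EVENTS))
```

Stages are scored by distinct rule rather than by event count so that a noisy stage (many expand.exe runs from one installer) cannot by itself push a host over the threshold; in production the events would be grouped per host and per time window before scoring.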
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1245 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1246 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1247 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1248 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1249 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1250 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1251 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1252 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1253 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1254 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1255 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1256 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1257 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1258 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1259 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1260 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1261 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1262 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1263 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1264 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1265 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1266 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1267 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1268 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1269 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1270 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1271 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1272 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign it was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following commands:

Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space that makes HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
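The LNK and JS command chains described above leave a recognisable sequence in process-creation telemetry. The following is an added example, not code from the original post or from Malwarebytes: it assumes Sysmon-style process-creation records with Image, CommandLine and OriginalFileName fields, and runs five rules derived from the listed commands over a constructed event sequence (file names are from the analysis; the findstr pattern, the user profile path and the three-stage threshold are assumptions).

```python
"""Process-creation detections for the certutil/findstr/expand/wscript chain
described above. Added example: not code from the original post. The sample
events below are constructed; only the file names come from the analysis."""
import re
from pathlib import PureWindowsPath

# Each rule takes one Sysmon Event ID 1-style record (dict with Image,
# CommandLine, OriginalFileName) and returns True when it fires.
RULES = {}


def rule(name):
    """Register a detection rule under a stable name."""
    def register(fn):
        RULES[name] = fn
        return fn
    return register


def _image_name(event):
    return PureWindowsPath(event["Image"]).name.lower()


@rule("renamed_certutil")
def renamed_certutil(event):
    # gosia.exe / mosia.exe are copies of certutil.exe: the PE version resource
    # (OriginalFileName) still says CertUtil.exe even though the file was renamed.
    original = event.get("OriginalFileName", "").lower()
    return original == "certutil.exe" and _image_name(event) != "certutil.exe"


@rule("findstr_blob_to_tmp")
def findstr_blob_to_tmp(event):
    # The base64 blob is carved out of the LNK copy with findstr and redirected
    # to a .tmp file; the redirect is visible on the cmd.exe command line.
    return (_image_name(event) == "cmd.exe"
            and re.search(r"\bfindstr\b.*>\s*\S+\.tmp", event["CommandLine"], re.I) is not None)


@rule("decode_to_tmp")
def decode_to_tmp(event):
    # "<anything> -decode <in>.tmp <out>.tmp": certutil's base64 decode, whatever the image is called
    return re.search(r"-decode\s+\S+\.tmp\s+\S+\.tmp", event["CommandLine"], re.I) is not None


@rule("expand_tmp_cab")
def expand_tmp_cab(event):
    # expand.exe -F:* <file>.tmp: a CAB archive hidden behind a .tmp extension
    return (_image_name(event) == "expand.exe"
            and re.search(r"-F:\*\s+\S+\.tmp", event["CommandLine"], re.I) is not None)


@rule("wscript_public_downloads")
def wscript_public_downloads(event):
    # The dropped 34fDKfSD38.js is run by wscript out of C:\Users\Public\Downloads
    return (_image_name(event) == "wscript.exe"
            and "\\users\\public\\downloads\\" in event["CommandLine"].lower())


def evaluate(events):
    """Return {rule_name: [indices of matching events]} for every rule that fired."""
    hits = {}
    for index, event in enumerate(events):
        for name, fn in RULES.items():
            if fn(event):
                hits.setdefault(name, []).append(index)
    return hits


def chain_detected(events, minimum_stages=3):
    """Flag the chain when at least `minimum_stages` distinct rules fire.
    The threshold is an assumption: it tolerates renamed temp files and a
    missed event while still requiring more than one coincidental hit."""
    return len(evaluate(events)) >= minimum_stages


# Constructed sample: one infection sequence followed by a benign certutil run.
# File names are those reported in the analysis; the findstr pattern (base64
# prefix of the CAB magic "MSCF") and the user profile path are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd /c findstr /b "TVNDR" g4ZokyumB2DC4.tmp > cSi1rouy4.tmp'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe -F:* o423DFDS4.tmp C:\Users\victim\AppData\Local\Temp"},
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify cert.cer"},
]

if __name__ == "__main__":
    for name, indices in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{name}: events {indices}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The renamed-certutil rule is the durable one: the tmp names and the copy's name changed between the March and May campaigns, while OriginalFileName in the version resource did not.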
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1294 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1295 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1296 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1297 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1298 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1299 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1300 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1301 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1302 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1303 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1304 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1305 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1306 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1307 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1308 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1309 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1310 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1311 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1312 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1313 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1314 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1315 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1316 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1317 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1318 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1319 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1320 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1321 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1322 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1323 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1324 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1325 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1326 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1327 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1328 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1329 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1330 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1331 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1332 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
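The LNK stage above depends on a base64 blob appended to the shortcut: findstr locates it, the renamed certutil decodes it, and expand.exe unpacks the resulting CAB. That blob can be recovered statically, without running the shortcut. The following Python triage script is an added example and is not code from the Malwarebytes post; the Shell Link header constant is the real one from the LNK format, but the sample shortcut bytes are constructed here to mimic the layout the post describes (header, command text, then a wrapped base64 blob that decodes to a CAB), so no real sample or hash is embedded.

```python
"""Static triage of a shortcut (.lnk) that carries an appended base64 payload.

Added example (not from the post). The bytes returned by build_sample() are
constructed to mimic the described layout; they are not a real sample.
"""
import base64
import hashlib
import re

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER = (b"\x4c\x00\x00\x00"
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Magic bytes of the containers worth recognising once the blob is decoded.
MAGIC = {
    b"MSCF": "cab",      # Microsoft Cabinet: what "expand.exe -F:*" unpacks
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

# A run of base64 characters, optionally line-wrapped (certutil -decode accepts
# wrapped input), long enough to be a payload rather than an incidental word.
# The shortcut's own strings are UTF-16LE, so their NUL bytes break the run.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/][A-Za-z0-9+/=\r\n]{63,}")


def is_lnk(data: bytes) -> bool:
    """True when the buffer starts with the Shell Link header and CLSID."""
    return data[:len(LNK_HEADER)] == LNK_HEADER


def identify(blob: bytes) -> str:
    """Name the container by its leading magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def decode_run(run: bytes):
    """Strip wrapping, fix padding and decode; None if not real base64."""
    compact = re.sub(rb"[\r\n=]", b"", run)
    if len(compact) < 64:
        return None
    compact += b"=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def triage_lnk(data: bytes) -> dict:
    """Locate appended base64 blobs and report what each decodes to."""
    findings = []
    for m in BASE64_RUN.finditer(data):
        decoded = decode_run(m.group(0))
        if decoded is None:
            continue
        findings.append({
            "offset": m.start(),
            "encoded_len": m.end() - m.start(),
            "decoded_len": len(decoded),
            "kind": identify(decoded),
            "sha256": hashlib.sha256(decoded).hexdigest(),
        })
    return {"is_lnk": is_lnk(data), "blobs": findings}


def build_sample() -> bytes:
    """Constructed stand-in for the post's LNK: header, command text, blob."""
    # Placeholder CAB: real signature, zeroed header fields, dummy content.
    fake_cab = (b"MSCF" + b"\x00" * 32
                + b"decoy.pdf\x00payload.tmp\x00" + b"\x90" * 200)
    encoded = base64.b64encode(fake_cab)
    wrapped = b"\r\n".join(encoded[i:i + 64] for i in range(0, len(encoded), 64))
    commands = "cmd /c echo placeholder command text".encode("utf-16-le")
    return LNK_HEADER + b"\x00" * 44 + commands + b"\r\n" + wrapped + b"\r\n"


if __name__ == "__main__":
    for blob in triage_lnk(build_sample())["blobs"]:
        print(blob)
```

Run triage_lnk over each .lnk pulled from the archive; the kind and sha256 of the decoded blob are what to compare against the IOC list and to hand to the sandbox, and the offset tells you where the shortcut's legitimate structure ends and the payload begins.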
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
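Each step of the chain above (renamed certutil, expand.exe on a .tmp, Wscript running a script out of C:\Users\Public\Downloads, "cmd /c ipconfig" under the script host) is a weak signal on its own; together on one host they describe this campaign. The following Python detection logic is an added example, not code from the Malwarebytes post or from Malwarebytes. It evaluates rules over process-creation events constructed here in a Sysmon Event ID 1-like shape (Computer, Image, OriginalFileName, CommandLine, ParentImage); the hostnames, user paths and parent processes are assumptions, while the file names come from the post. The renamed-certutil rule keys on the binary's OriginalFileName rather than its image name, because the chain copies the genuine certutil.exe and that copy keeps certutil's version resource.

```python
"""Detection logic for the LNK -> certutil -> expand -> wscript -> ipconfig
chain described in the post, evaluated over process-creation events.

Added example, not code from the post. Events are constructed below in a
Sysmon Event ID 1-like shape; hostnames, paths and parents are assumptions.
"""
from collections import defaultdict
import ntpath


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_renamed_certutil(ev: dict) -> bool:
    # LNK step 2 copies certutil.exe to "gosia.exe", so image-name matching
    # misses it. The copy still carries certutil's version resource, which
    # Sysmon reports as OriginalFileName.
    return (ev["OriginalFileName"].lower() == "certutil.exe"
            and base(ev["Image"]) != "certutil.exe")


def rule_expand_tmp(ev: dict) -> bool:
    # LNK step 5: expand.exe -F:* unpacking a .tmp that is really a CAB.
    cl = ev["CommandLine"].lower()
    return base(ev["Image"]) == "expand.exe" and "-f:*" in cl and ".tmp" in cl


def rule_script_from_public_downloads(ev: dict) -> bool:
    # LNK step 7: Wscript running the JS dropped into C:\Users\Public\Downloads.
    cl = ev["CommandLine"].lower()
    return (base(ev["Image"]) in {"wscript.exe", "cscript.exe"}
            and "\\users\\public\\downloads\\" in cl)


def rule_ipconfig_via_script(ev: dict) -> bool:
    # JS step 1: "cmd /c ipconfig" spawned by the script host.
    return (base(ev["Image"]) == "cmd.exe"
            and "ipconfig" in ev["CommandLine"].lower()
            and base(ev["ParentImage"]) in {"wscript.exe", "cscript.exe"})


RULES = {
    "renamed_certutil": rule_renamed_certutil,
    "expand_tmp": rule_expand_tmp,
    "script_from_public_downloads": rule_script_from_public_downloads,
    "ipconfig_via_script": rule_ipconfig_via_script,
}


def evaluate(events) -> dict:
    """Map each host to the sorted names of the rules its events triggered."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["Computer"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def chain_verdict(events, min_stages: int = 3) -> dict:
    """Hosts on which enough distinct stages fired to call it the LNK chain.

    Any single rule is noisy (administrators do run expand.exe and wscript.exe);
    several stages on one host is what makes the chain stand out.
    """
    return {host: names for host, names in evaluate(events).items()
            if len(names) >= min_stages}


def sample_events() -> list:
    """Constructed events: one infected host (WS01) and one clean host (WS02)."""
    cmd = r"C:\Windows\System32\cmd.exe"
    wscript = r"C:\Windows\System32\wscript.exe"
    return [
        {"Computer": "WS01", "Image": r"C:\Users\bob\AppData\Local\Temp\gosia.exe",
         "OriginalFileName": "CertUtil.exe",
         "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp",
         "ParentImage": cmd},
        {"Computer": "WS01", "Image": r"C:\Windows\System32\expand.exe",
         "OriginalFileName": "expand.exe",
         "CommandLine": r"expand.exe -F:* o423DFDS4.tmp C:\Users\bob\AppData\Local\Temp",
         "ParentImage": cmd},
        {"Computer": "WS01", "Image": wscript, "OriginalFileName": "wscript.exe",
         "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"',
         "ParentImage": cmd},
        {"Computer": "WS01", "Image": cmd, "OriginalFileName": "Cmd.Exe",
         "CommandLine": "cmd /c ipconfig", "ParentImage": wscript},
        # Clean host: certutil and wscript used for ordinary purposes.
        {"Computer": "WS02", "Image": r"C:\Windows\System32\certutil.exe",
         "OriginalFileName": "CertUtil.exe",
         "CommandLine": "certutil.exe -verify server.cer", "ParentImage": cmd},
        {"Computer": "WS02", "Image": wscript, "OriginalFileName": "wscript.exe",
         "CommandLine": r"wscript.exe \\fs01\netlogon\logon.vbs",
         "ParentImage": r"C:\Windows\explorer.exe"},
    ]


if __name__ == "__main__":
    for host, stages in chain_verdict(sample_events()).items():
        print(host, "->", ", ".join(stages))
```

OriginalFileName is only trustworthy here because the attacker reuses the system's own certutil.exe; for attacker-built binaries the version resource is theirs to set, so pair this rule with a hash of the image against the known certutil.exe where your telemetry carries one.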
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1345 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1346 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1347 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1348 of 1874\n\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1349 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1350 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1351 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1352 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1353 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1354 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1355 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1356 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1357 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1358 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1359 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1360 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1361 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1362 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1363 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1364 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1365 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1366 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1367 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1368 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1369 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1370 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1371 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1372 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1373 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1374 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1375 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1376 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1377 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1378 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1379 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1380 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1381 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1382 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1383 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1384 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1385 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1386 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1387 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task | Uses Task Scheduler to run other applications (Officeupdate.exe)\r\nPrivilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)\r\nDefense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file\r\nDiscovery | T1012 | Query Registry | Reads the machine GUID from the registry\r\nDiscovery | T1082 | System Information Discovery | Reads the machine GUID from the registry\r\nDiscovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover the IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.\r\nWe were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. 
Here is the list of commands that will be executed:\r\nCopy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.\r\nCopy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the literal file name to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.\r\nDecompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).\r\nCopy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\\Users\\Public\\Downloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign it was “mosia.exe”.\r\nBoth LNK files embedded within the archive execute similar commands with different Command and Control (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:\\Users\\Public\\Downloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to the scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1445 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1446 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1447 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1448 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1449 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file that is ultimately responsible for a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file, which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
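To see where those two pieces sit inside a shortcut, here is an added example (ours, not code from the Malwarebytes post): a small Python walker over the MS-SHLLINK layout that reads the shortcut's argument string, flags tokens from the chain described below, and reports how many bytes are appended after the ExtraData terminal block, which is where an appended Base64 blob would live. The sample shortcut, its file names and its command line are constructed for the example and are not the campaign's real artifacts.

```python
"""Pull the command line and any appended trailing blob out of a Windows .lnk file.

Added example for this post (not Malwarebytes' code). It walks just enough of the
MS-SHLLINK layout (header, optional IDList and LinkInfo, StringData, ExtraData)
to reach COMMAND_LINE_ARGUMENTS and to measure whatever sits after the ExtraData
terminal block. The sample shortcut is constructed in-code; names are made up.
"""
import base64
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Tokens worth a second look in a shortcut's argument string (taken from the chain in the write-up)
SUSPICIOUS_TOKENS = ("certutil", "-decode", "findstr", "expand", "-f:*", "wscript", "cscript")


def _read_string(data, off, unicode):
    """StringData item: 2-byte character count, then the characters (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    width = 2 if unicode else 1
    raw = data[off:off + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), off + count * width


def parse_lnk(data):
    """Return the StringData fields plus the bytes that follow the ExtraData terminal block."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, unicode)
    # ExtraData: blocks prefixed by a 4-byte BlockSize; a size below 4 is the TerminalBlock
    while off + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, off)
        off += 4 if size < 4 else size
        if size < 4:
            break
    fields["trailing"] = data[off:]
    return fields


def triage(data):
    """Summarise what a defender wants first: the command line, odd tokens, appended data."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    lowered = args.lower()
    return {
        "arguments": args,
        "suspicious_tokens": [t for t in SUSPICIOUS_TOKENS if t in lowered],
        "trailing_bytes": len(info["trailing"]),
        "has_appended_payload": len(info["trailing"]) > 0,
    }


def build_lnk(arguments, working_dir="C:\\Windows\\System32", trailing=b""):
    """Construct a minimal Unicode shortcut (test input only; no IDList, no LinkInfo)."""
    flags = HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))   # attributes, timestamps, reserved: all zero

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    terminal = struct.pack("<I", 0)
    return header + item(working_dir) + item(arguments) + terminal + trailing


# Constructed sample: a command line shaped like the write-up's chain, plus a fake appended blob.
SAMPLE_ARGS = ('/c certutil -decode %TEMP%\\blob.tmp %TEMP%\\payload.tmp & '
               'expand.exe -F:* %TEMP%\\payload.tmp %TEMP% & '
               'wscript C:\\Users\\Public\\Downloads\\dropper.js')
SAMPLE_TRAILING = b"\r\n" + base64.b64encode(b"constructed sample, not a real payload " * 4)
SAMPLE_LNK = build_lnk(SAMPLE_ARGS, trailing=SAMPLE_TRAILING)
BENIGN_LNK = build_lnk("/c echo hello", working_dir="C:\\Users\\victim")

if __name__ == "__main__":
    print(triage(SAMPLE_LNK))
```

The useful signal for triage is the combination: an argument string that chains LOLBins and a non-zero trailing byte count after the terminal block, since a shortcut produced by Explorer ends at that block and carries nothing behind it.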
Here is the list of commands that will be executed:
Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
Decompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
Add “officeupdate.exe” to scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
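The ATT&CK table above reduces to a handful of process-level behaviours that endpoint telemetry can catch even when the file names change between campaigns (gosia.exe versus mosia.exe). The following is an added example, not Malwarebytes' detection logic: Python rules over constructed Sysmon-style process-creation records, one rule per stage the post describes (cmd.exe launched from WinRAR, a renamed certutil decoding a file, expand.exe extracting with -F:*, wscript running a script from C:\Users\Public, a binary executing from a Startup folder) and a chain-level alert when several of them fire together. The record fields, user paths and sample command lines are assumptions built for the example.

```python
"""Flag the LNK -> certutil -> expand -> wscript -> startup-folder chain in process telemetry.

Added example for this post, not Malwarebytes' detection logic. Events are a
constructed, minimal Sysmon-style record (parent image, image, OriginalFileName,
command line); field names, paths and sample values are assumptions, and the
rules only encode behaviours the write-up and its ATT&CK table describe.
"""
import re
from dataclasses import dataclass

PUBLIC_DIR = "c:\\users\\public\\"                    # scripts dropped here per the write-up
STARTUP_DIR = "\\start menu\\programs\\startup\\"     # officeupdate.exe persistence location


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    original_file_name: str   # PE version-info name; survives a rename on disk
    command_line: str


def _img(ev):
    return ev.image.lower()


def _cmd(ev):
    return ev.command_line.lower()


def cmd_from_archiver(ev):
    """T1059: cmd.exe spawned directly by an archive tool (LNK run from inside WinRAR)."""
    return _img(ev).endswith("\\cmd.exe") and ev.parent_image.lower().endswith("\\winrar.exe")


def renamed_certutil(ev):
    """certutil.exe copied under another name (gosia.exe): image name and OriginalFileName disagree."""
    return ev.original_file_name.lower() == "certutil.exe" and not _img(ev).endswith("\\certutil.exe")


def certutil_decode(ev):
    """T1140: certutil, under any name, used to Base64-decode a dropped file."""
    return (ev.original_file_name.lower() == "certutil.exe"
            and re.search(r"(^|\s)-decode(\s|$)", _cmd(ev)) is not None)


def expand_wildcard_extract(ev):
    """T1140: expand.exe extracting every member of a CAB file into a directory."""
    return _img(ev).endswith("\\expand.exe") and "-f:*" in _cmd(ev)


def script_from_public_dir(ev):
    """T1064: wscript/cscript running a script dropped under the public users directory."""
    return _img(ev).endswith(("\\wscript.exe", "\\cscript.exe")) and PUBLIC_DIR in _cmd(ev)


def binary_in_startup_folder(ev):
    """T1060: a process whose image lives in a Startup folder (officeupdate.exe)."""
    return STARTUP_DIR in _img(ev)


RULES = {f.__name__: f for f in (cmd_from_archiver, renamed_certutil, certutil_decode,
                                 expand_wildcard_extract, script_from_public_dir,
                                 binary_in_startup_folder)}


def evaluate(events):
    """Return {rule_name: [event indexes]} for every rule that fired at least once."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def chain_detected(events, min_rules=3):
    """One matching event is weak evidence on its own; several distinct stages together are not."""
    return len(evaluate(events)) >= min_rules


# Constructed sample telemetry mirroring the steps in the write-up (not real logs).
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
STARTUP = "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Program Files\\WinRAR\\WinRAR.exe", "C:\\Windows\\System32\\cmd.exe", "Cmd.Exe",
              "cmd /c <command list carried by the LNK>"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", TMP + "gosia.exe", "CertUtil.exe",
              "gosia.exe -decode " + TMP + "cSi1rouy4.tmp " + TMP + "o423DFDS4.tmp"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\expand.exe", "expand.exe",
              "expand.exe -F:* " + TMP + "o423DFDS4.tmp " + TMP),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wscript.exe", "wscript.exe",
              "wscript C:\\Users\\Public\\Downloads\\34fDKfSD38.js"),
    ProcEvent("C:\\Windows\\System32\\svchost.exe", STARTUP + "officeupdate.exe", "svchast.exe",
              STARTUP + "officeupdate.exe"),
]
BENIGN_EVENTS = [  # constructed: legitimate uses of the same binaries, none should fire
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\certutil.exe", "CertUtil.exe",
              "certutil -hashfile C:\\Users\\victim\\Downloads\\image.iso SHA256"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\expand.exe", "expand.exe",
              "expand driver.cab -F:driver.sys C:\\drivers"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wscript.exe", "wscript.exe",
              "wscript \"C:\\Program Files\\Vendor\\maintenance.vbs\""),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS), chain_detected(SAMPLE_EVENTS))
```

Keying the certutil rules on the PE OriginalFileName rather than on the image name is what makes the renamed copy visible; the chain threshold keeps an isolated, legitimate use of certutil, expand or wscript from paging anyone.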
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1497 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1498 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1499 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1500 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1501 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1502 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1503 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1504 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1505 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1506 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1507 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1508 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1509 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1510 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1511 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1512 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

- "CV_Colliers.rar"
- "Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

- Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
- Copy the content of "certutil.exe" into "gosia.exe" ("*ertu*.exe" is used to bypass security detection).
- Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
- Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (certutil.exe -decode) and write it to "o423DFDS4.tmp".
- Decompress the content of "o423DFDS4.tmp" in the temp directory along with a decoy PDF document using "expand.exe -F:*" (Figure 3).
- Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
- Execute the JS file by calling Wscript.
- Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is "gosia.exe", while in the March campaign the name was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

- Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
- Execute the dropped "svchast.exe".
- Copy "svchast.exe" into the startup directory and rename it as "officeupdate.exe".
- Add "officeupdate.exe" to scheduled tasks.
- Send a POST request to a hardcoded URL with "d3reEW.exe" as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp".

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

C2 domains (ipconfig exfiltration)

- sixindent[.]epizy[.]com
- goodhk[.]azurewebsites[.]net
- zeplin[.]atwebpages[.]com

C2s used by svchast.exe

- 45.76.6[.]149
- www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
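Detection logic for the LNK chain described above (a renamed copy of certutil used with -decode, expand.exe -F:* unpacking from a temp directory, wscript running a script from the Public Downloads folder), written as an added example for this page and not taken from the Malwarebytes post. It assumes Sysmon process-creation telemetry with the Image, OriginalFileName and CommandLine fields; the sample events, host names and timestamps are constructed.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events (Event ID 1 field names;
# the values are made up to resemble the chain described in the post).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100,
     "Image": r"C:\Users\bob\AppData\Local\Temp\gosia.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"host": "ws01", "ts": 101,
     "Image": r"C:\Windows\System32\expand.exe",
     "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe o423DFDS4.tmp -F:* C:\Users\bob\AppData\Local\Temp"},
    {"host": "ws01", "ts": 102,
     "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    # Benign activity: certutil under its own name, a logon script from a normal path.
    {"host": "ws02", "ts": 200,
     "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -verify cert.cer"},
    {"host": "ws02", "ts": 201,
     "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.js"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_renamed_certutil(ev):
    """certutil.exe copied under another name (gosia.exe / mosia.exe) and used
    with -decode. The version resource's OriginalFileName survives the copy,
    so a mismatch with the on-disk name is the tell."""
    return (ev["OriginalFileName"].lower() == "certutil.exe"
            and basename(ev["Image"]) != "certutil.exe"
            and "-decode" in ev["CommandLine"].lower())


def rule_expand_wildcard(ev):
    """expand.exe -F:* unpacking a CAB whose input or output is in a temp dir."""
    cl = ev["CommandLine"].lower()
    return (basename(ev["Image"]) == "expand.exe"
            and "-f:*" in cl
            and ("\\temp" in cl or ".tmp" in cl))


def rule_wscript_public_downloads(ev):
    """wscript.exe running a script dropped in C:\\Users\\Public\\Downloads."""
    return (basename(ev["Image"]) == "wscript.exe"
            and "\\users\\public\\downloads\\" in ev["CommandLine"].lower())


RULES = [
    ("renamed_certutil_decode", rule_renamed_certutil),
    ("expand_wildcard_from_temp", rule_expand_wildcard),
    ("wscript_from_public_downloads", rule_wscript_public_downloads),
]


def match_events(events):
    """Return (host, ts, rule_name) for every event a rule matches."""
    return [(ev["host"], ev["ts"], name)
            for ev in events for name, rule in RULES if rule(ev)]


def correlate(hits, window=60):
    """Flag hosts where at least two distinct stages fire within `window`
    seconds of each other; single hits are left for analyst triage."""
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for t0, _ in items:
            stages = {name for ts, name in items if t0 <= ts <= t0 + window}
            if len(stages) >= 2:
                flagged[host] = sorted(stages)
                break
    return flagged


if __name__ == "__main__":
    for host, stages in correlate(match_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(stages)}")
```

On the constructed sample only ws01 is flagged, with all three stages; the benign certutil and wscript events on ws02 match no rule.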
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1546 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1547 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1548 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1549 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1550 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1551 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1552 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1553 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1554 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1555 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1556 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1557 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1558 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1559 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1560 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1561 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1562 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1563 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1564 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1565 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1566 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1567 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1568 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1569 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1570 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1571 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1572 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1573 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1574 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1575 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1576 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware.
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload.
Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the literal name to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
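The decode step above can be reproduced statically. The following Python script is an added example written for this edit, not code from the Malwarebytes post: it pulls the longest base64 run out of a shortcut the way the findstr and “gosia.exe -decode” pair does, checks the result for the MSCF cabinet signature, and walks the CAB file table to list the names and sizes expand.exe would write, so an analyst can see what a sample drops without executing any of it. The shortcut bytes, the cabinet and its file sizes are constructed inline; the real samples’ blob, findstr marker and file sizes are not reproduced here, and the decoy file name “decoy.pdf” is a placeholder.

```python
"""Offline triage of a Higaisa-style LNK: pull the base64 blob that the shortcut
feeds to certutil -decode and list what the resulting CAB would drop, without
running certutil.exe or expand.exe."""
import base64
import re
import struct

# Microsoft Cabinet (MSCF) on-disk structures, little-endian.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # signature, reserved1, cbCabinet, reserved2, coffFiles, ...
CFFOLDER = struct.Struct("<IHH")              # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")             # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ NUL-terminated name)

# A run of base64 alphabet; the LNK's findstr step reads it line by line, so CR/LF may sit inside.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def extract_b64_payload(blob: bytes) -> bytes:
    """Decode the longest base64 run in `blob` (what `gosia.exe -decode` would produce)."""
    runs = list(B64_RUN.finditer(blob))
    if not runs:
        raise ValueError("no base64 blob found")
    data = re.sub(rb"[\r\n]", b"", max(runs, key=lambda m: len(m.group())).group())
    data += b"=" * (-len(data) % 4)
    return base64.b64decode(data, validate=True)


def list_cab_files(cab: bytes):
    """Walk the CFFILE table and return [(name, size), ...] without decompressing anything."""
    sig, _, _, _, coff_files, _, _, _, _, n_files, _, _, _ = CFHEADER.unpack_from(cab, 0)
    if sig != b"MSCF":
        raise ValueError("decoded payload is not a CAB")
    entries, pos = [], coff_files
    for _ in range(n_files):
        size = CFFILE.unpack_from(cab, pos)[0]
        pos += CFFILE.size
        end = cab.index(b"\x00", pos)
        entries.append((cab[pos:end].decode("latin-1"), size))
        pos = end + 1
    return entries


def triage_lnk(lnk: bytes) -> dict:
    """Emulate the decode step statically and report what the cabinet carries."""
    payload = extract_b64_payload(lnk)
    return {"payload_size": len(payload), "files": list_cab_files(payload)}


# --- constructed sample, not the real shortcut -------------------------------------
def build_cab(files) -> bytes:
    """Build a header-only CAB (one folder, no CFDATA) listing `files` = [(name, size)]."""
    folder = CFFOLDER.pack(0, 0, 0)
    table = b"".join(CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name.encode() + b"\x00" for name, size in files)
    coff_files = CFHEADER.size + len(folder)
    header = CFHEADER.pack(b"MSCF", 0, coff_files + len(table), 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + folder + table


SAMPLE_FILES = [("66DF3DFG.tmp", 4096), ("34fDKfSD38.js", 1500), ("svchast.exe", 20480), ("decoy.pdf", 65536)]
# 76-byte ShellLinkHeader (CLSID 00021401-0000-0000-C000-000000000046), an illustrative
# cmd.exe argument string, then the blob appended to the tail as the real LNK does.
SAMPLE_LNK = (
    b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046") + b"\x00" * 56
    + b"/c copy *ertu*.exe gosia.exe & findstr ... > cSi1rouy4.tmp & gosia.exe -decode ...\r\n"
    + base64.b64encode(build_cab(SAMPLE_FILES))
)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Running the file prints the constructed cabinet’s listing; pointing `triage_lnk` at real sample bytes gives the same report. The walk is header-only, so a cabinet whose folder uses MSZIP or LZX compression is still listed but never unpacked, which is the point: nothing from the sample runs.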
JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it to “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic               | ID    | Name                                    | Details
Execution            | T1059 | Command-Line Interface                  | Starts CMD.EXE to execute commands (WinRAR.exe, wscript.exe)
Execution            | T1106 | Execution through API                   | Application (AcroRd32.exe) launched itself
Execution            | T1053 | Scheduled Task                          | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution            | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Execution            | T1204 | User Execution                          | Manual execution by user (opening LNK file)
Persistence          | T1060 | Registry Run Keys / Startup Folder      | Writes to a start menu file (Officeupdate.exe)
Persistence          | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task                          | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion      | T1064 | Scripting                               | Executes scripts (34fDFkfSD38.js)
Defense Evasion      | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery            | T1012 | Query Registry                          | Reads the machine GUID from the registry
Discovery            | T1082 | System Information Discovery            | Reads the machine GUID from the registry
Discovery            | T1016 | System Network Configuration Discovery  | Uses IPCONFIG.EXE to discover IP address
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1595 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1596 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1597 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1598 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1599 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1600 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1601 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1602 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1603 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1604 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1605 of 1874\n\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1606 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1607 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1608 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1609 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1610 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1611 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1612 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1613 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1614 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1615 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1616 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1617 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1618 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1619 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1620 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1621 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1622 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1623 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1624 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1625 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1626 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1627 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1628 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1629 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1630 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1631 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1632 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1633 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1634 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1635 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1636 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1637 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1638 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1639 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final shellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C server.\r\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. 
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\n
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1696 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1697 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1698 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1699 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1700 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1701 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1702 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1703 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1704 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1705 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1706 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1707 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1708 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1709 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1710 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1711 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1712 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1713 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.

The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the literal name to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” into the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it to “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
Project link and New copyright policy.rar
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk (two distinct samples)
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
International English Language Testing System certificate.pdf.lnk
Conversations – iOS – Swipe Icons – Zeplin.lnk

C2 domains (ipconfig exfiltration):
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe:
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
| --- | --- | --- | --- |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE to execute commands (WinRAR.exe, wscript.exe) |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
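As an added example (not code from the Malwarebytes post), the following Python performs the analyst-side counterpart of the LNK stage described above: it carves the appended base64 blob (what the chain locates with findstr), decodes it (what the chain does with the renamed certutil) and checks the result for the CAB magic that expand.exe would unpack. The sample input, its header bytes and file names are constructed, not taken from the real samples.

```python
import base64
import binascii
import re
from typing import Optional

# Added example (not from the original post): offline triage of a shortcut-style
# file that carries an appended base64 blob, as the LNK files in this campaign do.
# The LNK structure itself is not parsed; we only carve the blob, decode it and
# check what the decoded bytes really are before anything like expand.exe would
# ever be run on them.

# Container magic to recognise after decoding. "MSCF" is the Microsoft Cabinet
# header, which is what "expand.exe -F:*" unpacks in the report.
MAGIC = {
    b"MSCF": "cab",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

# Runs of base64 alphabet, padding and line breaks; certutil -decode accepts
# wrapped input, so the blob may span many short lines.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")

def carve_base64_blobs(data: bytes) -> list:
    """Return every candidate blob with line breaks removed and padding normalised."""
    blobs = []
    for match in BASE64_RUN.finditer(data):
        run = re.sub(rb"[\r\n]", b"", match.group(0)).rstrip(b"=")
        if len(run) < 64:
            continue
        blobs.append(run + b"=" * (-len(run) % 4))
    return blobs

def decode_blob(blob: bytes) -> Optional[bytes]:
    """Strict decode: bytes that merely look like base64 are rejected, not guessed at."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None

def identify(payload: bytes) -> str:
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"

def triage_lnk(data: bytes) -> dict:
    """Carve, decode and classify the embedded payload of a shortcut-like file.

    Returns the first blob that decodes to a known container; otherwise reports
    how many candidates were seen so the analyst knows whether to look by hand.
    """
    blobs = carve_base64_blobs(data)
    for blob in blobs:
        payload = decode_blob(blob)
        if payload is None:
            continue
        kind = identify(payload)
        if kind != "unknown":
            return {"found": True, "kind": kind, "size": len(payload),
                    "payload": payload, "candidates": len(blobs)}
    return {"found": False, "kind": None, "size": 0, "payload": b"", "candidates": len(blobs)}

def build_sample() -> bytes:
    """Constructed stand-in for a malicious LNK (not a real sample): the 0x4C header
    size every LNK starts with, a placeholder command string, then a wrapped base64
    blob that decodes to a fake CAB (only the magic bytes are real)."""
    fake_cab = b"MSCF" + b"\x00" * 4 + b"constructed cab body, not a real archive" + b"\x00" * 20
    blob = base64.b64encode(fake_cab)
    wrapped = b"\r\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return (b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 8
            + b"cmd.exe /c (command chain omitted)\r\n\r\n" + wrapped + b"\r\n")

if __name__ == "__main__":
    result = triage_lnk(build_sample())
    print(result["kind"], result["size"])  # cab 68
```

A blob that decodes cleanly but carries no known magic is reported as not found with a non-zero candidate count, which is the case that deserves a manual look rather than an automatic expand.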
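A second added example (again not from the original post): process-creation detections for the LNK and JS stages described above, written against Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, OriginalFileName) and run over constructed events. The rule names, host paths and benign look-alikes are assumptions; the technique IDs are the ones in the ATT&CK table above.

```python
import re

# Added example (not from the original post): behavioural detections for the stages
# the report lists, run over constructed Sysmon-style process-creation events.
# Every event below is constructed, not real telemetry, and the technique IDs are
# the ones in the report's ATT&CK table.

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def renamed_certutil(e: dict) -> bool:
    # The PE version resource still says CertUtil.exe although the file on disk
    # was copied to another name (gosia.exe / mosia.exe in the two campaigns).
    return (e.get("OriginalFileName", "").lower() == "certutil.exe"
            and _base(e["Image"]) != "certutil.exe")

def certutil_wildcard_copy(e: dict) -> bool:
    # cmd.exe copying "*ertu*.exe": the wildcard keeps "certutil" out of the command line.
    return (_base(e["Image"]) == "cmd.exe"
            and re.search(r"\bcopy\b.*\*ertu\*", e["CommandLine"], re.I) is not None)

def expand_tmp_cab(e: dict) -> bool:
    # expand.exe -F:* driven against a .tmp source instead of a .cab.
    cmd = e["CommandLine"]
    return (_base(e["Image"]) == "expand.exe"
            and re.search(r"-F:\*", cmd, re.I) is not None and ".tmp" in cmd.lower())

def wscript_public_js(e: dict) -> bool:
    # Script host running a .js dropped under C:\Users\Public.
    return (_base(e["Image"]) == "wscript.exe"
            and re.search(r"\\users\\public\\.*\.js\b", e["CommandLine"], re.I) is not None)

def schtasks_startup_binary(e: dict) -> bool:
    # A scheduled task whose action lives in the Start Menu Startup folder:
    # two persistence mechanisms for one file (officeupdate.exe in the report).
    cmd = e["CommandLine"].lower()
    return (_base(e["Image"]) == "schtasks.exe" and "/create" in cmd
            and "\\start menu\\programs\\startup\\" in cmd)

def ipconfig_from_script_host(e: dict) -> bool:
    # "cmd /c ipconfig" spawned by wscript.exe: the host survey the JS stage writes to disk.
    return (_base(e["Image"]) == "cmd.exe" and "ipconfig" in e["CommandLine"].lower()
            and _base(e.get("ParentImage", "")) in {"wscript.exe", "cscript.exe"})

RULES = [
    (renamed_certutil, "T1140"), (certutil_wildcard_copy, "T1140"),
    (expand_tmp_cab, "T1140"), (wscript_public_js, "T1064"),
    (schtasks_startup_binary, "T1053"), (ipconfig_from_script_host, "T1016"),
]

def detect(events: list) -> list:
    """One finding per (event, rule) pair that matched."""
    return [{"rule": rule.__name__, "technique": tech, "image": e["Image"]}
            for e in events for rule, tech in RULES if rule(e)]

def chain_verdict(findings: list, min_rules: int = 3) -> dict:
    """A lone expand.exe or schtasks.exe is ordinary admin noise; several distinct
    stages of this chain on one host is not, so escalate on breadth, not volume."""
    fired = sorted({f["rule"] for f in findings})
    return {"distinct_rules": len(fired), "rules": fired, "escalate": len(fired) >= min_rules}

SYS32 = "C:\\Windows\\System32\\"
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
STARTUP = "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed events: the first six mirror the chain in the report, the last three
# are benign look-alikes that must not fire.
CONSTRUCTED_EVENTS = [
    {"Image": SYS32 + "cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c copy " + SYS32 + "*ertu*.exe " + TEMP + "gosia.exe"},
    {"Image": TEMP + "gosia.exe", "ParentImage": SYS32 + "cmd.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "gosia.exe -decode " + TEMP + "cSi1rouy4.tmp " + TEMP + "o423DFDS4.tmp"},
    {"Image": SYS32 + "expand.exe", "ParentImage": SYS32 + "cmd.exe", "OriginalFileName": "expand.exe",
     "CommandLine": "expand.exe -F:* " + TEMP + "o423DFDS4.tmp " + TEMP},
    {"Image": SYS32 + "wscript.exe", "ParentImage": SYS32 + "cmd.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\Downloads\\34fDFkfSD38.js"},
    {"Image": SYS32 + "cmd.exe", "ParentImage": SYS32 + "wscript.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c ipconfig"},
    {"Image": SYS32 + "schtasks.exe", "ParentImage": SYS32 + "wscript.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn OfficeUpdate /tr "' + STARTUP + 'officeupdate.exe" /sc onlogon'},
    {"Image": SYS32 + "certutil.exe", "ParentImage": SYS32 + "cmd.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -verify C:\\certs\\server.cer"},
    {"Image": SYS32 + "expand.exe", "ParentImage": SYS32 + "cmd.exe", "OriginalFileName": "expand.exe",
     "CommandLine": "expand.exe -F:* C:\\drivers\\netkvm.cab C:\\drivers\\out"},
    {"Image": SYS32 + "wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": "wscript.exe \\\\corp\\netlogon\\logon.js"},
]

if __name__ == "__main__":
    for f in detect(CONSTRUCTED_EVENTS):
        print(f["technique"], f["rule"], f["image"])
    print(chain_verdict(detect(CONSTRUCTED_EVENTS)))
```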
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1741 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1742 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1743 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1744 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1745 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1746 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1747 of 1874\n\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1748 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1749 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1750 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1751 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1752 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1753 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1754 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1755 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1756 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1757 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1758 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1759 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1760 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1761 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1762 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1763 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1764 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1765 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1766 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1767 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1768 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1769 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1770 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1771 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1772 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1773 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1774 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1775 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1776 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1777 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1778 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1779 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
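As an added example (not code from the Malwarebytes post, and not the real sample's command line), the script below parses a .lnk's shell link structure to recover its Arguments field, scores that command line for the chain listed above, and carves the base64 blob that the findstr/certutil steps extract from the LNK's own file. The sample LNK, its command line and the “MSCF” CAB stand-in are constructed; the exact command layout, the findstr marker and the omission of the self-copy step are assumptions about how the steps are expressed, not details the post gives. Note that the rules key on what the command line does (a wildcarded copy of an executable, a “-decode” run from a non-certutil file name) rather than on the image name, because the process that decodes the blob runs as gosia.exe.

```python
# Added example (not code from the Malwarebytes post): parse a .lnk, pull out its
# command line, flag the certutil/findstr/expand/wscript chain described above and
# carve the base64 blob appended after the shell link structure.  The sample LNK,
# its command line and the CAB stand-in below are constructed.
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional parts follow.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """StringData fields of a shell link plus 'structure_end', the offset after
    which Windows ignores the file (where this campaign parks its blob)."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = struct.unpack_from("<I", data, 0)[0]  # HeaderSize
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width, fields = (2 if flags & IS_UNICODE else 1), {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + width * count
    while pos + 4 <= len(data):  # ExtraData blocks; a size below 4 is the TerminalBlock
        size, = struct.unpack_from("<I", data, pos)
        pos += max(size, 4)
        if size < 4:
            break
    fields["structure_end"] = pos
    return fields


# Keyed on what the command line does, not on the image name: the decoder runs
# as gosia.exe and certutil is only referenced through a wildcard.
RULES = (
    (r"\bcopy\b(?:\s+/\w)*\s+\S*[*?]\S*\.exe\s+\S+\.exe",
     "executable copied via a wildcard path (e.g. *ertu*.exe renamed)"),
    (r"\S+\.exe\s+-decode\b", "certutil-style -decode run from a renamed binary"),
    (r"\bfindstr\b", "findstr carving an embedded blob out of a file"),
    (r"\bexpand(?:\.exe)?\b.*-F:\*", "expand.exe unpacking a CAB"),
    (r"\bwscript(?:\.exe)?\b.*\.js\b", "wscript launching a dropped script"),
)
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def score_arguments(arguments: str) -> list:
    """Reasons whose pattern matches the LNK's command line."""
    return [why for pat, why in RULES if re.search(pat, arguments, re.IGNORECASE)]


def carve_trailing_payload(data: bytes, structure_end: int):
    """Join the base64 runs appended after the structure (what the findstr step
    extracts), decode them and check for the CAB magic 'MSCF'."""
    runs = BASE64_RUN.findall(data[structure_end:])
    if not runs:
        return None
    joined = b"".join(runs)
    blob = base64.b64decode(joined + b"=" * (-len(joined) % 4))
    return {"encoded_lines": len(runs), "size": len(blob), "is_cab": blob.startswith(b"MSCF")}


def build_sample_lnk(arguments: str, trailing: bytes) -> bytes:
    """Constructed input: a minimal Unicode LNK carrying only an Arguments string,
    then the TerminalBlock, then appended data (where the real samples keep it)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, times, sizes zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") + struct.pack("<I", 0) + trailing


# Approximation of the post's chain using its file names; the self-copy step is
# left out and "TVNDRg" (base64 of a CAB header's first bytes) is an assumed marker.
SAMPLE_ARGUMENTS = (
    r"/c copy %windir%\System32\*ertu*.exe %temp%\gosia.exe & "
    r"findstr /b TVNDRg %temp%\g4ZokyumB2DC4.tmp > %temp%\cSi1rouy4.tmp & "
    r"%temp%\gosia.exe -decode %temp%\cSi1rouy4.tmp %temp%\o423DFDS4.tmp & "
    r"expand -F:* %temp%\o423DFDS4.tmp %temp% & "
    r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"
)
_B64 = base64.b64encode(b"MSCF" + bytes(60))  # constructed CAB stand-in: only the magic is real
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGUMENTS, b"\r\n" + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64)))
```

Run `score_arguments(parse_lnk(SAMPLE_LNK)["arguments"])` to see all five stages fire on the constructed command line, and `carve_trailing_payload(SAMPLE_LNK, parse_lnk(SAMPLE_LNK)["structure_end"])` to recover the appended CAB; on a real sample the same two calls give you the command line to write detections for and the compressed stage to hand to a CAB extractor.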
JS file
The JavaScript file performs the following commands:
Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
Execute the dropped “svchast.exe”.
Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
Add “officeupdate.exe” to the scheduled tasks.
Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe
Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.
The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.
Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.
At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.
Chaining techniques for evasion
While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
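Each of the JS-stage and svchast.exe behaviours described above (a .js run from C:\Users\Public\Downloads, ipconfig output stored in a fake .exe, an executable dropped into a Startup folder, the Task Scheduler interface loaded by a script host, and contact with the C2 infrastructure from the post's IOC list) leaves a separate telemetry event, and correlating them per host is what turns noisy single hits into a confident detection. As an added example, not code from the post, the Python below classifies constructed Sysmon-style events and flags a host once three or more stages line up. The paths, the user name, the redirect form of the ipconfig command and the use of the COM interface (taskschd.dll) rather than schtasks.exe are assumptions; the ATT&CK IDs are the ones the post's own table uses.

```python
# Added example (not code from the Malwarebytes post): hunt for the JS stage, the
# persistence it sets up and the C2 contacts described above in endpoint
# telemetry.  The events at the bottom are constructed, Sysmon-like records;
# paths, the user name and the task-creation mechanism are assumptions.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DOWNLOADS = "c:\\users\\public\\downloads\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Network IOCs from the post, with the defanging brackets removed.
C2_DOMAINS = {"sixindent.epizy.com", "goodhk.azurewebsites.net",
              "zeplin.atwebpages.com", "www.comcleanner.info"}
C2_IPS = {"45.76.6.149"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Return (stage, detail) when the event matches one stage of the chain,
    else None.  Stage labels carry the ATT&CK IDs used in the post's table."""
    kind, image, cmd = ev["type"], _name(ev.get("image", "")), ev.get("cmdline", "")
    if kind == "process":
        if image in SCRIPT_HOSTS and PUBLIC_DOWNLOADS in cmd.lower():
            return "T1064 script host running a file from Public\\Downloads", cmd
        if "ipconfig" in cmd.lower() and re.search(r">\s*\S+\.exe\b", cmd, re.I):
            return "T1016 ipconfig output written to a fake .exe", cmd
        if ev.get("image", "").lower().startswith(PUBLIC_DOWNLOADS) and image.endswith(".exe"):
            return "T1204 binary executed from Public\\Downloads", ev["image"]
        if image == "schtasks.exe" and "/create" in cmd.lower() \
                and _name(ev.get("parent", "")) in SCRIPT_HOSTS:
            return "T1053 scheduled task created by a script host", cmd
    elif kind == "imageload":
        if image in SCRIPT_HOSTS and _name(ev.get("loaded", "")) == "taskschd.dll":
            return "T1053 Task Scheduler COM interface loaded by a script host", ev["loaded"]
    elif kind == "file":
        target = ev.get("target", "")
        if image in SCRIPT_HOSTS and STARTUP_DIR in target.lower() and target.lower().endswith(".exe"):
            return "T1060 executable dropped into a Startup folder", target
    elif kind == "dns":
        if ev.get("query", "").lower() in C2_DOMAINS:
            return "C2 DNS query for a known Higaisa domain", ev["query"]
    elif kind == "network":
        if ev.get("dest_ip") in C2_IPS:
            return "C2 connection to a known Higaisa IP", ev["dest_ip"]
    return None


def detect(events) -> dict:
    """Group hits per host; three or more distinct stages on one host is
    reported as the full chain rather than an isolated oddity."""
    hosts = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            hosts.setdefault(ev["host"], {})[hit[0]] = hit[1]
    return {h: {"stages": sorted(s), "chain": len(s) >= 3} for h, s in hosts.items()}


SYS = "C:\\Windows\\System32\\"
PUB = "C:\\Users\\Public\\Downloads\\"
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
EVENTS = [  # constructed: one infected host (WS01) plus benign noise (WS02)
    {"host": "WS01", "type": "process", "parent": SYS + "cmd.exe", "image": SYS + "wscript.exe",
     "cmdline": "wscript " + PUB + "34fDKfSD38.js"},
    {"host": "WS01", "type": "process", "parent": SYS + "wscript.exe", "image": SYS + "cmd.exe",
     "cmdline": "cmd /c ipconfig > " + PUB + "d3reEW.exe"},
    {"host": "WS01", "type": "process", "parent": SYS + "wscript.exe", "image": PUB + "svchast.exe",
     "cmdline": PUB + "svchast.exe"},
    {"host": "WS01", "type": "file", "image": SYS + "wscript.exe", "target": STARTUP + "officeupdate.exe"},
    {"host": "WS01", "type": "imageload", "image": SYS + "wscript.exe", "loaded": SYS + "taskschd.dll"},
    {"host": "WS01", "type": "dns", "image": SYS + "wscript.exe", "query": "goodhk.azurewebsites.net"},
    {"host": "WS01", "type": "network", "image": PUB + "svchast.exe", "dest_ip": "45.76.6.149", "dest_port": 443},
    {"host": "WS02", "type": "process", "parent": SYS + "explorer.exe", "image": SYS + "notepad.exe",
     "cmdline": "notepad"},
    {"host": "WS02", "type": "dns", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "query": "example.com"},
]

if __name__ == "__main__":
    for host, verdict in detect(EVENTS).items():
        print(host, "CHAIN" if verdict["chain"] else "partial", verdict["stages"])
```

The threshold of three distinct stages is a tuning choice: a single script host touching a Startup folder is worth a look, but the same host also writing recon output to a fake .exe and resolving one of the listed C2 domains is the chain itself, and that is what should page someone.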
IOCs
CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5
C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com
C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info
MITRE ATT&CK techniques
Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
This post was authored by Hossein Jazi and Jérôme Segura
On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019.
The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware.
Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

"CV_Colliers.rar"
"Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a Base64-encoded compressed payload.
Here is the list of commands that will be executed:

Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
Copy the content of "certutil.exe" into "gosia.exe" (the source is referenced with the wildcard "*ertu*.exe" rather than by its full name, to bypass security detection).
Look for the Base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (certutil.exe -decode) and write it to "o423DFDS4.tmp".
Decompress the content of "o423DFDS4.tmp" into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
Execute the JS file by calling Wscript.
Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copied certutil.exe, which in this new case is "gosia.exe", whereas in the March campaign it was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations.
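The following Python script is an added example written for this edit (it is not Malwarebytes' tooling and not code recovered from the sample): it reproduces the findstr / certutil -decode / expand.exe stage offline, carving the Base64 blob out of a shortcut, decoding it, and checking for the "MSCF" Cabinet signature that expand.exe expects, while also pulling the UTF-16LE command line out of the LNK so the chain above can be read without running it. The shortcut bytes it runs on are constructed; the findstr pattern "TVNDRg" (the Base64 prefix of "MSCF") and the command text are assumptions, not strings taken from the real sample.

```python
"""Offline triage of the LNK stage: find the Base64 blob that findstr.exe would
carve out, decode it as a renamed certutil.exe would, and check for the CAB
magic that expand.exe consumes.  Added example; the sample shortcut is constructed."""
import base64
import binascii
import re

CAB_MAGIC = b"MSCF"  # Microsoft Cabinet signature expected by expand.exe
# LNK header: HeaderSize 0x4C then the shell-link CLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Base64 runs, allowing certutil-style 64-column line breaks inside the run.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")
# Printable UTF-16LE strings: LNK StringData (the command-line arguments) is stored this way.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){16,}")

# Command-line fragments marking each stage of the chain described in the post.
STAGE_MARKERS = {
    "certutil_copy_wildcard": "*ertu*",  # certutil.exe copied via a wildcard name
    "certutil_decode": "-decode",        # renamed certutil decoding the blob
    "expand_cab": "-F:*",                # expand.exe unpacking the CAB
    "wscript": "wscript",                # JS stage launched through wscript
}

def extract_command_lines(data: bytes):
    """Return the UTF-16LE strings long enough to be LNK command-line arguments."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]

def find_base64_blobs(data: bytes):
    """Yield (offset, decoded_bytes) for each long Base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(data):
        run = m.group(0).replace(b"\r", b"").replace(b"\n", b"")
        if len(run) < 64:
            continue
        try:
            yield m.start(), base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # not real Base64 (bad padding or a stray '=')

def triage_lnk(lnk: bytes) -> dict:
    """Summarise what the findstr -> certutil -decode -> expand.exe stage would yield."""
    haystack = lnk.lower()
    stages = []
    for name, marker in STAGE_MARKERS.items():
        ascii_m = marker.lower().encode()
        wide_m = marker.lower().encode("utf-16-le")  # command line is UTF-16LE inside the LNK
        if ascii_m in haystack or wide_m in haystack:
            stages.append(name)
    result = {"command_lines": extract_command_lines(lnk), "stages": stages,
              "cab_found": False, "cab_size": 0, "blob_offset": None}
    for offset, decoded in find_base64_blobs(lnk):
        if decoded.startswith(CAB_MAGIC):
            result.update(cab_found=True, cab_size=len(decoded), blob_offset=offset)
            break
    return result

def build_sample_lnk() -> bytes:
    """Constructed stand-in for the malicious shortcut (not the real sample): a real LNK
    header, the command chain as UTF-16LE, then an appended Base64 blob whose decoded
    content starts with the CAB magic.  The findstr pattern "TVNDRg" is an assumption:
    it is simply the Base64 prefix of "MSCF"."""
    cmd = ("/c copy /y *.lnk %TEMP%\\g4ZokyumB2DC4.tmp & "
           "copy /y C:\\Windows\\System32\\*ertu*.exe gosia.exe & "
           'findstr "TVNDRg" g4ZokyumB2DC4.tmp > cSi1rouy4.tmp & '
           "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp & "
           "expand.exe -F:* o423DFDS4.tmp %TEMP% & wscript 34fDKfSD38.js")
    payload = CAB_MAGIC + b"\x00" * 60 + b"decoy.pdf 66DF3DFG.tmp 34fDKfSD38.js"  # 100 bytes
    b64 = base64.b64encode(payload)
    wrapped = b"\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return LNK_HEADER + cmd.encode("utf-16-le") + b"\r\n" + wrapped + b"\r\n"

if __name__ == "__main__":
    print(triage_lnk(build_sample_lnk()))
```

Run it against a real shortcut with triage_lnk(open(path, "rb").read()). A long Base64 run appended after the LNK structure that decodes to "MSCF" is itself a strong indicator, since legitimate shortcuts do not normally carry appended data, and the extracted command line shows the renamed-certutil and expand.exe steps before anything is executed.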
Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
Execute the dropped "svchast.exe".
Copy "svchast.exe" into the startup directory and rename it "officeupdate.exe".
Add "officeupdate.exe" to the scheduled tasks.
Send a POST request to a hardcoded URL with "d3reEW.exe" as the data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp".

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode.

The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally, it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d  CV_Colliers.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04  Project link and New copyright policy.rar
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9  Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81  Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b  International English Language Testing System certificate.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6  Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5  Conversations – iOS – Swipe Icons – Zeplin.lnk

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
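As an added example (ours, not from the Malwarebytes post or any product), the rules below turn the ATT&CK table into detection logic and run it over constructed Sysmon-style process-creation events for the whole chain, plus two benign look-alikes that must stay silent. The event fields mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine, OriginalFileName); the schtasks arguments and the victim's profile path are assumptions, since the post does not print the JavaScript's exact command lines, and the T1036 mapping for the wildcard copy is this example's choice rather than a row from the table.

```python
"""Detection rules for the Higaisa LNK -> certutil -> expand -> wscript chain,
exercised on constructed Sysmon-style process-creation events.
Added example: the events and schtasks arguments are invented for illustration."""
import ntpath  # Windows path handling even when this runs on Linux

def _image(e):
    return ntpath.basename(e["image"]).lower()

def _parent(e):
    return ntpath.basename(e["parent_image"]).lower()

def _orig(e):
    return e.get("original_file_name", "").lower()

def _cmd(e):
    return e["command_line"].lower()

# Each rule returns (rule name, ATT&CK technique) when the event matches, else None.
def cmd_from_winrar(e):
    # The LNK is opened from inside the archive, so WinRAR.exe is cmd.exe's parent.
    if _image(e) == "cmd.exe" and _parent(e) == "winrar.exe":
        return "cmd_from_winrar", "T1059"

def lolbin_wildcard_copy(e):
    # "*ertu*.exe" keeps the literal string certutil out of the command line.
    # Masquerading (T1036) is this example's mapping; the post's table has no row for it.
    if "*ertu*" in _cmd(e):
        return "lolbin_wildcard_copy", "T1036"

def renamed_certutil(e):
    # Sysmon's OriginalFileName comes from the PE version resource and survives a rename.
    if _orig(e) == "certutil.exe" and _image(e) != "certutil.exe":
        return "renamed_certutil", "T1140"

def certutil_decode(e):
    if _orig(e) == "certutil.exe" and "-decode" in _cmd(e):
        return "certutil_decode", "T1140"

def expand_cab(e):
    if _image(e) == "expand.exe" and "-f:*" in _cmd(e):
        return "expand_cab", "T1140"

def wscript_from_public(e):
    c = _cmd(e)
    if _image(e) == "wscript.exe" and "\\users\\public\\" in c and ".js" in c:
        return "wscript_from_public", "T1064"

def ipconfig_to_file(e):
    # The JS stage redirects ipconfig output into a file that it later POSTs to the C&C.
    c = _cmd(e)
    if "ipconfig" in c and ">" in c and "\\users\\public\\" in c:
        return "ipconfig_to_file", "T1016"

def startup_scheduled_task(e):
    c = _cmd(e)
    if _image(e) == "schtasks.exe" and "/create" in c and "\\startup\\" in c:
        return "startup_scheduled_task", "T1053"

RULES = [cmd_from_winrar, lolbin_wildcard_copy, renamed_certutil, certutil_decode,
         expand_cab, wscript_from_public, ipconfig_to_file, startup_scheduled_task]

def run_rules(events):
    """Return (event index, rule name, technique) for every rule that fires."""
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            r = rule(e)
            if r:
                hits.append((i, r[0], r[1]))
    return hits

def ev(image, parent, original, command_line):
    return {"image": image, "parent_image": parent,
            "original_file_name": original, "command_line": command_line}

SYS = r"C:\Windows\System32"
TEMP = r"C:\Users\victim\AppData\Local\Temp"          # assumed profile path
PUB = r"C:\Users\Public\Downloads"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [  # constructed, in the order the chain would produce them
    ev(SYS + r"\cmd.exe", r"C:\Program Files\WinRAR\WinRAR.exe", "Cmd.Exe",
       r"cmd /c copy /y " + SYS + r"\*ertu*.exe " + TEMP + r"\gosia.exe"),
    ev(TEMP + r"\gosia.exe", SYS + r"\cmd.exe", "CertUtil.exe",
       "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"),
    ev(SYS + r"\expand.exe", SYS + r"\cmd.exe", "expand.exe",
       "expand.exe -F:* o423DFDS4.tmp " + TEMP),
    ev(SYS + r"\wscript.exe", SYS + r"\cmd.exe", "wscript.exe",
       "wscript " + PUB + r"\34fDKfSD38.js"),
    ev(SYS + r"\cmd.exe", SYS + r"\wscript.exe", "Cmd.Exe",
       "cmd /c ipconfig > " + PUB + r"\d3reEW.exe"),
    ev(SYS + r"\schtasks.exe", SYS + r"\wscript.exe", "schtasks.exe",  # arguments assumed
       'schtasks /create /tn officeupdate /sc minute /mo 10 /tr "' + STARTUP + r'\officeupdate.exe"'),
    # benign look-alikes that must stay silent
    ev(SYS + r"\certutil.exe", SYS + r"\cmd.exe", "CertUtil.exe", "certutil -verify server.cer"),
    ev(SYS + r"\ipconfig.exe", SYS + r"\cmd.exe", "ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The renamed_certutil rule is the one worth keeping regardless of this campaign: it catches the "gosia.exe"/"mosia.exe" trick on OriginalFileName alone, without depending on the file name the actor chooses next time, while the command-line rules pin down the specific certutil -decode, expand.exe -F:* and Public\Downloads stages the post describes.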
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1838 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1839 of 1874\n\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1840 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1841 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1842 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1843 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1844 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1845 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1846 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1847 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1848 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1849 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1850 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1851 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1852 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1853 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1854 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1855 of 1874\n\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1856 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1857 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1858 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1859 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1860 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1861 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1862 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1863 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nThis post was authored by Hossein Jazi and Jérôme Segura\r\nOn May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent\r\nThreat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first\r\ndisclosed by Tencent Security Threat Intelligence Center in early 2019.\r\nThe group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as\r\nmobile malware. 
Its targets include government officials and human rights organizations, as well as other entities\r\nrelated to North Korea.\r\nIn this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage\r\nattack that consists of several malicious scripts, payloads and decoy PDF documents.\r\nDistribution\r\nThe threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via\r\nspear-phishing.\r\nWe were able to identify two variants of this campaign that possibly have been distributed between May 12th and\r\n31st:\r\n“CV_Colliers.rar”\r\n“Project link and New copyright policy.rar”\r\nBoth RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are\r\ndisguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.\r\nThe older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.\r\nThe following shows the overall process flow when executing the malicious LNK file.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1864 of 1874\n\nLNK file\r\nThe LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded\r\ncompressed payload. 
Here is the list of commands that will be executed:\r\nCopy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory.\r\nCopy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection).\r\nLook for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.\r\nDecode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to\r\n“o423DFDS4.tmp”.\r\nDecompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using\r\n“expand.exe -F:*” (Figure 3) .\r\nCopy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory.\r\nExecute the JS file by calling Wscript.\r\nOpen the decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1865 of 1874\n\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\r\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\r\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\r\nBoth LNK files embedded within the archive are executing similar commands with the different Command and\r\nControl (C\u0026C) configurations. 
Running each of them would show a different decoy document.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1866 of 1874\n\nJS file\r\nThe JavaScript file performs the following commands:\r\nCreate “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it.\r\nExecute the dropped “svchast.exe”.\r\nCopy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”.\r\nAdd “officeupdate.exe” to scheduled tasks.\r\nSend a POST request to a hardcoded URL with “d3reEW.exe” as data.\r\nsvchast.exe\r\nSvchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1867 of 1874\n\nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\r\nshellcode.\r\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1868 of 1874\n\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1869 of 1874\n\nFinally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C\u0026C\r\nserver.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1870 of 1874\n\nAt the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.\r\nChaining techniques for evasion\r\nWhile most malware campaigns use a simple decoy document that typically retrieves a malware payload, more\r\nadvanced attackers will often try unconventional means to infect their victims.\r\nWe reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR\r\nand therefore completely stopped the attack.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1871 of 1874\n\nIOCs\r\nCV_Colliers.rar\r\ndf999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d\r\nProject link and New copyright policy.rar\r\nc3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\n50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9\r\nTokbox icon – Odds and Ends – iOS – Zeplin.lnk\r\n1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81\r\nInternational English Language Testing System certificate.pdf.lnk\r\nc613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b\r\nCurriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk\r\ndcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6\r\nConversations – iOS – Swipe Icons – Zeplin.lnk\r\nc0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1872 of 1874\n\nC2 domains (ipconfig exfiltration)\r\nsixindent[.]epizy[.]com\r\ngoodhk[.]azurewebsites[.]net\r\nzeplin[.]atwebpages[.]com\r\nC2s used by svchast.exe\r\n45.76.6[.]149\r\nwww.comcleanner[.]info\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Details\r\nExecution T1059\r\nCommand-Line\r\nInterface\r\nStarts CMD.EXE for\r\ncommands (WinRAR.exe,\r\nwscript.exe) execution\r\nT1106 Execution through API\r\nApplication\r\n(AcroRd32.exe) launched\r\nitself\r\nT1053 Scheduled Task\r\nLoads the Task Scheduler\r\nDLL interface\r\n(Officeupdate.exe)\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1204 User Execution\r\nManual execution by user\r\n(opening LNK file)\r\nPersistence T1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nWrites to a start menu file\r\n(Officeupdate.exe)\r\nT1053 Scheduled 
Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nPrivilege\r\nEscalation\r\nT1053 Scheduled Task\r\nUses Task Scheduler to run\r\nother applications\r\n(Officeupdate.exe)\r\nDefense\r\nEvasion\r\nT1064 Scripting\r\nExecutes scripts\r\n(34fDFkfSD38.js)\r\nT1140 Deobfuscate/Decode\r\nFiles or Information\r\ncertutil to decode Base64\r\nbinaries, expand.exe to\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1873 of 1874\n\ndecompress a CAB file\r\nDiscovery T1012 Query Registry\r\nReads the machine GUID\r\nfrom the registry\r\nT1082\r\nSystem Information\r\nDiscovery\r\nReads the machine GUID\r\nfrom the registry\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nUses IPCONFIG.EXE to\r\ndiscover IP address\r\nCategories\r\nRelated articles\r\nSource: https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/\r\nPage 1874 of 1874\n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 8 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 14 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
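The LNK command chain, the JS file behaviour and the ATT&CK table above, turned into a defender-side detection sketch. This is an added example, not code from the Malwarebytes post: constructed Sysmon-style process-creation events are checked for certutil running under a different name with -decode, expand.exe -F:* on a .tmp, wscript.exe launching a script from C:\Users\Public\Downloads, and the script host spawning cmd /c ipconfig, then correlated per host so that a single legitimate certutil use does not alert. The field names (Image, OriginalFileName, ParentImage, CommandLine), hostnames, timestamps and paths are assumptions.

```python
"""Detection sketch for the LNK -> renamed certutil -> expand.exe -> wscript chain.

Added example, not code from the post. Events are constructed Sysmon-style
process-creation records (Event ID 1 field names are an assumption); the
command lines mirror the chain described in the post, the paths are made up.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one infected host (ws01) and one benign
# certutil use on another host (ws02). None of this is real data.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2020-05-29T09:00:01",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c copy /y C:\Windows\System32\certutil.exe %TEMP%\gosia.exe"},
    {"host": "ws01", "ts": "2020-05-29T09:00:02",
     "Image": r"C:\Users\u\AppData\Local\Temp\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"host": "ws01", "ts": "2020-05-29T09:00:03",
     "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand.exe o423DFDS4.tmp -F:* C:\Users\u\AppData\Local\Temp"},
    {"host": "ws01", "ts": "2020-05-29T09:00:04",
     "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"host": "ws01", "ts": "2020-05-29T09:00:05",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd /c ipconfig"},
    {"host": "ws02", "ts": "2020-05-29T09:10:00",
     "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -decode cert.b64 cert.cer"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def rule_renamed_certutil(ev):
    """T1140 under a masqueraded name: the binary's original name is CertUtil.exe
    but it runs as something else (gosia.exe / mosia.exe in the post) with -decode."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and _base(ev["Image"]) != "certutil.exe"
            and "-decode" in ev["CommandLine"].lower())


def rule_expand_tmp(ev):
    """expand.exe -F:* unpacking a .tmp CAB (the decoded payload plus decoy PDF)."""
    cl = ev["CommandLine"].lower()
    return _base(ev["Image"]) == "expand.exe" and "-f:*" in cl and ".tmp" in cl


def rule_wscript_public_downloads(ev):
    # wscript.exe running a .js dropped under C:\Users\Public\Downloads (T1064).
    return (_base(ev["Image"]) == "wscript.exe"
            and re.search(r"c:\\users\\public\\downloads\\[^\s\"]+\.js",
                          ev["CommandLine"], re.I) is not None)


def rule_wscript_spawns_ipconfig(ev):
    """A script host spawning cmd /c ipconfig (T1016, staged for the POST exfil)."""
    return (_base(ev["ParentImage"]) in ("wscript.exe", "cscript.exe")
            and _base(ev["Image"]) == "cmd.exe"
            and "ipconfig" in ev["CommandLine"].lower())


RULES = {
    "renamed_certutil": rule_renamed_certutil,
    "expand_tmp": rule_expand_tmp,
    "wscript_public_downloads": rule_wscript_public_downloads,
    "wscript_spawns_ipconfig": rule_wscript_spawns_ipconfig,
}


def evaluate(events, window_minutes=10, min_hits=3):
    """Return {host: sorted rule names} for hosts where at least min_hits distinct
    rules fire within window_minutes. A lone hit (e.g. legitimate certutil use)
    does not alert; the chain is what identifies this campaign."""
    hits = defaultdict(list)  # host -> [(timestamp, rule name)]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for name, check in RULES.items():
            if check(ev):
                hits[ev["host"]].append((ts, name))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {n for t, n in items[i:] if t - start <= window}
            if len(names) >= min_hits:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Higaisa-style LNK chain ({', '.join(rules)})")
```

On the sample events only ws01 alerts, with all four rules; the benign certutil.exe run on ws02 produces no hit because its image name matches its original file name.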
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 144 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 152 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 160 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 162 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. 
\n   Page 178 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 180 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 187 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 189 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. 
\n   Page 197 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 199 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 208 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 216 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 218 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 231 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 239 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 241 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 255 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. 
\n   Page 263 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 265 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 272 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 280 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 288 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 290 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 297 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 306 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 314 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 316 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 332 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 340 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 342 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 350 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 359 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 367 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 369 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 386 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 394 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 396 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 403 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 405 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 414 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. 
\n   Page 422 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 424 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 435 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 437 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 446 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 454 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 456 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 468 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 470 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 479 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 487 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 489 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 496 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. 
\n   Page 502 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 504 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 513 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 521 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 523 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 530 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 537 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 539 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 548 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1257 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1259 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1268 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1276 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1278 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1285 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1299 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1314 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1316 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1325 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1333 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1335 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1342 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1357 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1372 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1374 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1383 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1391 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1393 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1404 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1419 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1434 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1436 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1445 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1453 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1455 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1467 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1482 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1497 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1499 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1508 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1516 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1518 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1525 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1531 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1546 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1561 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1563 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1572 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1580 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1582 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1593 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1599 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1614 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1629 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1631 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1640 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1648 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1650 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1662 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1668 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1683 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1698 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1700 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1709 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1717 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1719 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1735 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1741 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      \nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\n   Page 1756 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia\nCovid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new\ncase is “gosia.exe”, while in the March campaign the name was “mosia.exe”.  \nBoth LNK files embedded within the archive are executing similar commands with the different Command and\nControl (C\u0026C) configurations. Running each of them would show a different decoy document. \n   Page 1771 of 1874   \n\n  https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/    \nIn fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final\nshellcode.      
\nThe final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.\nThe list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.\nBoth LNK files embedded within the archive execute similar commands with different Command and Control (C\u0026C) configurations. Running each of them would show a different decoy document.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/"
	],
	"report_names": [
		"higaisa"
	],
	"threat_actors": [
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775791797,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b3ad758d95d3cdcda33384c51a1243ce5206751.pdf",
		"text": "https://archive.orkl.eu/1b3ad758d95d3cdcda33384c51a1243ce5206751.txt",
		"img": "https://archive.orkl.eu/1b3ad758d95d3cdcda33384c51a1243ce5206751.jpg"
	}
}