New LNK attack tied to Higaisa APT discovered Published: 2020-06-03 · Archived: 2026-04-05 13:22:51 UTC Nebula support OneView support Nebula sign in OneView sign in Partner Portal sign in Products Partners Resources Why ThreatDown https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 2 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 3 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 4 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 5 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, 
expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 6 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 7 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 8 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 9 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 10 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 11 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 12 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 13 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 14 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 15 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 16 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 17 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 18 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 19 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 20 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 21 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 22 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 23 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 24 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 25 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) 
Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 26 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 27 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 28 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 29 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 30 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 31 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 32 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 33 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 34 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 35 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 36 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 37 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 38 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 39 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 40 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 41 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 42 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 43 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 44 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 45 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 46 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 47 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 48 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 49 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 50 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
expand.exe to decompress a CAB file
Discovery T1012 Query Registry Reads the machine GUID from the registry
T1082 System Information Discovery Reads the machine GUID from the registry
T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address

This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing.

We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:
“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:
1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (“*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:
1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.
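The findstr, certutil -decode and expand.exe steps in the LNK section can be reproduced offline for triage without running any of those tools. The Python script below is an added example written for this edit, not code from the Malwarebytes post or from the samples: it locates a long base64 run inside a shortcut-like file, decodes it, fingerprints the result by its magic bytes and, when it is a cabinet, lists the members from the CFHEADER, CFFOLDER and CFFILE structures alone, so an analyst sees what expand.exe would have dropped before anything is extracted. The shortcut bytes and the header-only CAB inside them are constructed for the demo (the real samples' blobs are not on the page); the member names reuse the file names reported above.

```python
"""Offline triage of a Higaisa-style LNK: find the embedded base64 blob, decode
it, and list the CAB members from the headers alone (no certutil, no expand).
Added example: SAMPLE_LNK and the header-only CAB inside it are constructed."""
import base64
import re
import struct

# A base64 run of at least 40 chars, possibly wrapped on CR/LF (certutil style),
# with an optional short final line and padding.
B64_RUN = re.compile(rb'(?:[A-Za-z0-9+/]{40,}[\r\n]*)+[A-Za-z0-9+/]*={0,2}')

CFHEADER = struct.Struct('<4sIIIIIBBHHHHH')  # 36-byte cabinet header
CFFOLDER = struct.Struct('<IHH')             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct('<IIHHHH')            # cbFile, uoffFolderStart, iFolder, date, time, attribs
COMPRESSION = {0: 'none', 1: 'MSZIP', 2: 'Quantum', 3: 'LZX'}


def find_base64_blobs(data, min_decoded=32):
    """Yield (offset, decoded_bytes) for each long base64 run in the file."""
    for m in B64_RUN.finditer(data):
        raw = re.sub(rb'[\r\n]', b'', m.group(0))
        raw += b'=' * (-len(raw) % 4)  # restore padding that line-wrapping may have dropped
        try:
            decoded = base64.b64decode(raw, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(decoded) >= min_decoded:
            yield m.start(), decoded


def identify(blob):
    """Cheap magic-byte fingerprint of a decoded payload."""
    if blob.startswith(b'MSCF'):
        return 'cab'
    if blob.startswith(b'MZ'):
        return 'pe'
    if blob.startswith(b'%PDF'):
        return 'pdf'
    return 'unknown'


def list_cab(blob):
    """Parse CFHEADER/CFFOLDER/CFFILE and return the member names, sizes and compression."""
    (sig, _, cb_cabinet, _, coff_files, _, v_minor, v_major,
     n_folders, n_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(blob, 0)
    if sig != b'MSCF':
        raise ValueError('not a CAB')
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: extra reserve fields, not handled here
        raise ValueError('reserve fields not supported by this example')
    folders, off = [], CFHEADER.size
    for _ in range(n_folders):
        _start, _n_data, ctype = CFFOLDER.unpack_from(blob, off)
        folders.append(COMPRESSION.get(ctype & 0xF, 'unknown'))
        off += CFFOLDER.size
    files, off = [], coff_files
    for _ in range(n_files):
        size, _fstart, i_folder, _d, _t, _attr = CFFILE.unpack_from(blob, off)
        off += CFFILE.size
        end = blob.index(b'\x00', off)  # szName is NUL-terminated
        files.append({'name': blob[off:end].decode('utf-8', 'replace'), 'size': size,
                      'compression': folders[i_folder] if i_folder < len(folders) else 'unknown'})
        off = end + 1
    return {'version': f'{v_major}.{v_minor}', 'cabinet_size': cb_cabinet, 'files': files}


def triage(data):
    """One finding per embedded blob; CABs get their member listing attached."""
    findings = []
    for off, blob in find_base64_blobs(data):
        kind = identify(blob)
        entry = {'offset': off, 'kind': kind, 'size': len(blob)}
        if kind == 'cab':
            entry['cab'] = list_cab(blob)
        findings.append(entry)
    return findings


def build_sample_cab(members):
    """Constructed header-only CAB (no CFDATA blocks) that makes the demo self-contained."""
    files = b''.join(CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name.encode() + b'\x00'
                     for name, size in members)
    coff_files = CFHEADER.size + CFFOLDER.size
    total = coff_files + len(files)
    header = CFHEADER.pack(b'MSCF', 0, total, 0, coff_files, 0, 3, 1, 1, len(members), 0, 0x1234, 0)
    folder = CFFOLDER.pack(total, 0, 1)  # one MSZIP folder whose data would start at `total`
    return header + folder + files


# Constructed shortcut-like bytes: a fake binary header, a command-line placeholder,
# then the base64 blob wrapped at 64 columns, the way certutil -encode writes it.
_B64 = base64.b64encode(build_sample_cab([('66DF3DFG.tmp', 4096), ('34fDKfSD38.js', 1337),
                                          ('decoy.pdf', 65536)]))
SAMPLE_LNK = (b'L\x00\x00\x00' + b'\x01\x14\x02\x00' * 4 + b'\x00' * 40
              + b'/c <command-line placeholder>\x00\r\n'
              + b'\r\n'.join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + b'\r\n\x00\x00')

if __name__ == '__main__':
    for finding in triage(SAMPLE_LNK):
        print(finding)
```

Run it against a real shortcut with `triage(open(path, 'rb').read())`; a PE or PDF blob is reported by kind only, while a cabinet yields the member list the LNK chain would later copy into C:\Users\Public\Downloads.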
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 61 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 62 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 63 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 64 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 65 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 66 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 67 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 68 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 69 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 70 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 71 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 72 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 73 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 74 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 75 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 76 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 77 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 78 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 79 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 80 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 81 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 82 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 83 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 84 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 85 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 86 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 87 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 88 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 89 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 90 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 91 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 92 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 93 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 94 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 95 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 96 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 97 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 98 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 99 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 100 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 101 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 102 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 103 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 104 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
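The LNK stage described above relies on two things a triage tool can check statically: the shortcut's embedded command line, and a payload blob sitting after the end of the Shell Link structure where findstr can carve it out. The following Python script is an added example (not code from the Malwarebytes post): it walks the MS-SHLLINK structure to recover the argument string, applies heuristics for the chain above, and reports any appended data. The sample shortcut and its appended blob are constructed in the script; its file names follow the post, while the argument string itself is an assumption.

```python
"""Static triage of a .lnk file for the pattern described in the post: an embedded
command line plus a payload blob appended after the Shell Link structure (MS-SHLLINK).
Added example; the sample shortcut below is constructed, not a real campaign file."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structure; return its StringData plus any trailing bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:         # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for bit, name in STRING_FIELDS:             # CountCharacters (2 bytes) + characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    while pos + 4 <= len(data):                 # ExtraData blocks; BlockSize < 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):
            break
        pos += size
    info["trailing"] = data[pos:]               # anything past the structure is appended data
    return info


# Heuristics for the command chain the post describes (matched case-insensitively).
SUSPICIOUS_ARGS = (
    (r"\*ertu\*|certutil", "certutil referenced (a wildcard copy defeats name-based blocking)"),
    (r"(^|\s)-decode\b", "-decode switch: Base64 decoding, as done by the renamed certutil"),
    (r"\bfindstr\b", "findstr used to carve a payload out of a file"),
    (r"\bexpand(\.exe)?\s+-F:", "expand.exe unpacking a CAB"),
    (r"\b[wc]script(\.exe)?\b", "Windows Script Host launched from a shortcut"),
    (r"\\Users\\Public\\", "files staged under C:\\Users\\Public"),
)
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]{40,}={0,2}\r?$", re.M)


def assess_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing in the pattern matched."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    findings = [why for rx, why in SUSPICIOUS_ARGS if re.search(rx, args, re.I)]
    if info["trailing"]:
        findings.append(f"{len(info['trailing'])} bytes appended after the shortcut structure")
        if B64_LINE.search(info["trailing"]):
            findings.append("appended data contains Base64-looking lines (findstr can carve these)")
    return findings


def build_sample_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Constructed sample: a minimal valid Shell Link carrying only command-line arguments,
    followed by optional appended bytes (mimicking the blob the LNK stage carves out)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(76 - len(header))           # attributes, timestamps, icon, hotkey: zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended


# Constructed test input: file names follow the post, the argument string is an assumption.
SAMPLE_ARGS = (r"/c copy %windir%\System32\*ertu*.exe gosia.exe & gosia.exe -decode cSi1rouy4.tmp "
               r"o423DFDS4.tmp & expand.exe -F:* o423DFDS4.tmp . & wscript C:\Users\Public\Downloads\34fDKfSD38.js")
SAMPLE_BLOB = b"\r\n" + base64.b64encode(b"MSCF" + bytes(60)) + b"\r\n"   # "MSCF" is the CAB magic

if __name__ == "__main__":
    for line in assess_lnk(build_sample_lnk(SAMPLE_ARGS, SAMPLE_BLOB)):
        print("-", line)
```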
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.
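The LNK, JS and loader stages above leave a recognisable trail in endpoint telemetry, and no single step is a good alert on its own (certutil, expand.exe and wscript all have legitimate uses). The following Python is an added example (not from the post): it scores Sysmon-style process-creation, file-creation and task-registration events per host and alerts only when several stages of the chain appear together. The events, host names and timestamps are constructed, and the way the scheduled-task registration is logged is an assumption.

```python
"""Chain detection for the LNK -> JS -> loader stages described in the post, run over
constructed Sysmon-style telemetry. Added example; events and hosts are made up."""
import ntpath
from collections import defaultdict

STARTUP_DIR = "\\start menu\\programs\\startup\\"
PUBLIC_DIR = "\\users\\public\\"
USER_WRITABLE = (STARTUP_DIR, PUBLIC_DIR, "\\appdata\\")


def rule_hits(ev: dict) -> list:
    """Names of the single-event rules this event satisfies (empty for benign events)."""
    hits = []
    image = ev.get("image", "").lower()
    base = ntpath.basename(image)
    cmd = ev.get("cmd", "").lower()
    if ev["type"] == "ProcessCreate":
        # Sysmon EID 1 carries the PE's OriginalFileName: a renamed certutil (the post's
        # gosia.exe / mosia.exe) still reports CertUtil.exe there.
        if ev.get("orig_name", "").lower() == "certutil.exe" and base != "certutil.exe":
            hits.append("renamed_certutil")
        if "-decode" in cmd.split():
            hits.append("certutil_decode")
        if base == "expand.exe" and "-f:*" in cmd:
            hits.append("expand_cab")
        if base in ("wscript.exe", "cscript.exe") and PUBLIC_DIR in cmd:
            hits.append("script_from_public")
        if PUBLIC_DIR in image:
            hits.append("exec_from_public")      # svchast.exe launched from Public\Downloads
    elif ev["type"] == "FileCreate":             # Sysmon EID 11
        if STARTUP_DIR in ev.get("target", "").lower():
            hits.append("startup_folder_write")  # officeupdate.exe copied to Startup
    elif ev["type"] == "TaskRegistered":         # modelled on Security EID 4698 (assumption)
        action = ev.get("action", "").lower()
        if any(d in action for d in USER_WRITABLE):
            hits.append("task_runs_user_writable_binary")
    return hits


def correlate(events: list, window: int = 600, min_rules: int = 3) -> dict:
    """Alert per host when at least `min_rules` distinct rules fire within `window` seconds.
    A single LOLBin hit is noisy on its own; the chain is the signal."""
    per_host = defaultdict(list)
    for ev in events:
        for name in rule_hits(ev):
            per_host[ev["host"]].append((ev["t"], name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= min_rules:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed events. Paths and file names follow the post; timestamps (seconds), host
# names, the user profile and the parent/child layout are assumptions.
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"host": "WS01", "t": 100, "type": "ProcessCreate", "parent": CMD,
     "image": r"C:\Users\alice\AppData\Local\Temp\gosia.exe", "orig_name": "CertUtil.exe",
     "cmd": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"host": "WS01", "t": 101, "type": "ProcessCreate", "parent": CMD,
     "image": r"C:\Windows\System32\expand.exe", "orig_name": "expand.exe",
     "cmd": "expand.exe -F:* o423DFDS4.tmp ."},
    {"host": "WS01", "t": 103, "type": "ProcessCreate", "parent": CMD,
     "image": WSCRIPT, "orig_name": "wscript.exe",
     "cmd": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"host": "WS01", "t": 105, "type": "ProcessCreate", "parent": WSCRIPT,
     "image": r"C:\Users\Public\Downloads\svchast.exe", "orig_name": "svchast.exe",
     "cmd": "svchast.exe"},
    {"host": "WS01", "t": 106, "type": "FileCreate", "image": WSCRIPT,
     "target": STARTUP + r"\officeupdate.exe"},
    {"host": "WS01", "t": 107, "type": "TaskRegistered", "task": r"\officeupdate",
     "action": STARTUP + r"\officeupdate.exe"},
    # Benign: a genuine, un-renamed certutil verifying a certificate on another host.
    {"host": "WS02", "t": 100, "type": "ProcessCreate", "parent": CMD,
     "image": r"C:\Windows\System32\certutil.exe", "orig_name": "CertUtil.exe",
     "cmd": "certutil -verify cert.cer"},
]

if __name__ == "__main__":
    for host, rules in correlate(EVENTS).items():
        print(host, "->", ", ".join(rules))
```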
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 155 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 156 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.
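As an added example (not code from the Malwarebytes post), the following Python turns the LNK and JS command lists above into detection logic over process-creation and file-write telemetry of the kind a sensor such as Sysmon records, and flags the chain rather than any single tool use. The Event shape, the sample events and the three-stage threshold are constructed assumptions; the technique IDs are the ones in the post's ATT&CK table.

```python
"""Detection logic for the LNK -> certutil -> expand -> wscript chain described
above. Added example, not code from the Malwarebytes post: the event shape is a
constructed, Sysmon-like record and every sample event below is constructed."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                    # "process" (like Sysmon EID 1) or "file" (like EID 11)
    image: str                   # created process (process) or writing process (file)
    cmdline: str = ""            # process events only
    parent_image: str = ""       # process events only
    original_filename: str = ""  # PE OriginalFileName if the sensor logs it, else ""
    target: str = ""             # file events only: path that was written


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _wildcard_copy(e: Event) -> bool:
    # LNK step 2: "copy *ertu*.exe gosia.exe" avoids spelling certutil on the
    # command line; copy is a cmd.exe builtin, so the event is cmd.exe itself.
    return (e.kind == "process" and _base(e.image) == "cmd.exe"
            and re.search(r"\bcopy\b[^&|]*\*\w*\*\.exe", e.cmdline, re.I) is not None)


def _renamed_certutil(e: Event) -> bool:
    # The copy keeps certutil's PE OriginalFileName even though it runs as gosia.exe.
    return (e.kind == "process" and e.original_filename.lower() == "certutil.exe"
            and _base(e.image) != "certutil.exe")


def _decode_tmp(e: Event) -> bool:
    # LNK step 4: "-decode" of a .tmp blob, whatever name certutil was copied to.
    return e.kind == "process" and re.search(r"\s-decode\s+\S*\.tmp\b", e.cmdline, re.I) is not None


def _expand_tmp(e: Event) -> bool:
    # LNK step 5: expand.exe -F:* <x>.tmp unpacks the CAB holding the JS and decoy PDF.
    return (e.kind == "process" and _base(e.image) == "expand.exe"
            and re.search(r"-F:\*\s+\S*\.tmp\b", e.cmdline, re.I) is not None)


def _script_from_public(e: Event) -> bool:
    # LNK step 7: wscript running the .js dropped into C:\Users\Public\Downloads.
    return (e.kind == "process" and _base(e.image) in ("wscript.exe", "cscript.exe")
            and re.search(r"c:\\users\\public\\.*\.(js|vbs|wsf)\b", e.cmdline, re.I) is not None)


def _startup_folder_exe(e: Event) -> bool:
    # JS step 3: loader written into the Startup folder as officeupdate.exe (T1060).
    return (e.kind == "file" and _base(e.image) in ("wscript.exe", "cscript.exe")
            and re.search(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", e.target, re.I) is not None)


# (stage, ATT&CK technique as listed in the post's table, predicate)
RULES = [
    ("wildcard_copy_of_system_binary", "T1059", _wildcard_copy),
    ("renamed_certutil", "T1140", _renamed_certutil),
    ("certutil_decode_tmp", "T1140", _decode_tmp),
    ("expand_cab_from_tmp", "T1140", _expand_tmp),
    ("script_host_from_public_dir", "T1064", _script_from_public),
    ("exe_written_to_startup", "T1060", _startup_folder_exe),
]


def analyze(events):
    """Return (hits, chain): hits is a list of (stage, technique, event index);
    chain is True once three or more distinct stages appear in the batch. A lone
    certutil -decode or expand.exe is routine admin work; the combination is
    the signal. The threshold of three is a constructed choice, not the post's."""
    hits = [(stage, tech, i) for i, e in enumerate(events)
            for stage, tech, pred in RULES if pred(e)]
    return hits, len({stage for stage, _, _ in hits}) >= 3


# Constructed telemetry mirroring the post's command lists; not captured data.
SAMPLE = [
    Event("process", r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"cmd /c copy C:\Windows\System32\*ertu*.exe C:\Users\u\AppData\Local\Temp\gosia.exe"),
    Event("process", r"C:\Users\u\AppData\Local\Temp\gosia.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp", original_filename="CertUtil.exe"),
    Event("process", r"C:\Windows\System32\expand.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"expand.exe -F:* o423DFDS4.tmp C:\Users\u\AppData\Local\Temp"),
    Event("process", r"C:\Windows\System32\wscript.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"),
    Event("file", r"C:\Windows\System32\wscript.exe",
          target=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"),
]
# Benign use of the same tools: certutil under its own name decoding a .b64 file.
BENIGN = [
    Event("process", r"C:\Windows\System32\certutil.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"certutil -decode server.b64 server.cer", original_filename="CertUtil.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"cmd /c copy report.docx D:\backup\report.docx"),
]
```

The decode rule keys on the .tmp argument rather than the image name, so the March variant's "mosia.exe" is caught the same way as "gosia.exe" even when the sensor does not log OriginalFileName.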
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 211 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 212 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 213 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe". The source is referenced with the wildcard "*ertu*.exe", so the string "certutil" never appears on the command line; this is used to bypass security detection.
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (i.e. certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the certutil.exe copy, which in this new case is "gosia.exe", while in the March campaign it was "mosia.exe". Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the startup directory and rename it "officeupdate.exe".
4. Add "officeupdate.exe" to scheduled tasks.
5. Send a POST request to a hardcoded URL with "d3reEW.exe" as data.
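To reproduce the first half of the LNK command list offline, here is an added Python example (not code from the post, and not Malwarebytes' or Higaisa's tooling). It carves the base64 blob out of a shortcut the way the findstr step does, decodes it the way certutil -decode does, and lists and extracts the files from the resulting CAB the way expand.exe -F:* would, using a small MS-CAB parser for the stored (uncompressed) case. The LNK header bytes, the CAB builder and the three file contents are constructed for the demo; the real sample's CAB compression type and findstr pattern are not given in the post, so compressed folders (MSZIP, LZX) are left to expand.exe or cabextract.

```python
import base64
import re
import struct

# Constructed 76-byte ShellLink header (HeaderSize 0x4C + the LNK CLSID); not a real sample.
FAKE_LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046") + b"\x00" * 56
# Constructed stand-ins for the files the real CAB carries; contents are placeholders, not the payloads.
SAMPLE_FILES = {
    "66DF3DFG.tmp": b"\x90" * 16,
    "34fDKfSD38.js": b"WScript.Echo(1);",
    "decoy.pdf": b"%PDF-1.4\n%decoy\n",
}
B64_LINE = re.compile(rb"[A-Za-z0-9+/=]{4,}")


def make_cab(files):
    """Build a minimal single-folder CAB with typeCompress=0 (stored), following the MS-CAB layout."""
    names, folder_data = list(files), b"".join(files.values())
    cffile, off = b"", 0
    for n in names:  # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName\0
        cffile += struct.pack("<IIHHHH", len(files[n]), off, 0, 0x50A1, 0, 0x20) + n.encode() + b"\x00"
        off += len(files[n])
    coff_files = 36 + 8                                   # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(folder_data), len(folder_data)) + folder_data  # csum 0 = unchecked
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, coff_data + len(cfdata), 0,
                         coff_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_data, 1, 0) + cffile + cfdata


def build_sample_lnk():
    """Shortcut bytes followed by the base64 blob, the layout findstr and certutil operate on."""
    return FAKE_LNK_HEADER + b"\r\n" + base64.encodebytes(make_cab(SAMPLE_FILES))


def carve_base64(blob, min_len=64):
    """findstr stand-in: keep the longest run of consecutive base64-only lines, then decode it."""
    runs, cur = [], []
    for line in blob.split(b"\n"):
        line = line.strip(b"\r")
        if line.startswith(b"-----"):          # certutil also accepts PEM-style armor lines
            continue
        if B64_LINE.fullmatch(line) and len(line) % 4 == 0:
            cur.append(line)
        elif cur:
            runs.append(cur)
            cur = []
    if cur:
        runs.append(cur)
    joined = b"".join(max(runs, key=lambda r: sum(map(len, r)), default=[]))
    return base64.b64decode(joined, validate=True) if len(joined) >= min_len else b""


def parse_cab(cab):
    """expand.exe stand-in: list and extract files from a stored (uncompressed) CAB."""
    sig, _, _, _, coff_files, _, _, _, c_folders, c_files, flags, _, _ = struct.unpack_from("<4sIIIIIBBHHHHH", cab, 0)
    if sig != b"MSCF":
        raise ValueError("not a CAB (no MSCF signature)")
    if flags & 0x3:
        raise NotImplementedError("multi-cabinet sets are not handled")
    pos, cb_cffolder, cb_cfdata = 36, 0, 0
    if flags & 0x4:                            # cfhdrRESERVE_PRESENT: per-structure reserve bytes
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", cab, pos)
        pos += 4 + cb_cfheader
    folders = []
    for _ in range(c_folders):                 # CFFOLDER: coffCabStart, cCFData, typeCompress
        folders.append(struct.unpack_from("<IHH", cab, pos))
        pos += 8 + cb_cffolder
    entries, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _, _, _ = struct.unpack_from("<IIHHHH", cab, pos)
        end = cab.index(b"\x00", pos + 16)
        entries.append((cab[pos + 16:end].decode("ascii", "replace"), cb_file, uoff, i_folder))
        pos = end + 1
    bufs = []
    for coff_start, c_cfdata, type_compress in folders:
        if type_compress & 0xF:                # 1 = MSZIP, 3 = LZX: hand those to expand.exe or cabextract
            raise NotImplementedError("compressed folder; only typeCompress=0 is handled")
        buf, pos = bytearray(), coff_start
        for _ in range(c_cfdata):              # CFDATA: csum, cbData, cbUncomp, [reserve], data
            _, cb_data, _ = struct.unpack_from("<IHH", cab, pos)
            pos += 8 + cb_cfdata
            buf += cab[pos:pos + cb_data]
            pos += cb_data
        bufs.append(bytes(buf))
    return [(name, bufs[i][uoff:uoff + cb]) for name, cb, uoff, i in entries]


def triage_lnk(lnk_bytes):
    """Run the findstr -> certutil -decode -> expand chain offline and report what would be dropped."""
    report = {"is_lnk": lnk_bytes[:4] == b"\x4c\x00\x00\x00", "container": "none", "files": []}
    payload = carve_base64(lnk_bytes)
    if payload.startswith(b"MSCF"):
        report["container"], report["files"] = "CAB", parse_cab(payload)
    elif payload:
        report["container"] = "PE" if payload.startswith(b"MZ") else "unknown"
    return report
```

Running triage_lnk(build_sample_lnk()) on the constructed shortcut reports a CAB container and the three embedded names with their contents, without any of the living-off-the-land binaries ever executing; on a real sample the same function gives you the dropped file names and the decoy before detonation, and a NotImplementedError tells you the folder is compressed and needs expand.exe or cabextract.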
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp". This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server. At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. Here every stage before svchast.exe is carried out by signed Windows binaries (cmd.exe, findstr.exe, certutil.exe, expand.exe, wscript.exe), and certutil runs under the copied name "gosia.exe", so detection rules keyed on the image name certutil.exe miss the decode step. We reproduced this attack in our lab using email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
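As an added example (not from the post), the following Python sketch runs a handful of rules over constructed Sysmon Event ID 1 (process create) records that mirror the chain described above, and scores hits per process tree rather than per event, since no single step is unusual on its own. Because the copy-and-rename trick defeats image-name matching, the certutil rules key on the OriginalFileName field that Sysmon takes from the PE version resource. The events, process IDs and command lines are constructed (the real LNK's exact argument string is not reproduced here), and the set of archiver names is an assumption.

```python
import re

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}   # assumed list of archive GUIs
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased image name without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


# Each predicate sees one process-create record. OriginalFileName comes from the PE version
# resource, so it still reads CertUtil.exe after the binary has been copied to gosia.exe.
RULES = {
    "cmd_spawned_by_archiver": lambda e: basename(e["Image"]) == "cmd.exe"
        and basename(e["ParentImage"]) in ARCHIVERS,
    "certutil_copied_via_wildcard": lambda e: re.search(r"\*ertu\*\.exe", e["CommandLine"], re.I) is not None,
    "renamed_certutil": lambda e: e["OriginalFileName"].lower() == "certutil.exe"
        and basename(e["Image"]) != "certutil.exe",
    "certutil_decode": lambda e: e["OriginalFileName"].lower() == "certutil.exe"
        and re.search(r"\s-decode\b", e["CommandLine"], re.I) is not None,
    "expand_wildcard_extract": lambda e: basename(e["Image"]) == "expand.exe"
        and re.search(r"-f:\*", e["CommandLine"], re.I) is not None,
    "script_host_from_public_downloads": lambda e: basename(e["Image"]) in SCRIPT_HOSTS
        and "\\users\\public\\downloads\\" in e["CommandLine"].lower(),
}

# Constructed Sysmon-style records (not real telemetry) following the steps the post lists.
TMP = r"C:\Users\victim\AppData\Local\Temp"
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 50, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "CV_Colliers.rar"'},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy /y C:\Windows\System32\*ertu*.exe " + TMP + r"\gosia.exe & " + TMP + r"\gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": TMP + r"\gosia.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"ProcessId": 202, "ParentProcessId": 200, "Image": r"C:\Windows\System32\expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe o423DFDS4.tmp -F:* " + TMP},
    {"ProcessId": 203, "ParentProcessId": 200, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    # benign activity that a naive certutil or wscript rule would flag
    {"ProcessId": 300, "ParentProcessId": 250, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": r"certutil.exe -hashfile C:\Downloads\image.iso SHA256"},
    {"ProcessId": 301, "ParentProcessId": 60, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Scripts\logon.vbs"'},
]


def match_event(event):
    """Names of the rules a single record triggers."""
    return sorted(name for name, pred in RULES.items() if pred(event))


def chain_root(pid, by_pid):
    """Walk ParentProcessId links up to the oldest process we hold a record for."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ParentProcessId"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return pid


def detect_chains(events, min_distinct_rules=3):
    """Aggregate hits per process tree; several distinct LOLBin steps under one root is the signal."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = {}
    for e in events:
        for rule in match_event(e):
            hits.setdefault(chain_root(e["ProcessId"], by_pid), set()).add(rule)
    return {root: sorted(rules) for root, rules in hits.items() if len(rules) >= min_distinct_rules}
```

On the constructed records, detect_chains(EVENTS) returns only the WinRAR-rooted tree (pid 100) with all six rules, while the administrator's certutil -hashfile and the logon script trigger nothing. The per-tree threshold is what keeps the renamed-certutil and wildcard rules usable in production: each is cheap to match, and requiring three distinct steps under one root removes most single-event noise.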
IOCs (SHA-256)

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

All three are subdomains of shared hosting services, so block and hunt on the full hostnames rather than on the parent domains.

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 225 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 226 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 227 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 228 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 229 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 230 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 231 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 232 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 233 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 234 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 235 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 236 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 237 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 238 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 239 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 240 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 241 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 242 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 243 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 244 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 245 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 246 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 247 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 248 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 249 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 250 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
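Each step of the command sequence above leaves a distinct trace in process-creation telemetry, and the renamed certutil copy is the weakest link for the attacker: the PE version resource still carries the original file name, which Sysmon exposes as OriginalFileName. The following is an added example, not code from the Malwarebytes post, that encodes those traces as rules over Sysmon-style Event ID 1 records and tags each finding with the ATT&CK IDs the post's table uses. The field names follow Sysmon; the events and their values are constructed to mirror the post's description, and the archiver list is limited to WinRAR because that is the parent the post names.

```python
"""Flag the LNK-stage behaviours in process-creation telemetry.

Added example for this write-up, not Malwarebytes code. Events are constructed
Sysmon Event ID 1 style records (Image, OriginalFileName, ParentImage, CommandLine).
"""
import ntpath
import re

ARCHIVERS = {"winrar.exe"}  # parent named in the post; extend for your environment
WILDCARD_SYS32_RE = re.compile(r'system32\\[^\s"]*\*[^\s"]*\.exe', re.I)


def base(path: str) -> str:
    return ntpath.basename(path or "").lower()


def cmd_spawned_by_archiver(ev):
    # The LNK's command string is handed to cmd.exe while the archive is still open in WinRAR.
    return base(ev.get("Image")) == "cmd.exe" and base(ev.get("ParentImage")) in ARCHIVERS


def renamed_certutil(ev):
    # A copy of certutil.exe keeps 'CertUtil.exe' in its version resource whatever it is called on disk.
    return ev.get("OriginalFileName", "").lower() == "certutil.exe" and base(ev.get("Image")) != "certutil.exe"


def wildcard_system32_reference(ev):
    # '...\System32\*ertu*.exe': a wildcard that names a system binary without spelling it out.
    return WILDCARD_SYS32_RE.search(ev.get("CommandLine", "")) is not None


def decode_to_tmp(ev):
    cl = ev.get("CommandLine", "")
    return re.search(r"-decode\b", cl, re.I) is not None and ".tmp" in cl.lower()


def expand_tmp_cab(ev):
    cl = ev.get("CommandLine", "")
    return base(ev.get("Image")) == "expand.exe" and re.search(r"-F:\*", cl, re.I) is not None and ".tmp" in cl.lower()


def script_from_public(ev):
    return base(ev.get("Image")) in ("wscript.exe", "cscript.exe") and "\\users\\public\\" in ev.get("CommandLine", "").lower()


RULES = [  # (ATT&CK ID as used in the post's table, description, predicate)
    ("T1059", "cmd.exe spawned by an archiver", cmd_spawned_by_archiver),
    ("T1140", "certutil executed under another file name", renamed_certutil),
    ("T1140", "wildcard reference to a System32 binary", wildcard_system32_reference),
    ("T1140", "certutil -decode writing a .tmp file", decode_to_tmp),
    ("T1140", "expand.exe -F:* unpacking a .tmp CAB", expand_tmp_cab),
    ("T1064", "script host running a script from C:\\Users\\Public", script_from_public),
]


def evaluate(events):
    """Return (ProcessId, technique, description) for every rule each event trips."""
    return [(ev["ProcessId"], tid, desc) for ev in events for tid, desc, pred in RULES if pred(ev)]


SAMPLE_EVENTS = [  # constructed; paths and PIDs are invented
    {"ProcessId": 4100, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "CommandLine": "cmd /c copy C:\\Windows\\System32\\*ertu*.exe %TEMP%\\gosia.exe"},
    {"ProcessId": 4112, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\expand.exe", "OriginalFileName": "expand.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "expand.exe o423DFDS4.tmp -F:* C:\\Users\\u\\AppData\\Local\\Temp"},
    {"ProcessId": 4130, "Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wscript C:\\Users\\Public\\Downloads\\34fDKfSD38.js"},
    {"ProcessId": 4140, "Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -verify server.cer"},  # legitimate use: real name, no -decode
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The last sample event is a legitimate certutil invocation and trips nothing, which is the point of keying the first rule on OriginalFileName rather than on the image name alone.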
JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.
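The persistence step above combines two artifacts that are individually noisy but rarely coincide in legitimate software: an executable written into a user's Startup folder by a script host, and a scheduled task whose action runs from a user-writable path under a vendor-sounding name. The following is an added example, not code from the Malwarebytes post, that checks constructed file-creation and task-registration events for exactly that combination and tags findings with the post's T1060 and T1053 IDs. Field names loosely follow Sysmon Event ID 11 and the Task Scheduler operational log; the events, paths and task names are invented.

```python
"""Spot Startup-folder persistence registered as a scheduled task under a lookalike name.

Added example for this write-up, not Malwarebytes code. Events are constructed:
type 'file_create' (Image, TargetFilename) and type 'task_registered' (TaskName, Action).
"""
import ntpath
import re

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users\\Public|AppData\\Local\\Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Names that borrow a trusted vendor's vocabulary; genuine updaters live under Program Files.
LOOKALIKE_RE = re.compile(r"^(office|windows|adobe|google)?update[a-z]*\.exe$", re.I)


def startup_write_by_script_host(ev):
    """An .exe dropped into a Startup folder by a script interpreter or shell."""
    if ev["type"] != "file_create" or not STARTUP_RE.search(ev["TargetFilename"]):
        return False
    return ntpath.basename(ev["Image"]).lower() in SCRIPT_HOSTS and ev["TargetFilename"].lower().endswith(".exe")


def task_runs_from_user_path(ev):
    """A scheduled task whose action lives in Startup, Public, Temp or ProgramData."""
    if ev["type"] != "task_registered":
        return False
    return bool(STARTUP_RE.search(ev["Action"]) or USER_WRITABLE_RE.search(ev["Action"]))


def lookalike_outside_program_files(path):
    """'officeupdate.exe'-style name that is not installed where a real updater would be."""
    return bool(LOOKALIKE_RE.match(ntpath.basename(path))) and "\\program files" not in path.lower()


def evaluate(events):
    """Return (technique-or-tag, actor, path) for each suspicious artifact."""
    findings = []
    for ev in events:
        path = ev.get("TargetFilename") or ev.get("Action") or ""
        if startup_write_by_script_host(ev):
            findings.append(("T1060", ev["Image"], path))
        if task_runs_from_user_path(ev):
            findings.append(("T1053", ev["TaskName"], path))
        if lookalike_outside_program_files(path):
            findings.append(("lookalike-name", ev.get("Image") or ev.get("TaskName"), path))
    return findings


STARTUP = "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [  # constructed
    {"type": "file_create", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": STARTUP + "officeupdate.exe"},
    {"type": "task_registered", "TaskName": "\\OfficeUpdate", "Action": STARTUP + "officeupdate.exe"},
    {"type": "file_create", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\update.exe"},  # legitimate installer
    {"type": "task_registered", "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "Action": "C:\\Windows\\System32\\usoclient.exe StartScan"},  # legitimate Windows task
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The two legitimate events trip nothing: the vendor installer writes its update.exe under Program Files, and the Windows task runs from System32. Correlating the T1060 and T1053 hits on the same path is what turns two weak signals into one confident alert.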
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file.
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 309 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 310 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

"CV_Colliers.rar"
"Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe" (the wildcard "*ertu*.exe" is used instead of the literal name to bypass security detection).
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is "gosia.exe", while in the March campaign the name was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the startup directory and rename it "officeupdate.exe".
4. Add "officeupdate.exe" to the scheduled tasks.
5. Send a POST request to a hardcoded URL with "d3reEW.exe" as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp". In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

Archives: CV_Colliers.rar; Project link and New copyright policy.rar

LNK files: Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk (two samples); International English Language Testing System certificate.pdf.lnk; Tokbox icon – Odds and Ends – iOS – Zeplin.lnk; Conversations – iOS – Swipe Icons – Zeplin.lnk

C2 domains (ipconfig exfiltration): sixindent[.]epizy[.]com; goodhk[.]azurewebsites[.]net; zeplin[.]atwebpages[.]com

C2s used by svchast.exe: 45.76.6[.]149; www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 362 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 363 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 364 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 365 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 366 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 367 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 368 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 369 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 370 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 371 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 372 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 373 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 374 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 375 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 376 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
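The final payload could not be characterised because the server was down, but every stage before it (cmd.exe from WinRAR, certutil copied through a wildcard, the renamed copy decoding base64, expand.exe unpacking the CAB, wscript running a JS file from Public\Downloads, a scheduled task aimed at the Startup folder) leaves a process-creation event. As an added example that is not part of the Malwarebytes post, the Python below runs rules mirroring those ATT&CK rows over constructed Sysmon-style events and correlates the hits through the process tree; the pids, paths and event format are invented for the example.

```python
import json
import ntpath
import re

# Constructed Sysmon-style process-creation events (invented for this
# example, not telemetry from the Malwarebytes analysis). They mirror the
# stages the post describes: cmd.exe launched from WinRAR, certutil copied
# through a "*ertu*.exe" wildcard, the renamed copy decoding base64,
# expand.exe unpacking the CAB, wscript running the JS dropper from
# C:\Users\Public\Downloads and a scheduled task pointing at the Startup
# folder. The last event is a benign certutil call that must not fire.
SAMPLE_EVENTS = r"""
{"pid": 4101, "ppid": 3990, "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "cmd /c copy /y C:\\Windows\\System32\\*ertu*.exe %APPDATA%\\gosia.exe"}
{"pid": 4102, "ppid": 4101, "image": "C:\\Users\\victim\\AppData\\Roaming\\gosia.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"}
{"pid": 4103, "ppid": 4101, "image": "C:\\Windows\\System32\\expand.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "expand.exe o423DFDS4.tmp -F:* %TEMP%"}
{"pid": 4104, "ppid": 4101, "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "wscript.exe C:\\Users\\Public\\Downloads\\34fDKfSD38.js"}
{"pid": 4105, "ppid": 4104, "image": "C:\\Windows\\System32\\schtasks.exe", "parent": "C:\\Windows\\System32\\wscript.exe", "cmdline": "schtasks /create /tn officeupdate /tr \"C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\officeupdate.exe\" /sc minute"}
{"pid": 5200, "ppid": 5100, "image": "C:\\Windows\\System32\\certutil.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "certutil.exe -hashfile C:\\Users\\victim\\Downloads\\setup.msi SHA256"}
"""

# "copy ... \*ertu*.exe": a wildcard source that resolves to a System32 binary
# without the binary's name ever appearing on the command line.
_WILDCARD_COPY = re.compile(r"\bcopy\b.*\\\*[^\\\s]*\*\.exe", re.I)


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


# (technique id from the post's ATT&CK table, description, predicate)
RULES = [
    ("T1059", "cmd.exe spawned by an archive tool (LNK run from inside WinRAR)",
     lambda e: _base(e["image"]) == "cmd.exe" and _base(e.get("parent", "")) == "winrar.exe"),
    ("T1140", "certutil copied through a '*ertu*.exe' wildcard to dodge name-based detection",
     lambda e: _WILDCARD_COPY.search(e["cmdline"]) is not None),
    # A richer feed would compare Sysmon's OriginalFileName instead of the
    # on-disk name; here the renamed copy is caught by the -decode switch alone.
    ("T1140", "'-decode' run by a binary not named certutil.exe (renamed copy decoding base64)",
     lambda e: "-decode" in e["cmdline"].lower().split() and _base(e["image"]) != "certutil.exe"),
    ("T1140", "expand.exe -F:* unpacking a CAB from a temp file",
     lambda e: _base(e["image"]) == "expand.exe" and "-f:*" in e["cmdline"].lower()),
    ("T1064", "wscript/cscript executing a .js from C:\\Users\\Public",
     lambda e: _base(e["image"]) in ("wscript.exe", "cscript.exe")
     and re.search(r"\\users\\public\\.*\.js\b", e["cmdline"], re.I) is not None),
    ("T1053", "schtasks /create whose action lives in a Startup folder (also T1060)",
     lambda e: _base(e["image"]) == "schtasks.exe" and "/create" in e["cmdline"].lower()
     and "\\startup\\" in e["cmdline"].lower()),
]


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Apply every rule to every event; one hit per (event, rule) match."""
    hits = []
    for e in events:
        for technique, reason, check in RULES:
            if check(e):
                hits.append({"pid": e["pid"], "technique": technique, "reason": reason})
    return hits


def chain_matched(events, hits, min_stages=3):
    """Group hits by the root of their process tree and return the root pid whose
    subtree shows at least min_stages distinct stages of the chain, else None.
    Isolated single-rule hits (one odd expand.exe call) therefore do not alert."""
    parent_of = {e["pid"]: e["ppid"] for e in events}

    def root(pid):
        # Walk up only while the parent was itself observed in the feed.
        while parent_of.get(pid) in parent_of:
            pid = parent_of[pid]
        return pid

    by_root = {}
    for h in hits:
        by_root.setdefault(root(h["pid"]), set()).add(h["reason"])
    root_pid, stages = max(by_root.items(), key=lambda kv: len(kv[1]), default=(None, set()))
    return root_pid if len(stages) >= min_stages else None


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    found = detect(evts)
    for h in found:
        print(f"pid {h['pid']}: {h['technique']} - {h['reason']}")
    print("chain root pid:", chain_matched(evts, found))
```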
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 410 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 411 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 412 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 413 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 414 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 415 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 416 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 417 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 418 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 419 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 420 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 421 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 422 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 423 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 424 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 425 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 426 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 427 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 428 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 429 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 430 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 431 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 432 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 433 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 434 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 435 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 436 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 437 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 438 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 439 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 440 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 441 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 442 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 443 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 444 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 445 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 446 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 447 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 448 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 449 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 450 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 451 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy content of “certutil.exe” into “gosia.exe” (the wildcard pattern “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
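The LNK and JS command chains above leave a very characteristic process-creation trail: a renamed copy of certutil.exe invoked with -decode, expand.exe -F:* unpacking a .tmp from a temp directory, wscript.exe running a .js out of C:\Users\Public\Downloads, and a scheduled task pointing at an executable in the Startup folder. The following Python is an added detection example written for this page, not code from the Malwarebytes post or from Malwarebytes tooling. It runs four rules over constructed process-creation events modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage). The victim paths, the benign events and the schtasks command line are assumptions made for the sample; only the dropped file names come from the post.

```python
"""Detection logic for the LNK-driven command chain described in the post.

Added example, not code from the Malwarebytes post. It runs over a handful
of constructed process-creation events shaped like Sysmon Event ID 1 fields;
the paths and benign events are invented, only the file names are the post's.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str               # full path of the started process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def is_renamed_certutil_decode(ev: ProcEvent) -> bool:
    """certutil copied under another name (gosia.exe / mosia.exe) and run with
    -decode. The version resource still says CertUtil.exe, so compare it with
    the on-disk file name instead of trusting the name alone."""
    cmd = ev.command_line.lower()
    return (ev.original_file_name.lower() == "certutil.exe"
            and _base(ev.image) != "certutil.exe"
            and "-decode" in cmd)


def is_expand_from_temp(ev: ProcEvent) -> bool:
    """expand.exe -F:* unpacking a CAB that lives in a temp directory as .tmp."""
    cmd = ev.command_line.lower()
    return (_base(ev.image) == "expand.exe"
            and "-f:*" in cmd
            and "\\temp\\" in cmd and ".tmp" in cmd)


def is_wscript_public_downloads(ev: ProcEvent) -> bool:
    """wscript.exe running a .js script out of C:\\Users\\Public\\Downloads."""
    cmd = ev.command_line.lower()
    return (_base(ev.image) == "wscript.exe"
            and ".js" in cmd
            and "\\users\\public\\downloads\\" in cmd)


def is_task_for_startup_binary(ev: ProcEvent) -> bool:
    """schtasks /create pointing at an executable inside a Startup folder.
    The post says the JS adds officeupdate.exe to scheduled tasks; that it
    does so through schtasks.exe is an assumption made for this sample."""
    cmd = ev.command_line.lower()
    return (_base(ev.image) == "schtasks.exe"
            and "/create" in cmd
            and "\\start menu\\programs\\startup\\" in cmd)


RULES = {
    "renamed_certutil_decode": is_renamed_certutil_decode,
    "expand_cab_from_temp": is_expand_from_temp,
    "wscript_public_downloads": is_wscript_public_downloads,
    "schtasks_startup_binary": is_task_for_startup_binary,
}


def detect(events):
    """Return (rule_name, event) pairs for every rule that fires, in log order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


# Constructed sample events (not real telemetry), modelled on the chain in the post.
TMP = r"C:\Users\victim\AppData\Local\Temp"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              "cmd /c ipconfig", r"C:\Windows\explorer.exe"),
    ProcEvent(TMP + r"\gosia.exe", "CertUtil.exe",
              f'"{TMP}\\gosia.exe" -decode {TMP}\\cSi1rouy4.tmp {TMP}\\o423DFDS4.tmp',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",   # benign use
              "certutil -verify server.cer", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe", "expand.exe",
              f"expand.exe -F:* {TMP}\\o423DFDS4.tmp {TMP}",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", "wscript.exe",
              r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              f'schtasks /create /sc minute /mo 1 /tn OfficeUpdate /tr "{STARTUP}\\officeupdate.exe"',
              r"C:\Windows\System32\wscript.exe"),
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev.command_line}")
```

The first rule is the one worth generalising: comparing OriginalFileName against the on-disk image name catches any renamed LOLBin, not just this campaign's gosia.exe and mosia.exe, so the rename the actors rely on to evade name-based detection becomes the indicator.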
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Execution
T1059 Command-Line Interface: Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
T1106 Execution through API: Application (AcroRd32.exe) launched itself
T1053 Scheduled Task: Loads the Task Scheduler DLL interface (Officeupdate.exe)
T1064 Scripting: Executes scripts (34fDFkfSD38.js)
T1204 User Execution: Manual execution by user (opening LNK file)

Persistence
T1060 Registry Run Keys / Startup Folder: Writes to a start menu file (Officeupdate.exe)
T1053 Scheduled Task: Uses Task Scheduler to run other applications (Officeupdate.exe)

Privilege Escalation
T1053 Scheduled Task: Uses Task Scheduler to run other applications (Officeupdate.exe)

Defense Evasion
T1064 Scripting: Executes scripts (34fDFkfSD38.js)
T1140 Deobfuscate/Decode Files or Information: certutil to decode Base64 binaries, expand.exe to decompress a CAB file

Discovery
T1012 Query Registry: Reads the machine GUID from the registry
T1082 System Information Discovery: Reads the machine GUID from the registry
T1016 System Network Configuration Discovery: Uses IPCONFIG.EXE to discover IP address
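To put the IOC list above to use, here is an added Python example (written for this page, not Malwarebytes tooling) that refangs the defanged network indicators, sweeps a directory for files whose SHA-256 is on the list, and matches the listed domains and IP against DNS or proxy log lines. The hashes and network indicators are the ones listed above; the sample file in sweep_selfcheck() and the log lines in the usage section are constructed.

```python
"""IOC sweep helpers for the indicators listed in the post.

Added example, not Malwarebytes tooling. The hashes and network indicators
are copied from the post's IOC section; the temp file written by
sweep_selfcheck() is constructed and matches none of them.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 -> file name, from the post's IOC section.
FILE_HASHES = {
    "df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d": "CV_Colliers.rar",
    "c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04": "Project link and New copyright policy.rar",
    "50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9": "Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk",
    "1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81": "Tokbox icon - Odds and Ends - iOS - Zeplin.lnk",
    "c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b": "International English Language Testing System certificate.pdf.lnk",
    "dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6": "Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk",
    "c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5": "Conversations - iOS - Swipe Icons - Zeplin.lnk",
}

# Defanged exactly as published, so they can be pasted from the post.
DEFANGED_NETWORK_IOCS = [
    "sixindent[.]epizy[.]com",
    "goodhk[.]azurewebsites[.]net",
    "zeplin[.]atwebpages[.]com",
    "45.76.6[.]149",
    "www.comcleanner[.]info",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable domain/IP string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


NETWORK_IOCS = {refang(i) for i in DEFANGED_NETWORK_IOCS}


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root: str, hashes=FILE_HASHES):
    """Return [(path, sha256, ioc_name)] for files whose digest is on the list."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in hashes:
                matches.append((path, digest, hashes[digest]))
    return matches


# A domain (labels + TLD) or a dotted-quad IPv4 address.
_DOMAIN_OR_IP = re.compile(
    r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})\b", re.I)


def match_network_log(lines, iocs=NETWORK_IOCS):
    """Return (line_no, indicator) for log lines mentioning a listed domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _DOMAIN_OR_IP.findall(line):
            if token.lower() in iocs:
                hits.append((n, token.lower()))
    return hits


def sweep_selfcheck():
    """Constructed check: one temp file, first scanned against the post's
    hashes (no match expected), then against a list holding its own digest."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample content, not a real artifact")
        before = len(sweep_directory(d))
        after = len(sweep_directory(d, {sha256_file(path): "sample.bin"}))
    return before, after


if __name__ == "__main__":
    # Constructed DNS/proxy log lines, not real traffic.
    log = [
        "2020-05-29 10:00:01 client=10.0.0.5 query=sixindent.epizy.com type=A",
        "2020-05-29 10:00:02 client=10.0.0.5 query=www.example.com type=A",
        "2020-05-29 10:00:03 client=10.0.0.7 dst=45.76.6.149:443 proto=tcp",
    ]
    print(match_network_log(log))
```

The refang step is the one people get wrong when copying indicators from a write-up: a blocklist entry that still contains "[.]" never matches anything, so normalise once at load time and compare lower-cased tokens.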
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 509 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 510 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 511 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 512 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 513 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 514 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 515 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 516 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 517 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 518 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 519 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 520 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 521 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 522 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 523 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 524 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 525 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 526 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 527 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 528 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 529 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 530 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 531 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 532 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
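The LNK and JS command chains described above leave a handful of process-creation signals a defender can hunt for: certutil running under another name, a wildcard copy of an executable, a base64 decode and CAB expansion of .tmp files, wscript launching a script from C:\Users\Public\Downloads, and a binary running from the Startup folder. The following is an added example, not code from the post or from Malwarebytes: Python detection rules run over constructed Sysmon-style events. The event fields, the rule names, the placeholder user name "victim" and the findstr marker MARKER_PLACEHOLDER are assumptions, and the wildcard rule generalizes from “*ertu*.exe” to any executable copied via a wildcard.

```python
"""
Added example, not code from the Malwarebytes post: detection rules for the
LNK -> JS execution chain described above, run over constructed
process-creation events.

Field names (image, command_line, parent_image, original_file_name) mirror the
Sysmon Event ID 1 fields of the same name. All events below are constructed
for this example; user names and paths are placeholders, not incident data.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    image: str                    # full path of the started process
    command_line: str
    parent_image: str = ""
    original_file_name: str = ""  # name from the PE version resource; survives renaming


COPY_CMD = re.compile(r"\b(copy|xcopy)\b")
WILDCARD_EXE = re.compile(r"\S*\*\S*\.exe\b")  # e.g. *ertu*.exe, never the real name
PUBLIC_DOWNLOADS = r"c:\users\public\downloads"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def check_event(ev: ProcEvent) -> List[str]:
    """Return the names of the rules a single event matches (empty if none)."""
    img = ntpath.basename(ev.image).lower()
    cmd = ev.command_line.lower()
    hits = []

    # T1140: certutil running under another name (gosia.exe / mosia.exe in the
    # two campaigns). OriginalFileName comes from the binary, not from its path.
    if ev.original_file_name.lower() == "certutil.exe" and img != "certutil.exe":
        hits.append("renamed_certutil")
    # certutil-style base64 decode of a .tmp file, whatever the binary is called
    if "-decode" in cmd and ".tmp" in cmd:
        hits.append("base64_decode_tmp")
    # an executable copied via a wildcard, which hides the name certutil.exe
    if COPY_CMD.search(cmd) and WILDCARD_EXE.search(cmd):
        hits.append("wildcard_exe_copy")
    # findstr reading a .tmp file: carving the embedded blob out of the copied LNK
    if img == "findstr.exe" and ".tmp" in cmd:
        hits.append("findstr_on_tmp")
    # T1140: expand.exe unpacking a CAB stored in a .tmp file
    if img == "expand.exe" and "-f:" in cmd and ".tmp" in cmd:
        hits.append("expand_cab_from_tmp")
    # T1064/T1059: wscript running a .js dropped into C:\Users\Public\Downloads
    if img in ("wscript.exe", "cscript.exe") and PUBLIC_DOWNLOADS in cmd and ".js" in cmd:
        hits.append("wscript_public_downloads")
    # T1060: binary launched from the Start Menu Startup folder (officeupdate.exe)
    if STARTUP_DIR in ev.image.lower():
        hits.append("startup_folder_exe")
    return hits


CHAIN_STAGES = {"base64_decode_tmp", "expand_cab_from_tmp", "wscript_public_downloads"}


def triage(events: List[ProcEvent]) -> Tuple[Dict[str, List[ProcEvent]], bool]:
    """Group events by matched rule; report the chain as present when the decode,
    unpack and script-launch stages all occur, which is far stronger evidence
    than any single rule (admins do run certutil -decode and expand.exe)."""
    by_rule: Dict[str, List[ProcEvent]] = {}
    for ev in events:
        for rule in check_event(ev):
            by_rule.setdefault(rule, []).append(ev)
    return by_rule, CHAIN_STAGES.issubset(by_rule)


# Constructed events shaped like the chain in the post ("victim" is a placeholder).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
CHAIN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              rf"cmd /c copy C:\Windows\System32\*ertu*.exe {TEMP}\gosia.exe"),
    ProcEvent(r"C:\Windows\System32\findstr.exe",
              rf"findstr /b MARKER_PLACEHOLDER {TEMP}\g4ZokyumB2DC4.tmp"),
    ProcEvent(rf"{TEMP}\gosia.exe",
              rf"gosia.exe -decode {TEMP}\cSi1rouy4.tmp {TEMP}\o423DFDS4.tmp",
              original_file_name="CertUtil.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe",
              rf"expand.exe -F:* {TEMP}\o423DFDS4.tmp {TEMP}"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"),
    ProcEvent(r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu"
              r"\Programs\Startup\officeupdate.exe", "officeupdate.exe"),
]
# Constructed benign admin activity that must not trip the chain verdict.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\certs\server.b64 C:\certs\server.cer",
              original_file_name="CertUtil.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe",
              r"expand.exe -F:* C:\updates\kb.cab C:\updates\out"),
]

if __name__ == "__main__":
    for name, evs in (("chain", CHAIN_EVENTS), ("benign", BENIGN_EVENTS)):
        rules, chain = triage(evs)
        print(f"{name}: chain={chain} rules={sorted(rules)}")
```

The single-event rules are deliberately loose; the chain verdict in triage() is what should page an analyst, with the individual hits kept as supporting context.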
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 533 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 534 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 535 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 536 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 537 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 538 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 539 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 540 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 541 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 542 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 543 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 544 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 545 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 546 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 547 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 548 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 549 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 550 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 551 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 552 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 553 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
LNK file

The LNK file contains a list of commands that are executed when it is opened, plus a blob that is a base64-encoded, compressed (CAB) payload. The commands are:

1. Copy the content of the LNK file itself into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy "certutil.exe" to "gosia.exe" (the wildcard "*ertu*.exe" is used so that the string "certutil" never appears on the command line, to evade simple detection).
3. Locate the base64 blob with "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode "cSi1rouy4.tmp" with "gosia.exe -decode" (i.e. certutil.exe -decode) into "o423DFDS4.tmp".
5. Decompress "o423DFDS4.tmp" into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy "66DF3DFG.tmp" and "34fDKfSD38.js" into "C:\Users\Public\Downloads".
7. Execute the JS file via Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa COVID-19 campaign. The only differences are the names of the tmp files and the name given to the certutil.exe copy: "gosia.exe" in this case, "mosia.exe" in the March campaign.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the Startup directory and rename it "officeupdate.exe".
4. Add "officeupdate.exe" to the scheduled tasks.
5. Send a POST request to a hardcoded URL with the content of "d3reEW.exe" as data.
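Triage for the LNK stage described above, as an added example that is not part of the original post: a parser for the Shell Link format that pulls out the COMMAND_LINE_ARGUMENTS string, flags the certutil/findstr/expand/wscript chain, and carves and decodes the base64 blob that trails the shortcut's last ExtraData block, checking for the CAB magic "MSCF". The sample LNK, its command line and the payload bytes are constructed inside the script to mirror the steps listed above; the argument string, the findstr marker and the regex patterns are assumptions, not the real sample's contents.

```python
import base64
import re
import struct
from typing import Optional

# Shell Link header constants (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# The LOLBin chain the post describes. These patterns are ours (assumption),
# not lifted from the real sample's command line.
CHAIN_PATTERNS = {
    "wildcard_copy_of_certutil": re.compile(r"\*ertu\*", re.I),
    "findstr_extracts_blob": re.compile(r"\bfindstr\b", re.I),
    "certutil_decode": re.compile(r"\s-decode\b", re.I),
    "expand_cab": re.compile(r"\bexpand(\.exe)?\b.*-F:", re.I),
    "wscript_launch": re.compile(r"\b[wc]script(\.exe)?\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def parse_lnk(data: bytes) -> dict:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData and
    return the StringData fields plus the overlay (bytes after the TerminalBlock)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]      # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]          # LinkInfoSize includes itself
    fields = {}
    for bit, name in STRING_FIELDS:                            # fixed order per spec
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    while pos + 4 <= len(data):                                # ExtraData blocks
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size < 4:                                           # TerminalBlock
            break
        pos += size - 4
    fields["overlay"] = data[pos:]
    return fields


def carve_payload(overlay: bytes) -> Optional[bytes]:
    """Decode the longest base64 run in the overlay (line breaks removed first,
    so a certutil-style 64-column blob is still one run)."""
    text = re.sub(r"[\r\n]", "", overlay.decode("latin-1"))
    runs = B64_RUN.findall(text)
    if not runs:
        return None
    try:
        return base64.b64decode(max(runs, key=len), validate=True)
    except ValueError:                                         # binascii.Error is a ValueError
        return None


def triage_lnk(data: bytes) -> dict:
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    payload = carve_payload(fields["overlay"])
    return {
        "arguments": args,
        "chain_indicators": sorted(n for n, p in CHAIN_PATTERNS.items() if p.search(args)),
        "payload_size": len(payload) if payload else 0,
        "payload_is_cab": bool(payload) and payload[:4] == b"MSCF",
    }


def build_sample_lnk(arguments: str, payload: bytes) -> bytes:
    """Constructed test input (not a real Higaisa sample): minimal header with only
    COMMAND_LINE_ARGUMENTS set, a TerminalBlock, then a base64 overlay."""
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE, 0x20)
    header += b"\x00" * 24                                     # three FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)     # FileSize .. Reserved3
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    overlay = b"\r\n" + base64.b64encode(payload) + b"\r\n"
    return header + string_data + struct.pack("<I", 0) + overlay


# Constructed command line mirroring the eight steps in the post; the findstr
# marker "TVNDRg" (base64 of "MSCF") and the %TEMP% paths are assumptions.
SAMPLE_ARGUMENTS = (
    r'/c copy /y "*.lnk" "%TEMP%\g4ZokyumB2DC4.tmp" & '
    r'copy /y %SystemRoot%\System32\*ertu*.exe "%TEMP%\gosia.exe" & '
    r'findstr "TVNDRg" "%TEMP%\g4ZokyumB2DC4.tmp" > "%TEMP%\cSi1rouy4.tmp" & '
    r'"%TEMP%\gosia.exe" -decode "%TEMP%\cSi1rouy4.tmp" "%TEMP%\o423DFDS4.tmp" & '
    r'expand "%TEMP%\o423DFDS4.tmp" -F:* "%TEMP%" & '
    r'wscript "C:\Users\Public\Downloads\34fDKfSD38.js"'
)
SAMPLE_PAYLOAD = b"MSCF" + b"\x00" * 60        # fake CAB header, enough for the magic check
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGUMENTS, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

On a real shortcut, read the file bytes and pass them to triage_lnk: the argument string is what to hunt on in process telemetry, and the decoded blob can be handed to expand.exe (or a CAB library) to recover the JS, the .tmp shellcode and the decoy PDF. The carving picks the longest base64 run in the overlay, so a sample that splits the blob with a different delimiter or stores it inside an ExtraData block needs that step adapted.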
svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in "66DF3DFG.tmp". This shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls "CreateThread" to create a thread within its own memory space that makes HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a Start Menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address

Technique IDs and names are as they stood in ATT&CK when the post was published (June 2020). In current ATT&CK versions T1059 is Command and Scripting Interpreter, T1064 Scripting has been deprecated into T1059, and T1060 has been replaced by T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
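Detection logic for the chain summarised in the table above, as an added example that is not part of the original post. It runs over constructed Sysmon-style process, file-create and network events (the events and their field names are ours) and flags the behaviours the post describes: ipconfig spawned from a script host, a .exe written by the script host into C:\Users\Public\Downloads, an executable launched from that directory, a Startup folder write, a scheduled task created from a script host, and contact with the refanged C2 indicators from the IOC list. The post does not say how the task was registered, so the schtasks.exe rule is an assumption; a JScript that uses the Schedule.Service COM object instead would need a task-creation event source (Security event 4698, for instance) rather than a process rule.

```python
import re

# Defanged C2 indicators from the post's IOC list; refang() turns them into
# hosts that can be compared against network telemetry.
C2_DEFANGED = [
    "sixindent[.]epizy[.]com",
    "goodhk[.]azurewebsites[.]net",
    "zeplin[.]atwebpages[.]com",
    "45.76.6[.]149",
    "www.comcleanner[.]info",
]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


C2_HOSTS = {refang(i) for i in C2_DEFANGED}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DOWNLOADS = re.compile(r"^c:\\users\\public\\downloads\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, event_id) pairs for every event that matches a chain rule."""
    findings = []
    for ev in events:
        image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
        from_script_host = parent in SCRIPT_HOSTS
        if ev["type"] == "process":
            cmd = ev.get("command_line", "").lower()
            if from_script_host and image == "cmd.exe" and "ipconfig" in cmd:
                findings.append(("ipconfig_from_script_host", ev["id"]))
            elif from_script_host and image == "schtasks.exe" and "/create" in cmd:
                # Assumption: the task is registered via schtasks.exe, not the COM API.
                findings.append(("schtasks_create_from_script_host", ev["id"]))
            elif from_script_host and PUBLIC_DOWNLOADS.match(ev.get("image", "")):
                findings.append(("exec_from_public_downloads", ev["id"]))
        elif ev["type"] == "file":
            path = ev.get("path", "")
            if image in SCRIPT_HOSTS and PUBLIC_DOWNLOADS.match(path) and path.lower().endswith(".exe"):
                findings.append(("script_host_writes_exe_to_public_downloads", ev["id"]))
            if STARTUP_DIR.search(path):
                findings.append(("startup_folder_write", ev["id"]))
        elif ev["type"] == "network":
            if refang(ev.get("dest_host", "")) in C2_HOSTS:
                findings.append(("known_c2_contact", ev["id"]))
            elif image in SCRIPT_HOSTS and ev.get("method", "").upper() == "POST":
                findings.append(("script_host_http_post", ev["id"]))
    return findings


def verdict(findings, min_distinct_rules: int = 3) -> bool:
    """Alert only when several distinct stages of the chain are observed."""
    return len({rule for rule, _ in findings}) >= min_distinct_rules


# Constructed event stream (not real telemetry) following the JS stage in the post;
# event 8 is a benign ipconfig typed by a user and must not match.
WS = r"C:\Windows\System32\wscript.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": WS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wscript "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent_image": WS,
     "command_line": "cmd /c ipconfig"},
    {"id": 3, "type": "file", "image": WS, "path": r"C:\Users\Public\Downloads\d3reEW.exe"},
    {"id": 4, "type": "process", "image": r"C:\Users\Public\Downloads\svchast.exe", "parent_image": WS,
     "command_line": r"C:\Users\Public\Downloads\svchast.exe"},
    {"id": 5, "type": "file", "image": WS, "path": STARTUP + r"\officeupdate.exe"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": WS,
     "command_line": 'schtasks /create /sc minute /mo 30 /tn officeupdate /tr "' + STARTUP + r'\officeupdate.exe"'},
    {"id": 7, "type": "network", "image": WS, "dest_host": "goodhk.azurewebsites.net", "method": "POST"},
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd /c ipconfig"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, event_id in hits:
        print(f"event {event_id}: {rule}")
    print("alert" if verdict(hits) else "no alert")
```

Each rule on its own is noisy (administrators run ipconfig, installers write to the Startup folder), which is why verdict() requires several distinct rules from the chain rather than any single hit; in a real pipeline the grouping would be per host and per script-host process tree rather than over one flat list.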
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 615 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 616 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 617 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 618 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 619 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 620 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 621 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 622 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 623 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file that kicks off a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file, which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

"CV_Colliers.rar"
"Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that use zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded, compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe" (the wildcard pattern "*ertu*.exe" is used instead of the literal name certutil.exe to bypass security detection).
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" (a CAB file) into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the certutil.exe copy, which in this new case is "gosia.exe", while in the March campaign it was "mosia.exe". Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations; running each of them shows a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the Startup directory and rename it "officeupdate.exe".
4. Add "officeupdate.exe" to the scheduled tasks.
5. Send a POST request to a hardcoded URL with "d3reEW.exe" as the data.
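As an added example (not code from the Malwarebytes post), the following Python script performs the findstr / certutil -decode / expand.exe steps of the LNK stage statically, so an analyst can recover the dropped file names without running the shortcut. It checks the Shell Link header, flags the "document.pdf.lnk" disguise seen in both archives, collects the appended base64 lines the way findstr selects them, decodes them, and walks the CFFILE records of the resulting cabinet without extracting it. The LNK-shaped sample, its placeholder command text and the minimal cabinet (valid headers, no CFDATA blocks) are constructed here; only the file names are taken from the post.

```python
"""Static triage of a LNK dropper carrying a base64-encoded CAB payload.

Added example, not code from the original post. It reproduces offline what
the malicious shortcut does with findstr.exe, certutil.exe -decode and
expand.exe, without executing any of them.
"""
import base64
import re
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize field, always 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
CAB_MAGIC = b"MSCF"
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def is_lnk(data: bytes) -> bool:
    """True when the file starts with a Shell Link header (size + CLSID)."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def has_deceptive_extension(name: str) -> bool:
    """Flag 'something.pdf.lnk': a shortcut dressed up as a document."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_EXTENSIONS


def find_base64_blob(data: bytes, min_chars: int = 64) -> bytes:
    """Mimic the findstr step: keep only lines made purely of base64 characters.

    The binary LNK structure contains NUL bytes and other non-base64 bytes, so
    only the appended, line-wrapped payload survives the filter.
    """
    kept = [ln.strip() for ln in data.splitlines() if B64_LINE.match(ln.strip())]
    blob = b"".join(kept)
    if len(blob) < min_chars:
        raise ValueError("no base64 payload found")
    return blob


def list_cab_files(cab: bytes) -> list:
    """Return (name, size) for every CFFILE record without extracting anything.

    CFHEADER is 36 bytes; its coffFiles field is the absolute offset of the
    first CFFILE record, so the CFFOLDER array can be skipped entirely.
    """
    if cab[:4] != CAB_MAGIC:
        raise ValueError("payload is not a cabinet file")
    hdr = struct.unpack_from("<4sIIIIIBBHHHHH", cab, 0)
    coff_files, c_files = hdr[4], hdr[9]
    entries, off = [], coff_files
    for _ in range(c_files):
        cb_file = struct.unpack_from("<IIHHHH", cab, off)[0]  # cbFile comes first
        off += 16
        end = cab.index(b"\x00", off)  # szName is NUL-terminated
        entries.append((cab[off:end].decode("latin-1"), cb_file))
        off = end + 1
    return entries


def triage_lnk(name: str, data: bytes) -> dict:
    """Full pass: header check, disguise check, blob decode, cabinet listing."""
    result = {"name": name, "is_lnk": is_lnk(data),
              "deceptive_extension": has_deceptive_extension(name),
              "payload": None, "files": []}
    try:
        decoded = base64.b64decode(find_base64_blob(data), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return result
    result["payload"] = decoded[:4]
    if decoded[:4] == CAB_MAGIC:
        result["files"] = list_cab_files(decoded)
    return result


def build_sample_cab(names) -> bytes:
    """Constructed minimal cabinet: CFHEADER, one CFFOLDER and CFFILE records
    only (enough to list, not to extract). Sizes are made up."""
    files = b"".join(struct.pack("<IIHHHH", 0x100 * (i + 1), 0, 0, 0, 0, 0x20)
                     + n.encode() + b"\x00" for i, n in enumerate(names))
    folder = struct.pack("<IHH", 0, 0, 1)  # typeCompress 1 = MSZIP
    coff_files = 36 + len(folder)
    total = coff_files + len(files)
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, total, 0, coff_files,
                         0, 3, 1, 1, len(names), 0, 0x1234, 0)
    return header + folder + files


def build_sample_lnk(payload: bytes) -> bytes:
    """Constructed LNK-shaped file: a real header, placeholder command text,
    then the payload appended as line-wrapped base64 like the real sample."""
    header = LNK_MAGIC + LNK_CLSID + b"\x00" * (0x4C - 20)
    placeholder = b"constructed placeholder for the embedded command line\r\n"
    return header + placeholder + base64.encodebytes(payload)


if __name__ == "__main__":
    sample = build_sample_lnk(build_sample_cab(["66DF3DFG.tmp", "34fDKfSD38.js", "decoy.pdf"]))
    print(triage_lnk("Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk", sample))
```

Run against a real shortcut, the cabinet listing tells you up front which files expand.exe would drop (here the shellcode blob, the JS stage and the decoy) so they can be hunted for on disk before any dynamic analysis.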
svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in "66DF3DFG.tmp". This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls "CreateThread" to create a thread within its memory space that makes HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address

The technique IDs above are those of the ATT&CK version current at publication (June 2020). Several have since been reorganized into sub-techniques: T1059 and T1064 into Command and Scripting Interpreter (T1059.003 for cmd.exe, T1059.007 for JScript), T1060 into T1547.001 (Registry Run Keys / Startup Folder), T1053 into T1053.005 (Scheduled Task), and T1106 has been renamed Native API.
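The table maps each stage to a technique; the example below, added here and not part of the Malwarebytes post, turns the observables from the LNK and JS stages into detection rules and runs them over constructed Sysmon-style process-creation and file-create records. The field names ("image", "parent", "original_name", "cmdline", "target"), the user name and temp path, and the exact command lines are assumptions standing in for what the post describes; the tool names, switches and dropped file names come from the post. The renamed-certutil rule relies on a PE original-filename field such as Sysmon's OriginalFileName, which survives the copy to "gosia.exe".

```python
"""Detection rules for the LNK -> certutil -> expand.exe -> wscript chain.

Added example, not code from the original post. SAMPLE_EVENTS are constructed
records in a Sysmon-like shape, not real telemetry.
"""
import ntpath
import re

USER_TEMP = r"C:\Users\u\AppData\Local\Temp"          # assumed victim temp path
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
WILDCARD_EXE = re.compile(r"\*[a-z0-9]*\*\.exe")       # e.g. *ertu*.exe

SAMPLE_EVENTS = [  # constructed; one record per stage, then two benign ones
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe", "original_name": "Cmd.Exe",
     "cmdline": r"cmd.exe /c copy /y C:\Windows\System32\*ertu*.exe " + USER_TEMP + r"\gosia.exe"},
    {"type": "process", "image": USER_TEMP + r"\gosia.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "original_name": "CertUtil.exe",
     "cmdline": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"type": "process", "image": r"C:\Windows\System32\expand.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "original_name": "expand.exe",
     "cmdline": "expand.exe o423DFDS4.tmp -F:* " + USER_TEMP},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "original_name": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "original_name": "Cmd.Exe",
     "cmdline": "cmd /c ipconfig"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    # benign activity that must not fire
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "original_name": "CertUtil.exe",
     "cmdline": "certutil.exe -verify server.cer"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "original_name": "wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.js"},
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def tag_event(ev: dict) -> list:
    """Return the technique tags a single record triggers (empty if benign)."""
    tags = []
    if ev.get("type") == "file_create":
        # JS stage: copy of the loader into the Startup folder (T1060 in the table)
        if STARTUP_DIR in ev.get("target", "").lower():
            tags.append("T1060 startup-folder persistence")
        return tags
    cmd = ev.get("cmdline", "").lower()
    img = base(ev.get("image", ""))
    parent = base(ev.get("parent", ""))
    original = ev.get("original_name", "").lower()
    # LNK stage: certutil copied to another name; the PE's own name gives it away
    if original == "certutil.exe" and img != "certutil.exe":
        tags.append("T1140 renamed certutil")
    if original == "certutil.exe" and "-decode" in cmd:
        tags.append("T1140 certutil -decode")
    # LNK stage: cmd.exe copying a LOLBin through a wildcard path (*ertu*.exe)
    if img == "cmd.exe" and WILDCARD_EXE.search(cmd):
        tags.append("T1140 wildcard LOLBin copy")
    # LNK stage: expand.exe unpacking the decoded cabinet
    if img == "expand.exe" and "-f:*" in cmd:
        tags.append("T1140 expand.exe CAB extraction")
    # LNK stage: script host launched on a script under C:\Users\Public
    if img in SCRIPT_HOSTS and "c:\\users\\public\\" in cmd:
        tags.append("T1064 script from Public")
    # JS stage: ipconfig spawned by the script host (T1016 in the table)
    if img == "cmd.exe" and parent in SCRIPT_HOSTS and "ipconfig" in cmd:
        tags.append("T1016 ipconfig via script host")
    return tags


def detect_chain(events, threshold: int = 3):
    """Tag every record; alert once enough distinct stages of the chain appear.

    A single rule (a renamed certutil, a script in Public) is a lead; several
    of them on one host in sequence is this dropper.
    """
    hits = [(i, tag_event(ev)) for i, ev in enumerate(events)]
    stages = {t for _, tags in hits for t in tags}
    return len(stages) >= threshold, hits


if __name__ == "__main__":
    alert, hits = detect_chain(SAMPLE_EVENTS)
    print("ALERT" if alert else "clean")
    for i, tags in hits:
        if tags:
            print(i, tags)
```

The threshold keeps a lone certutil -verify or a logon script out of the alert; the evasion the actor relies on (never writing "certutil.exe" on the command line, running the copy under a random name) is exactly what the original-filename comparison undoes.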
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 637 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 638 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 639 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 640 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 641 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com 
goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 642 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 643 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 644 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 645 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 646 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 647 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 648 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 649 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 650 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 651 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 652 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 653 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 654 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 655 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 656 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 657 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 658 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 659 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
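As an added example that is not part of the original post: detection logic for the LNK command list and the JS file’s persistence step described above, run over constructed Sysmon-style process-creation events. Field names follow Sysmon’s Event ID 1 schema; the host names, user paths and schtasks options are assumptions made for the example, and the tool names and stage order are the only things taken from the write-up.

```python
"""Detect the renamed-certutil -> expand -> wscript -> scheduled-task chain.

Added example, not code from the Malwarebytes post. Events are constructed
Sysmon-style process-creation records; every value in SAMPLE_EVENTS is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_renamed_certutil_decode(e):
    # certutil copied to another name still carries CertUtil.exe in its PE
    # version info, which Sysmon logs as OriginalFileName, so the "gosia.exe
    # -decode" step shows up as a name mismatch plus the -decode switch.
    return (e.get("OriginalFileName", "").lower() == "certutil.exe"
            and _basename(e["Image"]) != "certutil.exe"
            and "-decode" in e["CommandLine"].lower())


def is_expand_of_tmp_payload(e):
    # expand.exe -F:* unpacking a .tmp CAB (the decoded o423DFDS4.tmp step).
    cmd = e["CommandLine"].lower()
    return _basename(e["Image"]) == "expand.exe" and "-f:*" in cmd and ".tmp" in cmd


def is_wscript_from_public_downloads(e):
    # wscript launching a script dropped in C:\Users\Public\Downloads.
    return (_basename(e["Image"]) == "wscript.exe"
            and "\\users\\public\\downloads\\" in e["CommandLine"].lower())


def is_schtask_pointing_at_startup_folder(e):
    # schtasks /create whose action lives in a Start Menu Startup folder
    # (officeupdate.exe is copied there before the task is added).
    cmd = e["CommandLine"].lower()
    return (_basename(e["Image"]) == "schtasks.exe" and "/create" in cmd
            and "\\start menu\\programs\\startup\\" in cmd)


STAGES = {
    "renamed_certutil_decode": is_renamed_certutil_decode,
    "expand_tmp_payload": is_expand_of_tmp_payload,
    "wscript_public_downloads": is_wscript_from_public_downloads,
    "schtask_startup_folder": is_schtask_pointing_at_startup_folder,
}


def match_stages(event):
    """Names of the chain stages a single process-creation event matches."""
    return [name for name, pred in STAGES.items() if pred(event)]


def find_chains(events, window=timedelta(minutes=10), min_stages=2):
    """Per host, the largest set of distinct stages seen inside one window.

    One hit on its own (an admin decoding with a renamed certutil) stays under
    the threshold; two or more stages on one host inside the window is the
    chain, and that host is returned with its sorted stage names.
    """
    hits = defaultdict(list)
    for e in events:
        for stage in match_stages(e):
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            hits[e["Computer"]].append((ts, stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        best = set()
        for i, (t0, _) in enumerate(seen):
            in_window = {s for t, s in seen[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


# Constructed telemetry: WS-01 shows the full chain, WS-02 only benign
# look-alikes (certutil under its own name, expand.exe on a real .cab).
TMP = r"C:\Users\victim\AppData\Local\Temp"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "UtcTime": "2020-05-29 10:00:01.000",
     "Image": TMP + r"\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"Computer": "WS-01", "UtcTime": "2020-05-29 10:00:02.000",
     "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": "expand.exe -F:* " + TMP + r"\o423DFDS4.tmp " + TMP},
    {"Computer": "WS-01", "UtcTime": "2020-05-29 10:00:03.000",
     "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"Computer": "WS-01", "UtcTime": "2020-05-29 10:00:05.000",
     "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     # task options are invented; the post only says officeupdate.exe was scheduled
     "CommandLine": 'schtasks /create /tn officeupdate /tr "' + STARTUP + r'\officeupdate.exe"'},
    {"Computer": "WS-02", "UtcTime": "2020-05-29 10:30:00.000",
     "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -decode cert.b64 cert.cer"},
    {"Computer": "WS-02", "UtcTime": "2020-05-29 10:31:00.000",
     "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe -F:* C:\drivers\driver.cab C:\drivers"},
]

if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

The OriginalFileName check is the part that survives the file rename; the path and switch checks alone would also fire on the benign WS-02 activity.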
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 715 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 716 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 717 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 718 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 719 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 720 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 721 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 722 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com 
goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 723 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 724 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 725 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 726 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 727 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 728 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 729 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 730 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 731 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 732 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 733 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 734 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 735 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 736 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 737 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 738 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 739 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 740 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.
The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard pattern “*ertu*.exe” is used instead of the real name to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its own memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs

CV_Colliers.rar
  df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
  c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
  1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
  c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
  c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
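The ATT&CK rows above double as a detection checklist for the whole chain. The following is an added example, not Malwarebytes' own detection logic: it evaluates Sysmon-style process-creation (Event 1) and file-creation (Event 11) records against the behaviours the post describes, catching the renamed certutil.exe by comparing the PE's OriginalFileName with the on-disk name (the “*ertu*.exe” to “gosia.exe” trick), certutil -decode, expand.exe -F:, wscript.exe running a script out of C:\Users\Public, cmd.exe spawned by a script to run ipconfig, and a write into the Startup folder. The records are constructed, the field names follow Sysmon's, and the alert threshold of three distinct rules is this example's choice. No command-line rule is written for the scheduled task because the table above indicates the Task Scheduler interface is used directly rather than schtasks.exe.

```python
"""Behavioral detection for the chain above (renamed certutil -> expand -> wscript from a
public directory -> ipconfig from a script -> Startup-folder drop) over constructed
Sysmon-style records. Added example, not Malwarebytes detection logic; field names follow
Sysmon Event 1 (process create) and Event 11 (file create)."""
import ntpath
import re

# Binaries whose PE version resource (OriginalFileName) should match the on-disk name;
# the post's "*ertu*.exe" -> gosia.exe copy breaks that equality.
LOLBINS = {"certutil.exe", "expand.exe", "findstr.exe", "wscript.exe"}
PUBLIC_DIR = re.compile(r"\\Users\\Public\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Names of the rules one event matches; empty for benign events."""
    hits = []
    if event.get("EventID") == 1:
        image = _base(event.get("Image", ""))
        original = event.get("OriginalFileName", "").lower()
        cmd = event.get("CommandLine", "")
        parent = _base(event.get("ParentImage", ""))
        if original in LOLBINS and original != image:
            hits.append("renamed_lolbin")                # gosia.exe is really certutil.exe
        if original == "certutil.exe" and re.search(r"\s-decode\b", cmd, re.IGNORECASE):
            hits.append("certutil_decode")                # T1140
        if original == "expand.exe" and "-F:" in cmd:
            hits.append("expand_cab_extract")             # T1140
        if image in ("wscript.exe", "cscript.exe") and PUBLIC_DIR.search(cmd):
            hits.append("script_from_public_dir")         # T1064
        if image == "cmd.exe" and parent in ("wscript.exe", "cscript.exe") and "ipconfig" in cmd.lower():
            hits.append("script_spawns_ipconfig")         # T1016, the JS file's "cmd /c ipconfig"
    elif event.get("EventID") == 11:
        if STARTUP_DIR.search(event.get("TargetFilename", "")):
            hits.append("startup_folder_write")           # T1060, officeupdate.exe
    return hits


def scan(events: list) -> dict:
    """Map each rule name to the indices of the events that triggered it."""
    matches = {}
    for idx, event in enumerate(events):
        for rule in evaluate(event):
            matches.setdefault(rule, []).append(idx)
    return matches


def verdict(events: list, threshold: int = 3) -> str:
    """Alert when several distinct links of the chain appear together; any one of them
    alone (a legitimate certutil -decode, a script in Public) is too noisy by itself."""
    return "alert" if len(scan(events)) >= threshold else "clean"


# Constructed telemetry: the first five records replay the chain, the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand o423DFDS4.tmp -F:* C:\Users\victim\AppData\Local\Temp", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c ipconfig", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -verify -urlfetch cert.cer", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, idxs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:24s} events {idxs}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The OriginalFileName comparison is the rule worth keeping even if the others are tuned away: renaming a copy of certutil.exe defeats image-path allow-lists, but the version resource inside the copied binary still says CertUtil.exe, so the mismatch survives whatever name the operator picks.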
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 755 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 756 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 757 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 758 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 759 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut (LNK) file that kicks off a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) appears to target product teams that use zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that are executed when it is opened, followed by a blob that is a base64-encoded, compressed payload. The commands, in order:

1. Copy the content of the LNK file itself into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy “certutil.exe” to “gosia.exe”. The source is referenced with the wildcard pattern “*ertu*.exe”, so the string “certutil” never appears on the command line and simple detections keyed on that name are bypassed.
3. Locate the base64 blob in the copied LNK with “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode “cSi1rouy4.tmp” with “gosia.exe -decode” (i.e., certutil.exe -decode) into “o423DFDS4.tmp”.
5. Decompress “o423DFDS4.tmp”, a CAB archive, into the temp directory with “expand.exe -F:*”; the archive contains the next-stage files and a decoy PDF document (Figure 3).
6. Copy “66DF3DFG.tmp” and “34fDKfSD38.js” into “C:\Users\Public\Downloads”.
7. Execute the JS file with wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali for the Higaisa COVID-19 campaign. The only differences are the names of the tmp files and the name given to the copied certutil.exe: “gosia.exe” in this case, versus “mosia.exe” in the March campaign.

Both LNK files embedded in each archive execute similar commands but with different command-and-control (C&C) configurations, and each opens a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the Startup directory as “officeupdate.exe”.
4. Register “officeupdate.exe” as a scheduled task.
5. Send a POST request to a hardcoded URL with the content of “d3reEW.exe” (the ipconfig output) as the body.

svchast.exe

Svchast.exe is a small loader that reads and runs the shellcode stored in “66DF3DFG.tmp”. That shellcode is itself a wrapper around the final shellcode: it performs some checks and then calls the final stage, which dynamically resolves its imports and allocates memory for the content that will be executed.
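As an added example, not code from the Malwarebytes post or from the Higaisa tooling, the following Python models the detection side of the LNK and JS stages listed above. It runs a handful of rules over constructed process-creation and file-creation events whose field names follow Sysmon Event ID 1 and Event ID 11 (Image, ParentImage, OriginalFileName, CommandLine, TargetFilename); the events, the user name "victim" and the exact command lines are assumptions modelled on the steps in the post, not recovered telemetry. It generalizes the post's observations in two places: the wildcard rule catches any copy of a System32 binary whose name is masked by *, not only *ertu*.exe, and the renamed-certutil rule keys on the PE's OriginalFileName rather than on the gosia.exe or mosia.exe filenames, so a future rename still fires.

```python
"""Detection rules for the Higaisa LNK -> JS chain, run over constructed
Sysmon-style events. Added illustration, not code from the original post."""
import ntpath
import re

# Constructed sample events modelled on the steps described in the post.
# Field names follow Sysmon Event ID 1 (ProcessCreate) and 11 (FileCreate);
# the user name "victim" and the exact command lines are assumptions.
SAMPLE_EVENTS = [
    {  # stage 1: WinRAR runs the LNK; its cmd line copies certutil via a wildcard
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r"cmd.exe /c copy /y C:\Windows\System32\*ertu*.exe "
                       r"C:\Users\victim\AppData\Local\Temp\gosia.exe",
    },
    {  # stage 2: the renamed certutil decodes the base64 blob
        "Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp",
    },
    {  # stage 3: expand.exe unpacks the decoded CAB into the temp directory
        "Image": r"C:\Windows\System32\expand.exe",
        "CommandLine": r"expand.exe -F:* o423DFDS4.tmp C:\Users\victim\AppData\Local\Temp",
    },
    {  # stage 4: wscript runs the dropped JS from the public Downloads folder
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js",
    },
    {  # stage 5: the JS copies the loader into the Startup folder as officeupdate.exe
        "EventType": "FileCreate",
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                          r"\Start Menu\Programs\Startup\officeupdate.exe",
    },
    {  # benign: an admin hashing a file with the real certutil (must not fire)
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil.exe -hashfile C:\installers\setup.msi SHA256",
    },
]

# copy ... \System32\<token containing *>.exe: the wildcard hides the binary's real name
WILDCARD_SYS32_COPY = re.compile(r"\bcopy\b[^&|]*\\system32\\\S*\*\S*\.exe", re.I)
# a path component named "temp" (followed by a backslash, whitespace or end of line)
TEMP_DIR = re.compile(r"\\temp(?=\\|\s|$)", re.I)

def _name(path):
    # lower-cased file name of a Windows path; ntpath handles backslashes on any OS
    return ntpath.basename(path or "").lower()

def rule_archiver_spawned_cmd(ev):
    # cmd.exe started directly by WinRAR: the LNK was launched from inside the archive
    return _name(ev.get("ParentImage")) == "winrar.exe" and _name(ev.get("Image")) == "cmd.exe"

def rule_wildcard_copy_of_system_binary(ev):
    return WILDCARD_SYS32_COPY.search(ev.get("CommandLine", "")) is not None

def rule_renamed_certutil_decode(ev):
    # -decode run by a PE whose version resource says CertUtil.exe but whose file name differs
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and _name(ev.get("Image")) != "certutil.exe"
            and "-decode" in ev.get("CommandLine", "").lower())

def rule_expand_cab_into_temp(ev):
    cmd = ev.get("CommandLine", "")
    return (_name(ev.get("Image")) == "expand.exe" and "-f:" in cmd.lower()
            and TEMP_DIR.search(cmd) is not None)

def rule_script_host_from_public(ev):
    cmd = ev.get("CommandLine", "").lower()
    return (_name(ev.get("Image")) in {"wscript.exe", "cscript.exe"}
            and "\\users\\public\\" in cmd
            and re.search(r"\.(js|jse|vbs|vbe|wsf)\b", cmd) is not None)

def rule_exe_dropped_in_startup(ev):
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventType") == "FileCreate"
            and "\\start menu\\programs\\startup\\" in target
            and target.endswith(".exe"))

RULES = [(fn.__name__[len("rule_"):], fn) for fn in (
    rule_archiver_spawned_cmd, rule_wildcard_copy_of_system_binary,
    rule_renamed_certutil_decode, rule_expand_cab_into_temp,
    rule_script_host_from_public, rule_exe_dropped_in_startup)]

def detect(events):
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]

def chain_stages_seen(events):
    """Distinct rules that fired; the full LNK -> JS chain lights up all six."""
    return {name for _, name in detect(events)}
```

Running detect(SAMPLE_EVENTS) yields one hit per stage (two for the first event, which is both the archiver-spawned cmd.exe and the wildcard copy), while the benign certutil -hashfile event at the end produces nothing, because the certutil rule fires on the mismatch between OriginalFileName and the on-disk name rather than on certutil usage itself. In production the same functions would run over the EDR or Sysmon stream instead of the inline list, and chain_stages_seen gives a cheap way to score how much of the chain a single host has shown.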
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 824 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 825 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 826 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. 
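As an added example (not code from the original post or from Malwarebytes), the following Python triage helper shows how an analyst can check a suspect shortcut for the pattern described above: it looks for a long base64 run appended to the file, decodes it the way certutil -decode would (wrapped lines allowed), and identifies the result by its leading magic bytes, so a cabinet destined for expand.exe is recognised before anything is run. The 20-byte header prefix is the genuine fixed prefix of every .lnk file (HeaderSize 0x4C and the LinkCLSID); the sample shortcut and the fake cabinet it carries are constructed here and are not the campaign's files.

```python
import base64
import binascii
import re

# Every .lnk file begins with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK); 20 bytes in total.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# File-type magics worth recognising after decoding. expand.exe unpacks
# cabinets, so "MSCF" is the one this chain would produce.
MAGICS = {
    b"MSCF": "CAB",
    b"MZ": "PE",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP",
}


def find_base64_blobs(data: bytes, min_len: int = 64) -> list:
    """Return base64-looking runs (line breaks removed), longest first.

    Line breaks are allowed inside a run because certutil -decode accepts
    wrapped input, so an embedded blob need not sit on a single line.
    """
    pattern = rb"[A-Za-z0-9+/=\r\n]{%d,}" % min_len
    blobs = []
    for match in re.finditer(pattern, data):
        cleaned = re.sub(rb"[\r\n]", b"", match.group())
        if len(cleaned) >= min_len and len(cleaned) % 4 == 0:
            blobs.append(cleaned)
    return sorted(blobs, key=len, reverse=True)


def identify(payload: bytes) -> str:
    """Name the container type by its leading magic bytes."""
    for magic, name in MAGICS.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def triage_lnk(data: bytes) -> dict:
    """Report whether data looks like a shortcut carrying an encoded payload."""
    report = {
        "is_lnk": data[:len(LNK_HEADER)] == LNK_HEADER,
        "blob_found": False,
        "decoded_type": None,
        "decoded_len": 0,
    }
    for blob in find_base64_blobs(data):
        try:
            payload = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # long run of alphabet characters that is not base64
        report.update(blob_found=True,
                      decoded_type=identify(payload),
                      decoded_len=len(payload))
        break
    return report


def build_sample() -> bytes:
    """Constructed stand-in for the malicious shortcut (not a real sample).

    A fake cabinet (only the MSCF magic is genuine) is base64-encoded,
    wrapped at 64 columns and appended after the shortcut header.
    """
    fake_cab = b"MSCF" + b"\x00" * 60 + b"constructed cab body, not a real archive"
    encoded = base64.b64encode(fake_cab)
    wrapped = b"\r\n".join(encoded[i:i + 64] for i in range(0, len(encoded), 64))
    return LNK_HEADER + b"\x00" * 56 + b"<shortcut body placeholder>\r\n" + wrapped + b"\r\n"


if __name__ == "__main__":
    print(triage_lnk(build_sample()))
```

Run against a real shortcut, a report with is_lnk true, blob_found true and decoded_type CAB is exactly the combination this campaign's LNK files would produce; a PE result would point at a chain that skips the expand.exe step.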
JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space that makes HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
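The chain above leaves a recognisable trail in process-creation telemetry even though certutil.exe is copied under a new name. As an added example (not part of the original post), the following Python rules run over constructed Sysmon-style events (the EventID 1 field names Image, OriginalFileName, ParentImage and CommandLine are assumed) and flag the steps described in the LNK and JS sections: certutil running under a different file name, certutil -decode on .tmp files, expand.exe -F:* on a .tmp source, a script host launched from C:\Users\Public, and executables running from C:\Users\Public\Downloads. The OriginalFileName value CertUtil.exe is assumed to be what certutil's version resource carries; the events, paths and user name are constructed, and two benign look-alikes are included to show what the rules must leave alone.

```python
import ntpath

# Constructed Sysmon-style process-creation events (EventID 1 field names).
# Paths and file names mirror the chain described in the post; none of this
# is real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"Image": r"C:\Windows\System32\expand.exe",
     "OriginalFileName": "expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand.exe o423DFDS4.tmp -F:* ."},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"Image": r"C:\Users\Public\Downloads\svchast.exe",
     "OriginalFileName": "svchast.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\Public\Downloads\svchast.exe"},
    # Benign look-alikes: certutil under its own name doing certificate
    # work, and expand.exe unpacking a driver cabinet (no .tmp source).
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify corp-root.cer"},
    {"Image": r"C:\Windows\System32\expand.exe",
     "OriginalFileName": "expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand.exe driver.cab -F:* C:\Drivers"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()


def rule_renamed_certutil(ev: dict) -> bool:
    """certutil executing under another name: copying the binary keeps its
    version resource, so OriginalFileName still says CertUtil.exe while the
    image on disk (gosia.exe, mosia.exe, ...) does not."""
    return (ev["OriginalFileName"].lower() == "certutil.exe"
            and _base(ev["Image"]) != "certutil.exe")


def rule_certutil_decode_tmp(ev: dict) -> bool:
    """certutil -decode used on .tmp files, whatever the binary is called."""
    cmd = ev["CommandLine"].lower()
    return (ev["OriginalFileName"].lower() == "certutil.exe"
            and "-decode" in cmd and ".tmp" in cmd)


def rule_expand_tmp_cab(ev: dict) -> bool:
    """expand.exe -F:* unpacking a .tmp file rather than a named cabinet."""
    cmd = ev["CommandLine"].lower()
    return _base(ev["Image"]) == "expand.exe" and "-f:*" in cmd and ".tmp" in cmd


def rule_script_host_public_dir(ev: dict) -> bool:
    """wscript/cscript running a script out of C:\\Users\\Public."""
    return (_base(ev["Image"]) in {"wscript.exe", "cscript.exe"}
            and "\\users\\public\\" in ev["CommandLine"].lower())


def rule_exec_from_public_downloads(ev: dict) -> bool:
    """Any executable started from the world-writable Public Downloads folder."""
    return ev["Image"].lower().startswith("c:\\users\\public\\downloads\\")


RULES = {
    "renamed_certutil": rule_renamed_certutil,
    "certutil_decode_tmp": rule_certutil_decode_tmp,
    "expand_tmp_cab": rule_expand_tmp_cab,
    "script_host_public_dir": rule_script_host_public_dir,
    "exec_from_public_downloads": rule_exec_from_public_downloads,
}


def detect(events: list) -> list:
    """Return (rule name, image path) pairs for every rule each event trips."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["Image"]))
    return hits


def summarize(hits: list) -> dict:
    """Count hits per rule, useful for a quick triage view."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:28s} {image}")
```

The renamed-certutil rule is the durable one: it fires on gosia.exe and mosia.exe alike because the copied binary still carries its original version resource, which is why telemetry that records OriginalFileName matters. The -decode/.tmp and expand.exe rules are cheaper but need tuning against legitimate administration scripts in a given environment.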
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 846 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 847 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 848 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 849 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 850 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com 
goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 851 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 852 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 853 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 854 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 855 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 856 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 857 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 858 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 859 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 860 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 861 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 862 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 863 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 864 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 865 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 866 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 867 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 868 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
|---|---|---|---|
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe) |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
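The LNK layout described above (the commands in the shortcut's argument string, the payload as a base64 blob appended after the shortcut structure, decoded with a renamed certutil and unpacked with expand.exe) can be triaged statically without running anything. The script below is an added example written for this write-up, not Malwarebytes' tooling and not code from the campaign. It walks the ShellLink header, StringData and ExtraData sections per MS-SHLLINK, pulls out the command-line arguments, flags the indicators the post lists (the "*ertu*.exe" wildcard copy, "-decode", "expand -F:*", a script host pointed at C:\Users\Public) and checks whether any bytes after the ExtraData terminal block decode to a CAB (the "MSCF" magic). The shortcut it analyses is constructed inside the script by `build_sample_lnk`, and its "payload" is just the CAB magic followed by zeros, so everything runs offline; the argument string is a constructed stand-in that echoes the post's steps, not the real one.

```python
"""Static triage of a Windows shortcut (.lnk) laid out like the samples in this
post: commands in the argument string, payload as an appended base64 blob.
Added example, not campaign tooling; the sample shortcut is constructed below."""
import base64
import re
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON, "icon_location"))

# Indicators drawn from the command list in the post (case-insensitive).
INDICATORS = {
    "wildcard_certutil_copy": re.compile(r"\*ertu\*\.exe", re.I),
    "certutil_decode": re.compile(r"\s-decode\b", re.I),
    "expand_all_files": re.compile(r"\bexpand(\.exe)?\s.*-F:\*", re.I),
    "script_host_public_dir": re.compile(r"\b[wc]script\b.*\\Users\\Public\\", re.I),
}
BASE64_BLOB = re.compile(rb"^[A-Za-z0-9+/\r\n]{64,}={0,2}$")


def _read_string(data, off, unicode):
    """StringData item: UINT16 character count followed by the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Walk header, optional IDList/LinkInfo, StringData and ExtraData; return
    the string fields plus whatever bytes follow the terminal block."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            fields[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 4 <= len(data):          # ExtraData blocks end with a size < 4
        size = struct.unpack_from("<I", data, off)[0]
        off += 4
        if size < 4:
            break
        off += size - 4
    fields["trailing"] = data[off:]      # anything after the structure proper
    return fields


def triage_lnk(data):
    info = parse_lnk(data)
    args = info.get("arguments", "")
    trailing = info["trailing"].strip()
    blob = b""
    if BASE64_BLOB.match(trailing):
        try:
            blob = base64.b64decode(trailing)
        except ValueError:               # binascii.Error: not base64 after all
            pass
    return {
        "arguments": args,
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(args)],
        "appended_blob_bytes": len(blob),
        "appended_is_cab": blob[:4] == b"MSCF",   # what expand.exe would unpack
    }


def build_sample_lnk(arguments, appended=b""):
    """Constructed minimal shortcut for the demo: header with HasArguments |
    IsUnicode, one StringData item, a terminal block, then the appended bytes."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    body = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return bytes(header) + body + struct.pack("<I", 0) + appended


# Constructed argument string echoing the steps in the post (not the real one).
SAMPLE_ARGS = ("/c copy *ertu*.exe gosia.exe & gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"
               " & expand -F:* o423DFDS4.tmp %TEMP% & wscript C:\\Users\\Public\\Downloads\\34fDKfSD38.js")
SAMPLE_PAYLOAD = b"MSCF" + bytes(60)    # CAB magic only; not a real archive
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, base64.encodebytes(SAMPLE_PAYLOAD))

if __name__ == "__main__":
    import json
    print(json.dumps(triage_lnk(SAMPLE_LNK), indent=2))
```

Run it against a quarantined shortcut with `triage_lnk(open(path, "rb").read())`. The parser deliberately stops at the terminal ExtraData block and treats everything after it as foreign: a well-formed shortcut has nothing there, so a base64 run of any size in that position is itself worth a closer look, CAB magic or not.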
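The JS stage and the persistence and discovery rows of the ATT&CK table above all leave process-creation telemetry, which is where most of this chain can be caught after the shortcut has already run. The script below is an added example written for this post, not Malwarebytes' or the authors' detection content. It evaluates a handful of rules over records shaped like Sysmon Event ID 1 (field names Image, OriginalFileName, CommandLine, ParentImage): a process whose PE OriginalFileName is CertUtil.exe but whose image name is something else (the gosia.exe copy), certutil running with -decode, expand.exe unpacking a .tmp file, a script host launched from C:\Users\Public, ipconfig spawned by wscript.exe, and schtasks /create pointing at the Startup folder. The events are constructed for the demo and are not telemetry from the campaign; the schtasks arguments in particular are an assumption, since the post only says the file is added to the scheduled tasks.

```python
"""Detection rules for the post-LNK stages in this write-up (renamed certutil,
JS stage, persistence), run over Sysmon Event ID 1 style records.
Added example; the events are constructed, not campaign telemetry."""
import json
import ntpath
import re

FIELDS = ("UtcTime", "Image", "OriginalFileName", "CommandLine", "ParentImage")
# Constructed sample telemetry: (time, Image, OriginalFileName, CommandLine, ParentImage).
SAMPLE = [
    ("09:12:01", r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "CertUtil.exe",
     "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp", r"C:\Windows\System32\cmd.exe"),
    ("09:12:02", r"C:\Windows\System32\expand.exe", "expand.exe",
     r"expand -F:* o423DFDS4.tmp C:\Users\victim\AppData\Local\Temp", r"C:\Windows\System32\cmd.exe"),
    ("09:12:03", r"C:\Windows\System32\wscript.exe", "wscript.exe",
     r"wscript C:\Users\Public\Downloads\34fDKfSD38.js", r"C:\Windows\System32\cmd.exe"),
    ("09:12:04", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
     "cmd /c ipconfig", r"C:\Windows\System32\wscript.exe"),
    ("09:12:05", r"C:\Windows\System32\schtasks.exe", "schtasks.exe",   # assumed arguments
     r'schtasks /create /tn OfficeUpdate /sc onlogon /tr "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"',
     r"C:\Windows\System32\wscript.exe"),
    # Two benign look-alikes that must not fire.
    ("10:00:00", r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
     "certutil -verify server.cer", r"C:\Windows\System32\cmd.exe"),
    ("10:00:01", r"C:\Windows\System32\wscript.exe", "wscript.exe",
     r'wscript "C:\Program Files\Vendor\inventory.vbs"', r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_JSONL = "\n".join(
    json.dumps(dict(zip(FIELDS, ("2020-05-29 " + t[0],) + t[1:]))) for t in SAMPLE)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def renamed_certutil(ev):
    # The LNK copies certutil.exe under another name; the PE version resource
    # (OriginalFileName, which Sysmon logs) still says CertUtil.exe.
    return ev["OriginalFileName"].lower() == "certutil.exe" and _base(ev["Image"]) != "certutil.exe"


def certutil_decode(ev):
    return (ev["OriginalFileName"].lower() == "certutil.exe"
            and re.search(r"\s-decode\b", ev["CommandLine"], re.I) is not None)


def expand_tmp_archive(ev):
    return (_base(ev["Image"]) == "expand.exe"
            and re.search(r"-F:\*.*\.tmp\b", ev["CommandLine"], re.I) is not None)


def script_host_from_public(ev):
    return (_base(ev["Image"]) in SCRIPT_HOSTS
            and re.search(r"c:\\users\\public\\", ev["CommandLine"], re.I) is not None)


def discovery_from_script_host(ev):
    return (_base(ev["ParentImage"]) in SCRIPT_HOSTS
            and re.search(r"\bipconfig\b", ev["CommandLine"], re.I) is not None)


def schtasks_into_startup(ev):
    cmd = ev["CommandLine"].lower()
    return (_base(ev["Image"]) == "schtasks.exe" and "/create" in cmd
            and "\\start menu\\programs\\startup\\" in cmd)


RULES = [renamed_certutil, certutil_decode, expand_tmp_archive,
         script_host_from_public, discovery_from_script_host, schtasks_into_startup]


def evaluate(events):
    """One (rule name, UtcTime, Image) tuple per rule that fires on an event."""
    return [(rule.__name__, ev["UtcTime"], ev["Image"])
            for ev in events for rule in RULES if rule(ev)]


def run(jsonl):
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return evaluate(events)


if __name__ == "__main__":
    for name, when, image in run(SAMPLE_JSONL):
        print(f"{when}  {name:28s} {image}")
```

The OriginalFileName comparison is the rule that survives the attacker's renaming trick: whatever the copy is called on disk, the version resource inside the binary is unchanged, so it catches the "mosia.exe" variant from March as well as "gosia.exe". The other rules are deliberately narrow (a script host in a world-writable directory, discovery commands whose parent is a script host, a task whose action lives in the Startup folder) so that ordinary admin use of certutil, expand and schtasks, like the two benign records at the end of the sample, stays quiet.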
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 925 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 926 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 927 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 928 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 929 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 930 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 931 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 932 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 933 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 934 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 935 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 936 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 937 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 938 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 939 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 940 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 941 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 942 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com 
goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 943 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 944 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 945 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 946 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 947 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 948 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 949 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 950 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 951 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 952 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 953 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 954 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 955 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 956 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 957 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 958 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 959 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 960 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
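Each stage of the chain described above (a renamed copy of certutil, findstr and certutil -decode working on .tmp files, expand.exe -F:*, wscript running a .js from C:\Users\Public\Downloads, cmd /c ipconfig spawned by the script host, a scheduled task for officeupdate.exe) leaves a process-creation event, and correlating several of them on one host is what distinguishes this campaign from an admin decoding a single certificate. The following is an added example written for this post, not code from Malwarebytes or from the analysis itself; it assumes Sysmon-style fields (image path, PE OriginalFileName, command line, parent image), builds its own sample events from the file names the post reports, and assumes schtasks.exe for the scheduled-task step, which the post does not specify.

```python
"""Added example: correlate stages of the Higaisa LNK chain from process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str           # path of the created process
    original_name: str   # PE OriginalFileName: survives a rename such as gosia.exe
    cmdline: str
    parent_image: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# One rule per stage the post describes; each returns True when the event matches.
RULES = {
    # certutil.exe copied under another name: image name no longer matches the PE name.
    "renamed_certutil": lambda e: e.original_name.lower() == "certutil.exe"
    and _base(e.image) != "certutil.exe",
    # cmd copying certutil through the "*ertu*.exe" wildcard the post mentions.
    "wildcard_certutil_copy": lambda e: _base(e.image) == "cmd.exe"
    and _has(r"\bcopy\b.*\*ertu\*\.exe", e.cmdline),
    # findstr carving the base64 blob out of one .tmp and redirecting it into another.
    "findstr_tmp_to_tmp": lambda e: _has(r"\bfindstr\b.*\.tmp\b.*>\s*\S*\.tmp", e.cmdline),
    # certutil -decode on a .tmp, whatever the binary is called now.
    "certutil_decode_tmp": lambda e: e.original_name.lower() == "certutil.exe"
    and _has(r"-decode\s+\S+\.tmp\s+\S+\.tmp", e.cmdline),
    # expand.exe -F:* unpacking a .tmp (the CAB) into a directory.
    "expand_tmp_cab": lambda e: _base(e.image) == "expand.exe"
    and _has(r"\S+\.tmp\s+-f:\*", e.cmdline),
    # wscript running a .js dropped in C:\Users\Public\Downloads.
    "wscript_public_js": lambda e: _base(e.image) == "wscript.exe"
    and _has(r'c:\\users\\public\\downloads\\[^\s"]+\.js', e.cmdline),
    # "cmd /c ipconfig" spawned by the script host (output staged for the POST).
    "ipconfig_from_script": lambda e: _base(e.image) == "cmd.exe"
    and _base(e.parent_image) == "wscript.exe" and _has(r"\bipconfig\b", e.cmdline),
    # Scheduled task for officeupdate.exe. schtasks.exe is an assumption: the post
    # only says the script adds the file to scheduled tasks.
    "schtask_officeupdate": lambda e: _base(e.image) == "schtasks.exe"
    and _has(r"/create\b.*officeupdate\.exe", e.cmdline),
}


def match_stages(event: ProcEvent) -> list:
    """Names of every rule the event satisfies, in RULES order."""
    return [name for name, rule in RULES.items() if rule(event)]


def stages_by_host(events) -> dict:
    """Distinct stages observed per host, in order of first appearance."""
    seen = defaultdict(list)
    for ev in events:
        for name in match_stages(ev):
            if name not in seen[ev.host]:
                seen[ev.host].append(name)
    return dict(seen)


def alert_hosts(events, min_stages: int = 3) -> list:
    """Hosts on which at least min_stages distinct stages of the chain occurred.
    A lone certutil -decode may be an admin; several stages together are the alert."""
    return sorted(h for h, st in stages_by_host(events).items() if len(st) >= min_stages)


TMP = r"C:\Users\victim\AppData\Local\Temp"
PUB = r"C:\Users\Public\Downloads"
SYS = r"C:\Windows\System32"
# Constructed telemetry: ws01 runs the chain, ws02 shows only legitimate certutil use.
SAMPLE_EVENTS = [
    ProcEvent("ws01", rf"{SYS}\cmd.exe", "Cmd.Exe",
              rf'cmd /c copy {SYS}\*ertu*.exe "{TMP}\gosia.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent("ws01", rf"{SYS}\cmd.exe", "Cmd.Exe",  # PLACEHOLDER stands in for the real search string
              rf'cmd /c findstr /b PLACEHOLDER "{TMP}\g4ZokyumB2DC4.tmp" > "{TMP}\cSi1rouy4.tmp"', r"C:\Windows\explorer.exe"),
    ProcEvent("ws01", rf"{TMP}\gosia.exe", "CertUtil.exe",
              rf"gosia.exe -decode {TMP}\cSi1rouy4.tmp {TMP}\o423DFDS4.tmp", rf"{SYS}\cmd.exe"),
    ProcEvent("ws01", rf"{SYS}\expand.exe", "expand.exe",
              rf"expand.exe {TMP}\o423DFDS4.tmp -F:* {TMP}", rf"{SYS}\cmd.exe"),
    ProcEvent("ws01", rf"{SYS}\wscript.exe", "wscript.exe",
              rf'wscript.exe "{PUB}\34fDKfSD38.js"', rf"{SYS}\cmd.exe"),
    ProcEvent("ws01", rf"{SYS}\cmd.exe", "Cmd.Exe",
              rf"cmd /c ipconfig > {PUB}\d3reEW.exe", rf"{SYS}\wscript.exe"),
    ProcEvent("ws01", rf"{SYS}\schtasks.exe", "schtasks.exe",
              r'schtasks /create /tn OfficeUpdate /tr "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe" /sc onlogon', rf"{SYS}\wscript.exe"),
    ProcEvent("ws02", rf"{SYS}\certutil.exe", "CertUtil.exe",
              "certutil.exe -verify mycert.cer", rf"{SYS}\cmd.exe"),
]
```

Running `alert_hosts(SAMPLE_EVENTS)` returns only ws01, while ws02's genuine certutil invocation matches no rule at all.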
IOCs

CV_Colliers.rar
  df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
  c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
  1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
  c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
  c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration):
- sixindent[.]epizy[.]com
- goodhk[.]azurewebsites[.]net
- zeplin[.]atwebpages[.]com

C2s used by svchast.exe:
- 45.76.6[.]149
- www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 974 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 975 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 976 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 977 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 978 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 979 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 980 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 981 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 982 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 983 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 984 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 985 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 986 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 987 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 988 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 989 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 990 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 991 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com 
goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 992 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 993 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 994 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 995 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 996 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 997 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 998 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 999 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1000 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1001 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1002 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1003 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1004 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1005 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1006 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1007 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1008 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1009 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.
The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file. [Figure: process flow of the malicious LNK file]

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used so that the string “certutil” never appears on the command line, which is meant to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (i.e. certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copied certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it (this is the data that is later exfiltrated).
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the Startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.

svchast.exe

svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
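The LNK stage described above carries its whole command chain in the shortcut’s argument string, with the CAB payload appended to the file as base64. The following Python is an added example, not code from the post or from Malwarebytes: it walks the Shell Link header and StringData fields to pull out the arguments, looks for an appended base64 run, and flags the certutil/findstr/expand/wscript chain. The sample shortcut, its command line and the payload are constructed here to mirror the steps listed above; the real sample’s exact argument string is not on the page, and the findstr pattern and the %TEMP% paths are assumptions.

```python
import base64
import re
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# CLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# A base64 run this long after the link data is not normal shortcut content.
MIN_BLOB_CHARS = 200


def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader, skip LinkTargetIDList and LinkInfo, decode the
    StringData fields and search what follows for an appended base64 blob."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # character count, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    # Everything after StringData is ExtraData plus whatever the attacker appended.
    match = re.search(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_CHARS, data[pos:])
    fields["base64_blob"] = match.group(0) if match else None
    return fields


def decode_blob(fields: dict) -> bytes:
    """Recover the appended payload the way 'certutil -decode' would."""
    blob = fields.get("base64_blob")
    return base64.b64decode(blob) if blob else b""


def lnk_indicators(fields: dict) -> list:
    """Flag the living-off-the-land chain from the post in the argument string."""
    args = (fields.get("arguments") or "").lower()
    checks = (("certutil copied under a wildcard name", "*ertu*"),
              ("certutil -decode of a dropped file", "-decode"),
              ("findstr used to carve a blob out of a file", "findstr"),
              ("expand.exe extracting a CAB", "expand"),
              ("wscript launched from C:\\Users\\Public", "\\users\\public\\"))
    found = [label for label, needle in checks if needle in args]
    if fields.get("base64_blob"):
        found.append("large base64 blob appended to the LNK")
    return found


def build_sample_lnk(arguments: str, payload: bytes) -> bytes:
    """Build a minimal unicode .lnk carrying only an arguments string, then append
    a base64 payload after the terminal block. Constructed stand-in, not the real sample."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + b"\r\n" + base64.b64encode(payload)


# Constructed command line modelled on the steps listed in the LNK section;
# the findstr pattern and %TEMP% paths are assumptions, not the sample's own.
SAMPLE_ARGUMENTS = (
    r'/c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe & '
    r'findstr /b "TVNDRg" %TEMP%\g4ZokyumB2DC4.tmp > %TEMP%\cSi1rouy4.tmp & '
    r'%TEMP%\gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp & '
    r'expand %TEMP%\o423DFDS4.tmp -F:* %TEMP% & '
    r'wscript C:\Users\Public\Downloads\34fDKfSD38.js'
)
# "MSCF" is the CAB magic; the padding makes the blob long enough to stand out.
SAMPLE_PAYLOAD = b"MSCF" + b"\x00" * 200

if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk(SAMPLE_ARGUMENTS, SAMPLE_PAYLOAD))
    print(parsed["arguments"])
    for hit in lnk_indicators(parsed):
        print("  [!]", hit)
```

Run against a real shortcut with `parse_lnk(open(path, "rb").read())`; a benign .lnk yields an empty indicator list, while a shortcut whose arguments chain a renamed certutil, findstr, expand and wscript, and which carries a long base64 tail, lights up every check.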
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address

The technique IDs above are those of the ATT&CK matrix that was current when this post was written, before sub-techniques were introduced in July 2020. In the current matrix T1064 and T1060 have been retired in favour of the T1059 sub-techniques and T1547.001 respectively, T1106 is now named Native API, and T1053 is Scheduled Task/Job with T1053.005 covering Windows scheduled tasks.
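The process, file and image-load behaviour the table above maps can be turned into detection logic. Below is an added example in Python, not code from the post, run over constructed Sysmon-style events that mimic the chain: cmd.exe spawned by WinRAR.exe, a copy of certutil running under another name (Sysmon’s OriginalFileName still reads CertUtil.exe), expand.exe -F:*, wscript.exe launched from C:\Users\Public, the script host writing d3reEW.exe and officeupdate.exe, and taskschd.dll being loaded by the script host. The event values are constructed; the taskschd.dll rule assumes the JS registers the task through the Task Scheduler COM interface, as the table’s wording suggests, rather than via schtasks.exe, and a benign certutil run is included as a control.

```python
import ntpath

# Constructed Sysmon-style events, not telemetry from the post.
# EventID 1 = process creation, 7 = image load, 11 = file creation.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "CommandLine": r"expand %TEMP%\o423DFDS4.tmp -F:* %TEMP%",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Public\Downloads\d3reEW.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\officeupdate.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},
    # Benign control: certutil run under its own name for a legitimate purpose.
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify cert.cer", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def _is_certutil(e):
    # The PE version resource survives a rename or a wildcard copy.
    return e["EventID"] == 1 and e.get("OriginalFileName", "").lower() == "certutil.exe"


def rule_cmd_from_archiver(e):
    return e["EventID"] == 1 and _base(e["Image"]) == "cmd.exe" and _base(e.get("ParentImage")) == "winrar.exe"


def rule_renamed_certutil(e):
    return _is_certutil(e) and _base(e["Image"]) != "certutil.exe"


def rule_certutil_decode(e):
    return _is_certutil(e) and "-decode" in e.get("CommandLine", "").lower()


def rule_expand_wildcard(e):
    return e["EventID"] == 1 and _base(e["Image"]) == "expand.exe" and "-f:*" in e.get("CommandLine", "").lower()


def rule_wscript_from_public(e):
    return e["EventID"] == 1 and _base(e["Image"]) == "wscript.exe" and "\\users\\public\\" in e.get("CommandLine", "").lower()


def rule_exe_dropped_in_public(e):
    target = e.get("TargetFilename", "").lower()
    return e["EventID"] == 11 and target.startswith("c:\\users\\public\\") and target.endswith(".exe")


def rule_startup_folder_write(e):
    target = e.get("TargetFilename", "").lower()
    return e["EventID"] == 11 and "\\start menu\\programs\\startup\\" in target and target.endswith(".exe")


def rule_script_host_task_scheduler(e):
    # Assumption: the JS uses the Task Scheduler COM interface (taskschd.dll).
    return e["EventID"] == 7 and _base(e.get("ImageLoaded")) == "taskschd.dll" and _base(e["Image"]) in ("wscript.exe", "cscript.exe")


RULES = {
    "cmd_from_archiver": rule_cmd_from_archiver,
    "renamed_certutil": rule_renamed_certutil,
    "certutil_decode": rule_certutil_decode,
    "expand_wildcard": rule_expand_wildcard,
    "wscript_from_public": rule_wscript_from_public,
    "exe_dropped_in_public": rule_exe_dropped_in_public,
    "startup_folder_write": rule_startup_folder_write,
    "script_host_task_scheduler": rule_script_host_task_scheduler,
}


def scan(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

Each rule is deliberately narrow so it can run on its own; in practice the certutil rules and the Public-folder rules are the ones with a low enough false-positive rate to alert on directly, while the archiver-to-cmd and taskschd.dll rules work better as correlation context on the same host within a short window.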
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula and was first disclosed by the Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut (LNK) file that kicks off a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive, most likely distributed via spear-phishing. We identified two variants of this campaign, probably distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results.
The older one (Project link and New copyright policy.rar) seems to target product teams that use zeplin.io. The sections below follow the process flow that unfolds when the malicious LNK file is executed.

LNK file

The LNK file contains a list of commands that are executed when it is opened, plus a blob that is a base64-encoded, compressed payload. The commands are:

1. Copy the content of the LNK file itself into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy “certutil.exe” to “gosia.exe” (the wildcard pattern “*ertu*.exe” is used to locate certutil.exe without naming it, to evade string-based detection).
3. Locate the base64 blob with “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode “cSi1rouy4.tmp” with “gosia.exe -decode” (i.e. certutil.exe -decode) into “o423DFDS4.tmp”.
5. Decompress “o423DFDS4.tmp”, a CAB file, into the temp directory along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy “66DF3DFG.tmp” and “34fDKfSD38.js” into “C:\Users\Public\Downloads”.
7. Execute the JS file with Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one Anomali reported for the Higaisa COVID-19 campaign. The only differences are the names of the tmp files and the name given to the renamed certutil.exe: “gosia.exe” here, versus “mosia.exe” in the March campaign.

Both LNK files embedded in each archive execute similar commands with different command and control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following actions:

- Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
- Execute the dropped “svchast.exe”.
- Copy “svchast.exe” into the Startup directory and rename it “officeupdate.exe”.
- Add “officeupdate.exe” to the scheduled tasks.
- Send a POST request to a hardcoded URL with the content of “d3reEW.exe” (the ipconfig output) as the body.

svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in “66DF3DFG.tmp”. This shellcode is itself a wrapper around the final shellcode: it performs some checks and then calls the final shellcode, which dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its own memory space that makes HTTPS requests to its C&C server.

At the time of analysis the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore stopped the attack completely.
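The LNK stage above is a chain of built-in Windows binaries (certutil, findstr, expand, wscript) driven by a single shortcut command line, with the payload riding along as a base64 blob appended to the .lnk itself. The Python below is an added example, not code from the Malwarebytes post: it parses the Shell Link structure far enough to recover the command-line arguments (MS-SHLLINK: header, LinkTargetIDList, LinkInfo, StringData, ExtraData), flags the stages of the chain, and carves and decodes the blob that follows the link structure. The shortcut bytes, the command line in MALICIOUS_ARGS and the 'MSCF'-prefixed payload are all constructed here and only mirror the steps listed above; they are not the real sample's contents.

```python
"""Parse a Shell Link (.lnk), flag the LOLBin chain in its command line, carve the appended blob.

Added example, not the Malwarebytes authors' code. build_lnk() fabricates the shortcut bytes,
MALICIOUS_ARGS is a constructed command line that only mirrors the steps listed in the post,
and FAKE_CAB is an 'MSCF'-prefixed stand-in, not a real cabinet or the real sample.
"""
import base64
import binascii
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData and ExtraData (MS-SHLLINK).
    Returns the StringData fields plus 'trailing': whatever follows the TerminalBlock."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, off = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_IDLIST:                      # IDListSize (u16) followed by the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    out, width = {}, 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_FIELDS:            # CountCharacters (u16) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            off += 2 + count * width
            out[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    while off + 4 <= len(data):                 # ExtraData: u32-sized blocks, ended by a size < 4
        size = struct.unpack_from("<I", data, off)[0]
        off += size if size >= 4 else 4
        if size < 4:
            break
    out["trailing"] = data[off:]
    return out


RULES = (
    ("certutil.exe found by wildcard (*ertu*.exe) and copied under another name", re.compile(r"\*ertu\*\.exe", re.I)),
    ("findstr.exe carving a blob out of the shortcut/tmp file", re.compile(r"findstr(\.exe)?\s.*\.(lnk|tmp)", re.I)),
    ("expand.exe unpacking a CAB into the temp directory", re.compile(r"expand(\.exe)?\s.*-F:", re.I)),
    ("script host run on a file under C:\\Users\\Public", re.compile(r"[wc]script(\.exe)?\s.*Users\\Public", re.I)),
)
DECODE_CALL = re.compile(r"(\S+)\s+-decode\b", re.I)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_lolbin_chain(arguments: str) -> list:
    """Names of the chain stages present in a shortcut's command line."""
    hits = [desc for desc, rx in RULES if rx.search(arguments)]
    for m in DECODE_CALL.finditer(arguments):
        exe = m.group(1).strip('"').rsplit("\\", 1)[-1].lower()
        if exe != "certutil.exe":               # -decode is certutil's switch; any other name is a renamed copy
            hits.append(f"-decode invoked through renamed binary {exe}")
    return hits


def extract_appended_payload(trailing: bytes):
    """Decode the longest base64 run found after the link structure; None if absent or invalid."""
    runs = B64_RUN.findall(trailing)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += b"=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None


def analyze(data: bytes) -> dict:
    lnk = parse_lnk(data)
    args, payload = lnk.get("arguments", ""), extract_appended_payload(lnk["trailing"])
    return {"arguments": args, "findings": find_lolbin_chain(args),
            "payload_magic": payload[:4] if payload else None,   # b"MSCF" = CAB, what expand.exe wants
            "payload_size": len(payload) if payload else 0}


def build_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Minimal Unicode shortcut to cmd.exe carrying `arguments`, with `appended` glued after the TerminalBlock."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE) + b"\0" * 52
    def sd(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(r"..\..\..\Windows\System32\cmd.exe") + sd(arguments) + struct.pack("<I", 0) + appended


MALICIOUS_ARGS = (  # constructed; same stages as the post's list, not the real sample's command line
    r'/c copy /y "%CD%\*.lnk" %TEMP%\g4ZokyumB2DC4.tmp '
    r'& for /r C:\Windows\System32 %i in (*ertu*.exe) do copy /y %i %TEMP%\gosia.exe '
    r'& findstr.exe TVNDRg %TEMP%\g4ZokyumB2DC4.tmp > %TEMP%\cSi1rouy4.tmp '   # TVNDRg = base64("MSCF")
    r'& %TEMP%\gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp '
    r'& expand.exe %TEMP%\o423DFDS4.tmp -F:* %TEMP% '
    r'& copy %TEMP%\66DF3DFG.tmp C:\Users\Public\Downloads & copy %TEMP%\34fDKfSD38.js C:\Users\Public\Downloads '
    r'& wscript C:\Users\Public\Downloads\34fDKfSD38.js & start "" %TEMP%\decoy.pdf'
)
FAKE_CAB = b"MSCF" + b"\0" * 60 + b"stand-in CAB body, not a real cabinet"
SAMPLE_LNK = build_lnk(MALICIOUS_ARGS, b"\r\n" + base64.b64encode(FAKE_CAB) + b"\r\n")
BENIGN_LNK = build_lnk("/k echo hello")

if __name__ == "__main__":
    print(analyze(SAMPLE_LNK))
```

Against a real shortcut, read the file bytes and pass them to analyze(); the parser stops at the TerminalBlock precisely so that anything an attacker glued onto the end of the .lnk (the blob findstr is meant to find) is returned separately rather than being mistaken for link metadata.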
(Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1085 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1086 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1087 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1088 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1089 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1090 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1091 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1092 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com 
goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1093 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1094 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1095 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1096 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1097 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1098 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1099 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1100 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1101 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1102 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1103 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1104 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1105 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1106 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1107 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1108 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. 
We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1109 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1110 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1111 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. 
The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1112 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1113 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1114 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. 
Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1115 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1116 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1117 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1118 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1119 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1120 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1121 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1122 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1123 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1124 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1125 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1126 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1127 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe)
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |

This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the literal file name to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the certutil.exe copy, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.
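The LNK stage described above hides its payload as a base64 blob that the shortcut's own commands extract with findstr, decode with a renamed certutil and unpack with expand.exe. The following Python script is an added triage example, not code from the Malwarebytes post: it does the same extraction statically, without running anything, and, when the decoded blob is a Microsoft Cabinet (MSCF header), lists the member names that expand.exe would drop. The sample LNK bytes and the header-only cabinet inside them are constructed for the example; the member names are the ones the post reports.

```python
"""Triage of the base64 blob embedded in a malicious LNK file.

Added example, not code from the Malwarebytes post: it locates the long
base64 run that the shortcut's own command chain pulls out with findstr and
certutil -decode, decodes it, and, when the result is a Microsoft Cabinet
(MSCF header), lists the member names expand.exe would extract. Nothing is
written to disk or executed; the sample LNK bytes below are constructed.
"""
import base64
import re
import struct
from typing import Dict, List, Optional

# 64+ contiguous base64 characters is a conservative floor for an embedded
# payload; the attackers' findstr step grabs the whole base64 line.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

CAB_SIGNATURE = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"          # fixed CFHEADER, 36 bytes
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)
CFFOLDER_FMT = "<IHH"                      # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"                     # fixed CFFILE part, then NUL-terminated szName
CFFILE_LEN = struct.calcsize(CFFILE_FMT)
CFHDR_RESERVE_PRESENT = 0x0004


def find_base64_blob(data: bytes) -> Optional[bytes]:
    """Return the longest base64 run in data, or None if none is long enough."""
    runs = B64_RUN.findall(data)
    return max(runs, key=len) if runs else None


def parse_cab_names(cab: bytes) -> List[str]:
    """List member file names from a cabinet's CFFILE entries ([] if not a CAB)."""
    if len(cab) < CFHEADER_LEN or cab[:4] != CAB_SIGNATURE:
        return []
    fields = struct.unpack(CFHEADER_FMT, cab[:CFHEADER_LEN])
    coff_files, cfiles, flags = fields[4], fields[9], fields[10]
    if flags & CFHDR_RESERVE_PRESENT:
        return []  # optional reserve fields shift offsets; not handled here
    names: List[str] = []
    pos = coff_files
    for _ in range(cfiles):
        if pos + CFFILE_LEN > len(cab):
            break
        pos += CFFILE_LEN
        end = cab.find(b"\x00", pos)
        if end == -1:
            break
        names.append(cab[pos:end].decode("latin-1"))
        pos = end + 1
    return names


def triage_lnk(data: bytes) -> Dict[str, object]:
    """Summarise what the LNK's embedded blob decodes to."""
    blob = find_base64_blob(data)
    if blob is None:
        return {"blob_found": False, "is_cab": False, "members": []}
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:
        return {"blob_found": True, "is_cab": False, "members": []}
    return {"blob_found": True,
            "is_cab": decoded[:4] == CAB_SIGNATURE,
            "members": parse_cab_names(decoded)}


def build_sample_cab(names: List[str]) -> bytes:
    """Construct a header-only cabinet (one folder, no data blocks) for testing."""
    folder = struct.pack(CFFOLDER_FMT, 0, 0, 0)
    files = b"".join(
        struct.pack(CFFILE_FMT, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
        for n in names)
    coff_files = CFHEADER_LEN + len(folder)
    header = struct.pack(CFHEADER_FMT, CAB_SIGNATURE, 0, coff_files + len(files), 0,
                         coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return header + folder + files


# Constructed stand-in for a .lnk: a fake header, some argument text and the
# base64 cabinet on its own line, mirroring the layout findstr relies on.
SAMPLE_LNK = (b"L\x00\x00\x00\x01\x14\x02\x00"
              b"cmd.exe /c echo constructed shortcut arguments\r\n"
              + base64.b64encode(build_sample_cab(["66DF3DFG.tmp", "34fDKfSD38.js", "decoy.pdf"]))
              + b"\r\n\x00")

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

The cabinet parser reads only the CFHEADER and CFFILE directory, which is enough to know what a sample would drop; cabinets with the optional reserve fields set are reported as unparsed rather than misread.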
JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.

svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
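The LNK and JS stages above leave a distinctive trail in process-creation telemetry: a copy of certutil made through a wildcard, the copy invoked with -decode under a different image name, expand.exe unpacking a .tmp, wscript launched on a script in C:\Users\Public\Downloads, and persistence through the Startup folder and a scheduled task. The Python below is an added detection example, not code from the Malwarebytes post, covering both stages with one rule set. The event field names (image, original_file_name, command_line, parent_image) are assumptions modelled on Sysmon event ID 1, and the sample events are constructed to mirror the commands the post lists, not captured from the campaign.

```python
"""Behavioural rules for the LNK-to-JS chain, run over constructed events.

Added example, not from the Malwarebytes post. Field names are assumptions
modelled on Sysmon process-creation events; sample events are constructed.
"""
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Rule = Tuple[str, Callable[[Event], bool]]

PUBLIC_DOWNLOADS = "c:\\users\\public\\downloads"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _cmd(ev: Event) -> str:
    return ev.get("command_line", "").lower()


RULES: List[Rule] = [
    # LNK stage: certutil copied under another name. The PE's original file
    # name still says CertUtil.exe while the image path does not.
    ("renamed_certutil_decode", lambda ev:
        ev.get("original_file_name", "").lower() == "certutil.exe"
        and _base(ev.get("image", "")) != "certutil.exe"
        and "-decode" in _cmd(ev)),
    # LNK stage: wildcard copy that avoids spelling out certutil.exe.
    ("wildcard_copy_of_certutil", lambda ev:
        _base(ev.get("image", "")) == "cmd.exe"
        and "copy" in _cmd(ev) and "*ertu*" in _cmd(ev)),
    # LNK stage: expand.exe unpacking a cabinet stored as a .tmp file.
    ("expand_cab_from_tmp", lambda ev:
        _base(ev.get("image", "")) == "expand.exe"
        and "-f:*" in _cmd(ev) and ".tmp" in _cmd(ev)),
    # LNK stage: script host started on a script under Public\Downloads.
    ("wscript_from_public_downloads", lambda ev:
        _base(ev.get("image", "")) in ("wscript.exe", "cscript.exe")
        and PUBLIC_DOWNLOADS in _cmd(ev)),
    # JS stage: persistence via the Startup folder, either a copy into it or
    # a scheduled task whose action lives there.
    ("startup_folder_persistence", lambda ev:
        STARTUP_DIR in _cmd(ev)
        and (_base(ev.get("image", "")) == "schtasks.exe" or "copy" in _cmd(ev))),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((i, name))
    return hits


# Constructed sample events mirroring the command chain in the post.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r"cmd.exe /c copy /y C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"image": r"C:\Windows\System32\expand.exe", "original_file_name": "expand.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"expand.exe o423DFDS4.tmp -F:* %TEMP%"},
    {"image": r"C:\Windows\System32\wscript.exe", "original_file_name": "wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks /create /tn officeupdate /tr "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'},
    # Benign control: certutil run under its own name must not fire.
    {"image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil.exe -decode cert.b64 cert.der"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(idx, rule)
```

The renamed-certutil rule is the one worth keeping even if the rest is tuned: keying on the PE's original file name rather than the image path means the "gosia.exe"/"mosia.exe" renaming the post describes across campaigns does not matter to the detection.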
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)

sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe

45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
|---|---|---|---|
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for commands execution (WinRAR.exe, wscript.exe) |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1194 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1195 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1196 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1197 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1198 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1199 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1200 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1201 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1202 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1203 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1204 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1205 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1206 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1207 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1208 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1209 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1210 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1211 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1212 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1213 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1214 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1215 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1216 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file that kicks off a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file, which was most likely distributed via spear-phishing. We identified two variants of this campaign, possibly distributed between May 12th and 31st:

- "CV_Colliers.rar"
- "Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that use zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe" (running certutil under a different file name is meant to bypass detections that key on the name "certutil.exe"; the file still matches a "*ertu*.exe" pattern, which is one way to catch it).
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (that is, certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" into the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa COVID-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is "gosia.exe", while in the March campaign the name was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the startup directory and rename it as "officeupdate.exe".
4. Add "officeupdate.exe" to scheduled tasks.
5. Send a POST request to a hardcoded URL with "d3reEW.exe" as data.
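The three LOLBin steps above (findstr to isolate the blob, a renamed certutil to base64-decode it, expand.exe to unpack the cabinet) can be reproduced statically, so an analyst can list what a shortcut would drop without letting it run. The Python below is an added example, not code from the Malwarebytes post: it pulls the base64 run out of the LNK bytes, decodes it, checks for the "MSCF" cabinet signature and walks the CFHEADER/CFFILE records. The shortcut bytes and the cabinet members are constructed here; the member names echo the files named in the post, their contents are placeholders.

```python
"""Static walk of the LNK extraction chain: findstr -> certutil -decode -> expand.

Added example. Locates the base64 blob appended to a shortcut, decodes it, and lists
the CAB members from the cabinet header instead of executing expand.exe.
"""
import base64
import re
import struct

CAB_MAGIC = b"MSCF"
# A long run of base64 alphabet plus line breaks. The binary LNK structures never
# produce 200+ consecutive such bytes, so the longest run is the appended blob.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{200,}")


def extract_b64_blob(lnk_bytes: bytes) -> bytes:
    """What findstr.exe isolated: the longest base64-looking run, whitespace removed."""
    runs = B64_RUN.findall(lnk_bytes)
    if not runs:
        raise ValueError("no base64 blob found in shortcut")
    return re.sub(rb"\s+", b"", max(runs, key=len))


def decode_blob(blob: bytes) -> bytes:
    """What 'gosia.exe -decode' (a copy of certutil.exe) produced: the raw cabinet."""
    raw = base64.b64decode(blob)
    if not raw.startswith(CAB_MAGIC):
        raise ValueError("decoded payload is not a CAB (missing MSCF signature)")
    return raw


def list_cab_files(cab: bytes):
    """Parse CFHEADER and CFFILE records; returns [(name, size)] without decompressing."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _minor, _major,
     _c_folders, c_files, flags, _set_id, _i_cab) = struct.unpack_from("<4sIIIIIBBHHHHH", cab, 0)
    if sig != CAB_MAGIC or cb_cabinet != len(cab):
        raise ValueError("bad CAB header")
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: header is longer than this minimal parser assumes
        raise ValueError("reserved header fields present; extend the parser")
    files, off = [], coff_files
    for _ in range(c_files):
        cb_file, _uoff, _i_folder, _date, _time, _attr = struct.unpack_from("<IIHHHH", cab, off)
        off += 16
        end = cab.index(b"\x00", off)  # szName is NUL-terminated
        files.append((cab[off:end].decode("ascii", "replace"), cb_file))
        off = end + 1
    return files


def analyse_lnk(lnk_bytes: bytes):
    return list_cab_files(decode_blob(extract_b64_blob(lnk_bytes)))


# Constructed sample members: names follow the post, contents are placeholders.
SAMPLE_FILES = [
    ("International English Language Testing System certificate.pdf", b"%PDF-1.4 decoy"),
    ("66DF3DFG.tmp", bytes(64)),  # stands in for the shellcode blob
    ("34fDKfSD38.js", b"// dropper script placeholder"),
]


def build_sample_cab(entries) -> bytes:
    """Minimal uncompressed, single-folder cabinet (the layout expand.exe -F:* unpacks)."""
    cffile, uoff = b"", 0
    for name, content in entries:
        cffile += struct.pack("<IIHHHH", len(content), uoff, 0, 0x50C1, 0x0000, 0x20)
        cffile += name.encode("ascii") + b"\x00"
        uoff += len(content)
    data = b"".join(c for _, c in entries)
    coff_files = 36 + 8                      # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(data), len(data)) + data  # checksum 0: not verified here
    total = coff_data + len(cfdata)
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, total, 0, coff_files, 0,
                         3, 1, 1, len(entries), 0, 0x1234, 0)
    folder = struct.pack("<IHH", coff_data, 1, 0)  # one CFDATA block, typeCompress 0 = none
    return header + folder + cffile + cfdata


def build_sample_lnk(cab: bytes) -> bytes:
    """LNK HeaderSize + LinkCLSID, binary filler, then the base64 blob certutil can read."""
    lnk_header = b"\x4c\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    filler = bytes(range(256)) * 2
    return (lnk_header + filler + b"\r\n-----BEGIN CERTIFICATE-----\r\n"
            + base64.encodebytes(cab) + b"-----END CERTIFICATE-----\r\n")


def demo():
    """Build the constructed shortcut and run the whole chain on it."""
    return analyse_lnk(build_sample_lnk(build_sample_cab(SAMPLE_FILES)))


if __name__ == "__main__":
    for name, size in demo():
        print(f"{size:6d}  {name}")
```

To use it on a real sample, pass the shortcut's bytes to analyse_lnk(). Only the file records are read, so MSZIP or LZX compressed cabinets still list correctly; a cabinet that sets the reserve flag is rejected rather than misparsed, and a decoded payload that is not a cabinet (for example a PE) is reported instead of being written anywhere.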
svchast.exe

Svchast.exe is a small loader that loads the shellcode stored in "66DF3DFG.tmp". This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls "CreateThread" to create a thread within its own memory space that makes HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1247 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1248 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1249 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1250 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1251 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1252 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1253 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1254 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1255 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1256 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1257 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1258 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1259 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1260 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1261 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1262 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1263 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1264 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1265 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1266 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1267 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1268 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1269 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1270 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1271 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1272 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.

LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to certutil.exe, which in this new case is “gosia.exe”, while in the March campaign it was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
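As an added example (not code from the article or from Malwarebytes), the following Python shows how a defender could hunt for the LNK-to-JS chain described above in process-creation telemetry. It assumes Sysmon-style fields (Image, CommandLine, ParentImage, OriginalFileName); the sample events are constructed from the file names in the article, and the use of schtasks.exe for the scheduled task and the temp paths are assumptions.

```python
"""Process-creation heuristics for the Higaisa LNK chain (added example).

Each rule maps to one stage the article describes: a renamed certutil.exe
decoding .tmp files, expand.exe -F:* on a .tmp, wscript running a .js from
C:\\Users\\Public\\Downloads, that script spawning "cmd /c ipconfig", and a
scheduled task for officeupdate.exe. Sample events below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Matches "gosia.exe"-style copies made with the *ertu*.exe wildcard.
_ERTU = re.compile(r".*ertu.*\.exe")


@dataclass
class ProcEvent:
    image: str                    # path of the new process (Sysmon Image)
    cmdline: str                  # its command line (CommandLine)
    parent_image: str             # path of the parent (ParentImage)
    original_file_name: str = ""  # PE version-info name (OriginalFileName)


def base(path: str) -> str:
    """Lower-cased file-name component of a Windows path."""
    return ntpath.basename(path).lower()


def looks_like_certutil(ev: ProcEvent) -> bool:
    # The PE's OriginalFileName survives a rename; so does the *ertu* pattern.
    return (ev.original_file_name.lower() == "certutil.exe"
            or _ERTU.fullmatch(base(ev.image)) is not None)


def renamed_certutil(ev: ProcEvent) -> bool:
    # certutil.exe running under another name ("gosia.exe" in this campaign).
    return base(ev.image) != "certutil.exe" and looks_like_certutil(ev)


def certutil_decode_tmp(ev: ProcEvent) -> bool:
    # "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp": base64 decode of .tmp files.
    cl = ev.cmdline.lower()
    return looks_like_certutil(ev) and "-decode" in cl and ".tmp" in cl


def expand_wildcard_tmp(ev: ProcEvent) -> bool:
    # "expand.exe -F:* o423DFDS4.tmp": CAB extraction from a .tmp file.
    cl = ev.cmdline.lower()
    return base(ev.image) == "expand.exe" and "-f:*" in cl and ".tmp" in cl


def script_from_public_downloads(ev: ProcEvent) -> bool:
    # wscript/cscript running a .js dropped into C:\Users\Public\Downloads.
    cl = ev.cmdline.lower()
    return (base(ev.image) in ("wscript.exe", "cscript.exe")
            and "\\users\\public\\downloads\\" in cl and ".js" in cl)


def script_spawns_ipconfig(ev: ProcEvent) -> bool:
    # The JS file runs "cmd /c ipconfig" and later POSTs the output.
    return (base(ev.image) == "cmd.exe" and "ipconfig" in ev.cmdline.lower()
            and base(ev.parent_image) in ("wscript.exe", "cscript.exe"))


def officeupdate_task(ev: ProcEvent) -> bool:
    # Persistence via a scheduled task for officeupdate.exe. The article only
    # says the task is added; schtasks.exe as the mechanism is an assumption.
    return base(ev.image) == "schtasks.exe" and "officeupdate.exe" in ev.cmdline.lower()


# (rule name, ATT&CK technique as tagged in the article, predicate)
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("renamed_certutil", "T1140", renamed_certutil),
    ("certutil_decode_tmp", "T1140", certutil_decode_tmp),
    ("expand_wildcard_tmp", "T1140", expand_wildcard_tmp),
    ("script_from_public_downloads", "T1064", script_from_public_downloads),
    ("script_spawns_ipconfig", "T1016", script_spawns_ipconfig),
    ("officeupdate_task", "T1053", officeupdate_task),
]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, technique) for every rule that fires."""
    return [(i, name, tech) for i, ev in enumerate(events)
            for name, tech, pred in RULES if pred(ev)]


def chain_stages(events: List[ProcEvent]) -> int:
    """Distinct stages seen on one host; several together is far stronger than any one."""
    return len({name for _, name, _ in detect(events)})


TMP = r"C:\Users\victim\AppData\Local\Temp"        # assumed paths
PUB = r"C:\Users\Public\Downloads"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample: the chain from the article, then two benign events.
SAMPLE_EVENTS = [
    ProcEvent(TMP + r"\gosia.exe", f'"{TMP}\\gosia.exe" -decode cSi1rouy4.tmp o423DFDS4.tmp',
              r"C:\Windows\System32\cmd.exe", "CertUtil.exe"),
    ProcEvent(r"C:\Windows\System32\expand.exe", f"expand.exe -F:* o423DFDS4.tmp {TMP}",
              r"C:\Windows\System32\cmd.exe", "expand.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", f'wscript.exe "{PUB}\\34fDKfSD38.js"',
              r"C:\Windows\System32\cmd.exe", "wscript.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd /c ipconfig",
              r"C:\Windows\System32\wscript.exe", "Cmd.Exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              f'schtasks /create /tn officeupdate /tr "{STARTUP}\\officeupdate.exe" /sc minute',
              r"C:\Windows\System32\wscript.exe", "schtasks.exe"),
    # benign: an admin hashing an installer, and a logon script outside Public\Downloads
    ProcEvent(r"C:\Windows\System32\certutil.exe", "certutil -hashfile setup.msi SHA256",
              r"C:\Windows\System32\cmd.exe", "CertUtil.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.js"',
              r"C:\Windows\explorer.exe", "wscript.exe"),
]

if __name__ == "__main__":
    for idx, rule, tech in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({tech})")
    print("chain stages observed:", chain_stages(SAMPLE_EVENTS))
```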
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.

IOCs

File | SHA256
CV_Colliers.rar | df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar | c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk | 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk | c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1287 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1288 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1289 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1290 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1291 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1292 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1293 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe”. The copy refers to its source as “*ertu*.exe”: the wildcard keeps the string “certutil” out of the command line, which is enough to sidestep detections that key on that name.
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (i.e. certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Run “cmd /c ipconfig” and store its output in “d3reEW.exe” in “C:\Users\Public\Downloads”.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the Startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” (the ipconfig output) as the data.
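The findstr, certutil -decode and expand.exe steps of the LNK section above can be replayed statically when triaging a suspicious shortcut, without letting any of it run. The script below is an added example written for this page, not Malwarebytes' code and not the campaign's files: it pulls the base64 blob out of an LNK, decodes it, parses the cabinet's CFHEADER, CFFOLDER and CFFILE records, lists what the cabinet carries and extracts the files when the folder is stored uncompressed. The shortcut and cabinet it runs on are constructed inline (the file name 34fDKfSD38.js is taken from the post; contents are invented), and multi-part cabinets and compressed folders are deliberately out of scope.

```python
"""Static triage of a Higaisa-style LNK: find the appended base64 blob, decode it as
'certutil -decode' would, and list (and, for stored folders, extract) the cabinet that
expand.exe would unpack. Added example, not Malwarebytes' code; sample data is constructed."""
import base64
import re
import struct

CAB_HEADER = "<4sIIIIIBBHHHHH"  # CFHEADER: 36 bytes
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
# The job findstr does inside the LNK: pick the long base64 run out of the file text.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_base64_blob(lnk_bytes: bytes):
    """Longest base64 run in the shortcut, or None if there is none."""
    runs = B64_RUN.findall(lnk_bytes)
    return max(runs, key=len) if runs else None


def parse_cab(data: bytes) -> dict:
    """Parse CFHEADER, CFFOLDER and CFFILE records into folders and file entries."""
    hdr = struct.unpack_from(CAB_HEADER, data, 0)
    if hdr[0] != b"MSCF":
        raise ValueError("not a cabinet (missing MSCF signature)")
    coff_files, c_folders, c_files, flags = hdr[4], hdr[8], hdr[9], hdr[10]
    if flags & 0x0003:  # PREV/NEXT_CABINET: multi-part sets are out of scope here
        raise ValueError("multi-cabinet set not supported")
    pos, folder_res, data_res = 36, 0, 0
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: header/folder/data reserve sizes follow
        hdr_res, folder_res, data_res = struct.unpack_from("<HBB", data, pos)
        pos += 4 + hdr_res
    folders = []
    for _ in range(c_folders):
        coff_start, c_cfdata, type_compress = struct.unpack_from("<IHH", data, pos)
        folders.append({"coff_start": coff_start, "c_cfdata": c_cfdata,
                        "compression": COMPRESSION.get(type_compress & 0xF, "unknown")})
        pos += 8 + folder_res
    files, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder = struct.unpack_from("<IIH", data, pos)
        pos += 16  # cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = data.index(b"\x00", pos)  # szName is NUL-terminated
        files.append({"name": data[pos:end].decode("latin-1"), "size": cb_file,
                      "offset": uoff, "folder": i_folder})
        pos = end + 1
    return {"folders": folders, "files": files, "data_reserve": data_res}


def folder_bytes(data: bytes, cab: dict, i_folder: int) -> bytes:
    """Concatenate the CFDATA blocks of a stored (uncompressed) folder."""
    f = cab["folders"][i_folder]
    if f["compression"] != "none":  # MSZIP/LZX would need a decompressor; list only
        raise NotImplementedError(f["compression"])
    out, pos = bytearray(), f["coff_start"]
    for _ in range(f["c_cfdata"]):
        _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", data, pos)
        pos += 8 + cab["data_reserve"]
        out += data[pos:pos + cb_data]
        pos += cb_data
    return bytes(out)


def triage_lnk(lnk_bytes: bytes) -> dict:
    """blob -> base64 decode -> cabinet listing, plus extracted files where stored raw."""
    blob = extract_base64_blob(lnk_bytes)
    if blob is None:
        return {"has_blob": False}
    cab_bytes = base64.b64decode(blob, validate=True)
    cab = parse_cab(cab_bytes)
    extracted = {}
    for entry in cab["files"]:
        try:
            raw = folder_bytes(cab_bytes, cab, entry["folder"])
        except NotImplementedError:
            continue
        extracted[entry["name"]] = raw[entry["offset"]:entry["offset"] + entry["size"]]
    return {"has_blob": True, "cab_size": len(cab_bytes), "files": cab["files"],
            "extracted": extracted}


def build_uncompressed_cab(files: dict) -> bytes:
    """Minimal one-folder, stored cabinet; used only to construct the sample input."""
    payload, entries, off = b"", [], 0
    for name, content in files.items():
        entries.append(struct.pack("<IIHHHH", len(content), off, 0, 0, 0, 0x20)
                       + name.encode() + b"\x00")
        payload += content
        off += len(content)
    cffiles = b"".join(entries)
    coff_files = 36 + 8  # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    header = struct.pack(CAB_HEADER, b"MSCF", 0, coff_data + len(cfdata), 0, coff_files,
                         0, 3, 1, 1, len(files), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_data, 1, 0) + cffiles + cfdata


# Constructed sample: shortcut header (size + CLSID), filler, then the blob as text.
SAMPLE_FILES = {"34fDKfSD38.js": b"WScript.Echo('constructed sample, not the dropper');",
                "decoy.pdf": b"%PDF-1.4\n% constructed decoy\n"}
SAMPLE_LNK = (b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
              + b"\x00" * 60 + b"\r\n"
              + base64.b64encode(build_uncompressed_cab(SAMPLE_FILES)) + b"\r\n")
```

Listing the cabinet before anything runs tells you which script and decoy names to hunt for on disk and gives you hashes to pivot on. A real sample's folder will usually be MSZIP- or LZX-compressed; the listing still works in that case, and the extraction step hands off to a proper CAB extractor instead of guessing.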
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its own memory space that makes HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.
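Every stage of the chain above leaves a process-creation event, and none of the binaries involved is unusual on its own; what is unusual is the combination on one host. The following is an added example, not Malwarebytes' detection logic: a small rule set over Sysmon-style process events (image, parent image, command line and the PE's OriginalFileName) that scores each host on how many distinct stages it sees, from cmd.exe spawned by WinRAR, through the wildcard copy of certutil and a -decode run by a binary whose OriginalFileName is still CertUtil.exe, to expand.exe unpacking a .tmp, wscript running a .js out of C:\Users\Public\Downloads, and a scheduled task whose action lives in a Startup folder. Host names, paths and the schtasks command line are invented; the tool and file names follow the post.

```python
"""Hunt for the certutil/expand/wscript/schtasks chain described above in
process-creation telemetry (Sysmon event 1 style fields). Added example, not
Malwarebytes' detection logic; the events are constructed, not real telemetry."""
import re
from collections import defaultdict

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ALERT_THRESHOLD = 8  # reached only when several distinct stages fire on one host


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has(pattern, text):
    return re.search(pattern, text, re.IGNORECASE) is not None


# (rule name, weight, predicate over one process-creation event)
RULES = [
    # cmd.exe spawned by an archiver: the LNK was opened straight out of the RAR
    ("shell_from_archiver", 2, lambda e: _base(e["image"]) == "cmd.exe"
     and _base(e.get("parent_image", "")) in ARCHIVERS),
    # copy of certutil via the wildcard that keeps its name off the command line
    ("certutil_wildcard_copy", 3, lambda e: _has(r"copy\s+.*\*ertu\*\.exe", e["cmdline"])),
    # the PE's OriginalFileName survives a rename: gosia.exe is still CertUtil.exe
    ("renamed_certutil", 4, lambda e: e.get("original_file_name", "").lower() == "certutil.exe"
     and _base(e["image"]) != "certutil.exe"),
    ("certutil_decode", 2, lambda e: e.get("original_file_name", "").lower() == "certutil.exe"
     and _has(r"[-/]decode\b", e["cmdline"])),
    # expand.exe -F:* unpacking a .tmp rather than a .cab
    ("expand_tmp_payload", 2, lambda e: _base(e["image"]) == "expand.exe"
     and _has(r"-F:\*", e["cmdline"]) and _has(r"\.tmp\b", e["cmdline"])),
    # script host running a .js out of the world-writable Public\Downloads
    ("script_from_public_downloads", 3, lambda e: _base(e["image"]) in SCRIPT_HOSTS
     and _has(r"\\users\\public\\downloads\\[^\s\"]+\.js", e["cmdline"])),
    # scheduled task whose action lives in a Startup folder (double persistence)
    ("schtask_to_startup_folder", 3, lambda e: _base(e["image"]) == "schtasks.exe"
     and _has(r"/create\b", e["cmdline"])
     and _has(r"\\start menu\\programs\\startup\\", e["cmdline"])),
]


def match_event(event):
    """Names of the rules that fire on a single event, in RULES order."""
    return [name for name, _w, pred in RULES if pred(event)]


def score_hosts(events):
    """Accumulate distinct rule hits per host and flag hosts over the threshold."""
    weights = {name: w for name, w, _p in RULES}
    per_host = defaultdict(lambda: {"rules": set(), "score": 0, "alert": False})
    for e in events:
        h = per_host[e["host"]]
        for name in match_event(e):
            if name not in h["rules"]:
                h["rules"].add(name)
                h["score"] += weights[name]
    for h in per_host.values():
        h["alert"] = h["score"] >= ALERT_THRESHOLD
    return dict(per_host)


# Constructed events modelled on the command names in the post (hosts, paths, schedule invented).
SAMPLE_EVENTS = [
    {"host": "WS-HK-07", "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"cmd.exe /c copy /y %windir%\system32\*ertu*.exe %temp%\gosia.exe"},
    {"host": "WS-HK-07", "image": r"C:\Users\wlei\AppData\Local\Temp\gosia.exe",
     "original_file_name": "CertUtil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"host": "WS-HK-07", "image": r"C:\Windows\System32\expand.exe", "original_file_name": "expand.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r"expand.exe -F:* o423DFDS4.tmp %temp%"},
    {"host": "WS-HK-07", "image": r"C:\Windows\System32\wscript.exe", "original_file_name": "wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"host": "WS-HK-07", "image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn officeupdate /tr "C:\Users\wlei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'},
    # benign look-alikes: real certutil hashing a file, an installer's expand, a logon script
    {"host": "WS-FIN-02", "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "certutil -hashfile setup.msi SHA256"},
    {"host": "WS-FIN-02", "image": r"C:\Windows\System32\expand.exe", "original_file_name": "expand.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"expand.exe -F:* C:\Windows\Installer\1a2b.cab C:\Windows\Temp\inst"},
    {"host": "WS-FIN-02", "image": r"C:\Windows\System32\wscript.exe", "original_file_name": "wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": r"wscript.exe //B C:\Scripts\logon.js"},
    # an admin decoding a certificate with the real certutil: one stage, no alert
    {"host": "ADM-01", "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "certutil -decode cert.b64 cert.cer"},
]
```

The weights are deliberately uneven: a renamed certutil (OriginalFileName and image name disagreeing) is strong on its own, while a lone certutil -decode or expand.exe is routine administration and only counts once the other stages show up on the same host. The same scoring would have caught the March campaign, since only the temp file names and the certutil alias changed.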
(Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1354 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1355 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1356 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1357 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1358 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1359 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1360 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1361 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1362 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1363 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1364 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1365 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1366 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1367 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1368 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1369 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1370 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1371 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1372 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1373 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1374 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1375 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1376 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1377 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1378 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1379 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1380 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1381 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1382 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1383 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1384 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1385 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1386 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1387 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1388 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1389 of 1874 LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1390 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1391 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. 
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1392 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1393 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1394 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1395 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the renamed copy is used to bypass security detections that match on “*ertu*.exe”).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
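A static triage routine for an LNK of the kind described in the LNK file section above (an added example, not the article's or Malwarebytes' code): it locates the embedded base64 blob the way findstr does, decodes it the way certutil -decode does, and checks that the result is the CAB that expand.exe would unpack. The LNK bytes and CAB header it runs on are constructed, and the function names are this example's own.

```python
"""Static triage of an LNK that carries a base64-encoded CAB payload.

Added example modelled on the Higaisa LNK described above; it is not the
article's or Malwarebytes' code. It does offline what the LNK's own chain does
on the victim (findstr -> certutil -decode -> expand): locate the base64 blob,
decode it and confirm the result is a CAB archive. The sample LNK bytes are
constructed here, not taken from a real sample.
"""
from __future__ import annotations

import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
CAB_MAGIC = b"MSCF"
CAB_HEADER_FMT = "<4sIIIIIBBHHHHH"  # CFHEADER fields, 36 bytes
# An unbroken run of base64 characters: the same thing findstr picks out.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
# Tools the article's LNK chain relies on (certutil still shows up in the
# copy command even though the running copy is renamed).
LOLBINS = (b"certutil", b"findstr", b"expand", b"wscript", b"-decode")


def looks_like_lnk(data: bytes) -> bool:
    """HeaderSize must be 0x4C and the ShellLink CLSID must follow it."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    size = struct.unpack_from("<I", data, 0)[0]
    return size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_base64_blob(data: bytes) -> bytes | None:
    """Return the longest base64 run in the file, or None if there is none."""
    runs = BASE64_RUN.findall(data)
    return max(runs, key=len) if runs else None


def decode_blob(blob: bytes) -> bytes | None:
    """Strict base64 decode; a non-base64 run yields None instead of garbage."""
    try:
        return base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None


def cab_file_count(payload: bytes) -> int | None:
    """cFiles from the CFHEADER, or None if the payload is not a CAB."""
    if len(payload) < struct.calcsize(CAB_HEADER_FMT) or payload[:4] != CAB_MAGIC:
        return None
    # (signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
    #  versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet)
    return struct.unpack_from(CAB_HEADER_FMT, payload, 0)[9]


def lolbin_hints(data: bytes) -> list[str]:
    """Names of chain tools present as ASCII or (crudely flattened) UTF-16LE."""
    flat = data.lower() + data.replace(b"\x00", b"").lower()
    return sorted(name.decode() for name in LOLBINS if name in flat)


def triage(data: bytes) -> dict:
    """Run every check and return a report a triage queue can act on."""
    report = {"is_lnk": looks_like_lnk(data), "lolbin_hints": lolbin_hints(data),
              "blob_len": 0, "payload_is_cab": False, "cab_files": None}
    blob = find_base64_blob(data)
    if blob is None:
        return report
    report["blob_len"] = len(blob)
    payload = decode_blob(blob)
    if payload is None:
        return report
    count = cab_file_count(payload)
    report["payload_is_cab"] = count is not None
    report["cab_files"] = count
    return report


def build_sample_lnk() -> bytes:
    """Constructed stand-in: a valid LNK header, a command string naming the
    same tools as the article's LNK, then a base64 CAB header with 3 files
    (the two dropped .tmp/.js files plus a decoy PDF, as in the article)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    command = b"<commands: findstr.exe, certutil.exe -decode, expand.exe -F:*, wscript.exe>"
    cab = struct.pack(CAB_HEADER_FMT, CAB_MAGIC, 0, 100, 0, 36, 0, 3, 1, 1, 3, 0, 0x1234, 0)
    cab += b"\x00" * 64  # stand-in for the folder/file entries and data
    return header + command + b"\r\n" + base64.b64encode(cab) + b"\r\n"


if __name__ == "__main__":
    print(triage(build_sample_lnk()))
```

Because the check is static, a sample that fails `looks_like_lnk` or whose blob does not decode to MSCF is flagged for manual review rather than run.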
svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1454 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1455 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1456 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1457 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
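Every stage of the LNK and JS chain above is a legitimate Windows binary, so no single process is suspicious on its own; what is suspicious is the sequence inside one process tree, and a renamed certutil is exposed by the PE's OriginalFileName rather than its path. The following is an added example (not code from the Malwarebytes post or its authors) that correlates constructed Sysmon-style process-creation records into the stages described above; all pids, paths and the findstr marker are made-up sample data.

```python
"""Correlate process-creation events into the LNK chain described above
(wildcard copy of certutil -> findstr -> renamed certutil -decode -> expand.exe
-> wscript.exe -> ipconfig) and score the result per process tree.
All records below are constructed sample data, not telemetry from the post."""
import os
import re
from collections import defaultdict

# Constructed sample log. "orig" stands in for the Sysmon Event ID 1 OriginalFileName
# field, the PE version-resource name that survives renaming certutil.exe to gosia.exe.
EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "orig": "WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" CV_Colliers.rar'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmd": r"cmd.exe /c copy C:\Windows\System32\*ertu*.exe C:\Users\u\AppData\Local\Temp\gosia.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\findstr.exe", "orig": "FINDSTR.EXE",
     "cmd": r'findstr /b "PLACEHOLDER_MARKER" C:\Users\u\AppData\Local\Temp\g4ZokyumB2DC4.tmp'},
    {"pid": 202, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\gosia.exe", "orig": "CertUtil.exe",
     "cmd": r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\System32\expand.exe", "orig": "expand.exe",
     "cmd": r"expand.exe -F:* o423DFDS4.tmp C:\Users\u\AppData\Local\Temp"},
    {"pid": 204, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "orig": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"pid": 205, "ppid": 200, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "orig": "AcroRd32.exe",
     "cmd": r"AcroRd32.exe C:\Users\u\AppData\Local\Temp\decoy.pdf"},
    {"pid": 206, "ppid": 204, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmd": r"cmd /c ipconfig"},
    {"pid": 207, "ppid": 206, "image": r"C:\Windows\System32\ipconfig.exe", "orig": "ipconfig.exe",
     "cmd": r"ipconfig"},
    # Benign tree: the same system tools used legitimately, which must not be flagged.
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "orig": "EXPLORER.EXE", "cmd": "explorer.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe", "orig": "CertUtil.exe",
     "cmd": r"certutil.exe -verify C:\certs\site.cer"},
    {"pid": 302, "ppid": 300, "image": r"C:\Windows\System32\expand.exe", "orig": "expand.exe",
     "cmd": r"expand.exe -F:* C:\drivers\net.cab C:\drivers\out"},
]


def _base(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


# "copy ...\System32\*ertu*.exe <dest>": a System32 binary addressed through a wildcard name
WILDCARD_COPY = re.compile(r"\bcopy\b.*\\system32\\[^\\\s]*\*[^\\\s]*\.exe")


def stage_of(ev, ancestors):
    """Return the chain stage a single event matches, or None.
    `ancestors` lists the image names of the parent chain, nearest parent first."""
    img, orig, cmd = _base(ev["image"]), ev["orig"].lower(), ev["cmd"].lower()
    if orig == "certutil.exe" and img != "certutil.exe" and "-decode" in cmd:
        return "renamed_certutil_decode"          # gosia.exe / mosia.exe -decode
    if img == "cmd.exe" and WILDCARD_COPY.search(cmd):
        return "wildcard_copy_of_system_binary"
    if img == "findstr.exe" and ".tmp" in cmd:
        return "findstr_carve_from_tmp"            # blob carved out of the LNK copy
    if img == "expand.exe" and "-f:*" in cmd and ".tmp" in cmd:
        return "expand_tmp_as_cab"                 # CAB hidden behind a .tmp name
    if img == "wscript.exe" and "\\users\\public\\downloads\\" in cmd and cmd.endswith(".js"):
        return "wscript_public_downloads"          # script run from a world-writable folder
    if img == "ipconfig.exe" and "wscript.exe" in ancestors:
        return "ipconfig_under_script_host"        # recon step of the JS stage
    return None


def correlate(events, min_stages=3):
    """Attribute each matched stage to the root of its process tree and report the
    roots that accumulate at least `min_stages` distinct stages."""
    by_pid = {ev["pid"]: ev for ev in events}

    def lineage(ev):
        chain, seen = [], {ev["pid"]}
        cur = by_pid.get(ev["ppid"])
        while cur is not None and cur["pid"] not in seen:   # guard against pid-reuse loops
            chain.append(cur)
            seen.add(cur["pid"])
            cur = by_pid.get(cur["ppid"])
        return chain

    stages = defaultdict(set)
    for ev in events:
        anc = lineage(ev)
        root = anc[-1]["pid"] if anc else ev["pid"]
        stage = stage_of(ev, [_base(a["image"]) for a in anc])
        if stage:
            stages[root].add(stage)
    return {root: sorted(s) for root, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for root, found in correlate(EVENTS).items():
        print(f"root pid {root}: {len(found)} chain stages -> {', '.join(found)}")
```

The benign explorer.exe tree runs certutil under its own name and expand.exe on a real .cab, so it scores zero; the WinRAR tree accumulates six stages and is reported.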
IOCs

| File | SHA-256 |
|---|---|
| CV_Colliers.rar | df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d |
| Project link and New copyright policy.rar | c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 |
| Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 |
| Tokbox icon – Odds and Ends – iOS – Zeplin.lnk | 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 |
| International English Language Testing System certificate.pdf.lnk | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b |
| Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 |
| Conversations – iOS – Swipe Icons – Zeplin.lnk | c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 |

C2 domains (ipconfig exfiltration)

- sixindent[.]epizy[.]com
- goodhk[.]azurewebsites[.]net
- zeplin[.]atwebpages[.]com

C2s used by svchast.exe

- 45.76.6[.]149
- www.comcleanner[.]info

MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
|---|---|---|---|
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe) |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1463 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1464 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1465 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1466 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1467 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1468 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1469 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1470 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1471 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1472 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1473 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1474 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1475 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1476 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1477 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1478 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1479 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1480 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1481 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1482 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1483 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1484 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1485 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1486 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1487 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1488 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1489 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1490 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1491 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1492 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1493 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1494 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1495 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1496 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1497 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1498 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1499 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1500 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1501 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1502 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1503 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1504 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1505 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

- “CV_Colliers.rar”
- “Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe”. The source is referenced with the wildcard pattern “*ertu*.exe”, so the string “certutil” never appears in the command line; this is meant to bypass security detection.
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
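The shortcut layout the LNK file section describes (a cmd.exe command line in the shortcut's arguments, with the base64 CAB appended to the file so that findstr can carve it back out) can be triaged without running anything. The Python below is an added example, not code from the Malwarebytes post: it parses the ShellLinkHeader and StringData of a .lnk, pulls out the command line, decodes any base64 blob that trails the shortcut structure and checks it for the CAB magic. The shortcut it builds for itself is constructed here; the file names are the post's, but the command line only approximates the steps listed above and the payload is a fake CAB header, not the real sample.

```python
"""Static triage of a shortcut for the layout the post describes: a command
line in the LNK's arguments and a base64 blob appended after the shortcut
structure. Added example, not code from the Malwarebytes post; the shortcut
returned by build_sample_lnk() is constructed here and only approximates the
listed steps, and its payload is a fake CAB header, not the real sample."""
import base64
import re
import struct
from typing import Any, Dict, Optional

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-...-46}
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData fields in storage order (MS-SHLLINK 2.4) with their LinkFlags bit
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", HAS_ARGS), ("icon_location", 0x40))
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{60,}={0,2}")
ARG_INDICATORS = {  # the command-line tricks listed in the post
    "wildcard_certutil": re.compile(r"\*ertu\*", re.I),
    "certutil_decode": re.compile(r"-decode\b", re.I),
    "findstr_self": re.compile(r"\bfindstr\b", re.I),
    "expand_cab": re.compile(r"\bexpand(\.exe)?\b.*-F:\*", re.I),
    "wscript_public": re.compile(r"wscript.*\\Public\\Downloads", re.I),
}


def parse_lnk(data: bytes) -> Dict[str, Any]:
    """Walk ShellLinkHeader, optional IDList/LinkInfo, StringData and ExtraData;
    return the string fields plus whatever trails the shortcut structure."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:  # u16 IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # u32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: Dict[str, Any] = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += 2 + width * count
    while pos + 4 <= len(data):  # ExtraData: u32-sized blocks, terminator < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):  # not a block, so appended data starts here
            break
        pos += size
    fields["trailer"] = data[pos:]
    return fields


def extract_blob(trailer: bytes) -> Optional[bytes]:
    """Join the base64 lines appended after the shortcut and decode them."""
    runs = B64_RUN.findall(trailer.replace(b"\r", b"").replace(b"\n", b""))
    if not runs:
        return None
    chunk = max(runs, key=len)
    chunk += b"=" * (-len(chunk) % 4)
    try:
        return base64.b64decode(chunk, validate=True)
    except ValueError:
        return None


def triage(data: bytes, filename: str) -> Dict[str, Any]:
    """Flag the command-line tricks, the .pdf.lnk disguise and a CAB (MSCF) blob."""
    info = parse_lnk(data)
    args = str(info.get("arguments", ""))
    hits = [k for k, rx in ARG_INDICATORS.items() if rx.search(args)]
    if re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", filename, re.I):
        hits.append("double_extension")
    payload = extract_blob(info["trailer"])
    return {"arguments": args, "indicators": hits,
            "payload_len": len(payload) if payload else 0,
            "payload_is_cab": bool(payload) and payload[:4] == b"MSCF"}


def build_sample_lnk(args: Optional[str] = None, payload: Optional[bytes] = None) -> bytes:
    """Constructed stand-in for the campaign shortcut: arguments approximating the
    post's steps, a TerminalBlock, then the payload as 64-character base64 lines."""
    if args is None:
        args = (r'/c copy "*.lnk" "%APPDATA%\g4ZokyumB2DC4.tmp" & '
                r'copy %SystemRoot%\System32\*ertu*.exe "%APPDATA%\gosia.exe" & '
                r'findstr "TVND" "%APPDATA%\g4ZokyumB2DC4.tmp" > "%APPDATA%\cSi1rouy4.tmp" & '
                r'"%APPDATA%\gosia.exe" -decode "%APPDATA%\cSi1rouy4.tmp" "%APPDATA%\o423DFDS4.tmp" & '
                r'expand -F:* "%APPDATA%\o423DFDS4.tmp" "%APPDATA%" & '
                r'copy "%APPDATA%\34fDKfSD38.js" "C:\Users\Public\Downloads\" & '
                r'wscript "C:\Users\Public\Downloads\34fDKfSD38.js"')
    if payload is None:
        payload = b"MSCF" + b"\x00" * 60  # fake CAB: only the magic is real
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += struct.pack("<I", 0) + b"\x00" * 24  # FileAttributes, three FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 7, 0)  # FileSize, IconIndex, ShowCommand (7 = minimised; an assumption), HotKey
    header += b"\x00" * 10  # Reserved1..3
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    b64 = base64.b64encode(payload)
    lines = b"\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return header + string_data + struct.pack("<I", 0) + b"\r\n" + lines + b"\r\n"
```

Run `triage(open(path, "rb").read(), path)` over the shortcuts extracted from a suspect archive; a non-empty indicator list together with a decodable trailer that starts with MSCF is exactly the combination the post describes, and the decoded bytes can be handed straight to a CAB extractor for the JS and the .tmp shellcode file. The ExtraData walk stops at the TerminalBlock, which is why data appended after a well-formed shortcut lands in the trailer rather than being mistaken for a block.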
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished.

Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
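On the endpoint side, the LNK, JS and loader stages above leave a process tree that is easy to describe: the archiver spawns cmd.exe, cmd.exe copies certutil under a wildcard and runs the renamed copy with -decode, expand.exe extracts the CAB with -F:*, wscript.exe runs a script out of C:\Users\Public\Downloads, ipconfig.exe runs under that script host, and a scheduled task is created pointing into the Startup folder. The Python below is an added example, not code from the post or from any Malwarebytes product: it rebuilds the process tree from pid/ppid and runs a set of rules over it. The events are constructed to resemble Sysmon Event ID 1 records and are not real telemetry; in particular the schtasks command line is an assumption about how the task was registered, which the post does not state.

```python
r"""Process-telemetry detections for the chain the post describes. Added
example, not code from the post or from Malwarebytes. EVENTS is constructed
to resemble Sysmon Event ID 1 records (pid/ppid, Image, OriginalFileName,
CommandLine); it is not real telemetry and only approximates the sample."""
import ntpath
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

EVENTS: List[Event] = [
    dict(pid=100, ppid=1, image=r"C:\Windows\explorer.exe", original="EXPLORER.EXE", cmd="explorer.exe"),
    dict(pid=200, ppid=100, image=r"C:\Program Files\WinRAR\WinRAR.exe", original="WinRAR.exe",
         cmd=r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\victim\Downloads\CV_Colliers.rar"'),
    dict(pid=300, ppid=200, image=r"C:\Windows\System32\cmd.exe", original="Cmd.Exe",
         cmd=r"cmd.exe /c copy %SystemRoot%\System32\*ertu*.exe %APPDATA%\gosia.exe"),
    dict(pid=310, ppid=300, image=r"C:\Users\victim\AppData\Roaming\gosia.exe", original="CertUtil.exe",
         cmd=r"gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"),
    dict(pid=320, ppid=300, image=r"C:\Windows\System32\expand.exe", original="expand.exe",
         cmd=r"expand -F:* o423DFDS4.tmp %APPDATA%"),
    dict(pid=330, ppid=300, image=r"C:\Windows\System32\wscript.exe", original="wscript.exe",
         cmd=r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"),
    dict(pid=340, ppid=330, image=r"C:\Windows\System32\cmd.exe", original="Cmd.Exe", cmd="cmd /c ipconfig"),
    dict(pid=350, ppid=340, image=r"C:\Windows\System32\ipconfig.exe", original="ipconfig.exe", cmd="ipconfig"),
    # assumed form of the task registration; the post only says the task was added
    dict(pid=360, ppid=330, image=r"C:\Windows\System32\schtasks.exe", original="schtasks.exe",
         cmd=r'schtasks /create /tn officeupdate /sc minute /tr "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'),
    # benign control: an administrator decoding a certificate with certutil under its own name
    dict(pid=400, ppid=100, image=r"C:\Windows\System32\certutil.exe", original="CertUtil.exe",
         cmd="certutil -decode cert.b64 cert.cer"),
]

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RECON_TOOLS = {"ipconfig.exe", "whoami.exe", "systeminfo.exe", "net.exe"}


def base(path: Any) -> str:
    return ntpath.basename(str(path)).lower()


def ancestors(ev: Event, by_pid: Dict[int, Event]) -> List[Event]:
    """Parent chain of ev, nearest first, guarded against pid-reuse loops."""
    chain: List[Event] = []
    seen = {ev["pid"]}
    parent = by_pid.get(ev["ppid"])
    while parent is not None and parent["pid"] not in seen:
        chain.append(parent)
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return chain


# Each rule sees one event plus its ancestor chain and returns True on a hit.
def wildcard_certutil_copy(ev: Event, anc: List[Event]) -> bool:
    return base(ev["image"]) == "cmd.exe" and "*ertu*" in ev["cmd"]

def renamed_certutil(ev: Event, anc: List[Event]) -> bool:
    return base(ev["original"]) == "certutil.exe" and base(ev["image"]) != "certutil.exe"

def certutil_decode_suspicious(ev: Event, anc: List[Event]) -> bool:
    # -decode alone is routine admin work; require a renamed binary or an archiver ancestor
    return (base(ev["original"]) == "certutil.exe" and "-decode" in ev["cmd"].lower()
            and (renamed_certutil(ev, anc) or any(base(a["image"]) in ARCHIVERS for a in anc)))

def expand_extract_all(ev: Event, anc: List[Event]) -> bool:
    return base(ev["image"]) == "expand.exe" and "-f:*" in ev["cmd"].lower()

def script_host_from_public(ev: Event, anc: List[Event]) -> bool:
    return base(ev["image"]) in SCRIPT_HOSTS and "\\users\\public\\" in ev["cmd"].lower()

def recon_under_script_host(ev: Event, anc: List[Event]) -> bool:
    return base(ev["image"]) in RECON_TOOLS and any(base(a["image"]) in SCRIPT_HOSTS for a in anc)

def task_pointing_to_startup(ev: Event, anc: List[Event]) -> bool:
    c = ev["cmd"].lower()
    return base(ev["image"]) == "schtasks.exe" and "/create" in c and "\\startup\\" in c


RULES: List[Callable[[Event, List[Event]], bool]] = [
    wildcard_certutil_copy, renamed_certutil, certutil_decode_suspicious, expand_extract_all,
    script_host_from_public, recon_under_script_host, task_pointing_to_startup,
]


def run_detections(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule that fires on every event."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        anc = ancestors(ev, by_pid)
        hits.extend((ev["pid"], rule.__name__) for rule in RULES if rule(ev, anc))
    return hits


if __name__ == "__main__":
    for pid, rule in run_detections(EVENTS):
        print(f"pid {pid:<4} {rule}")
```

The OriginalFileName check is what makes the rename trick (gosia.exe, mosia.exe) visible: the copy keeps certutil's version resource, so matching on the image name alone would miss it. The benign control event shows why `-decode` is paired with a rename or an archiver ancestor rather than alerted on by itself.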
IOCs

CV_Colliers.rar
df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d

Project link and New copyright policy.rar
c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9

Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81

International English Language Testing System certificate.pdf.lnk
c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b

Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6

Conversations – iOS – Swipe Icons – Zeplin.lnk
c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address

The IDs and names above are those of the ATT&CK version current when this post was written (June 2020). In later versions T1064 (Scripting) was retired in favour of the T1059 sub-techniques, T1060 became T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1106 was renamed Native API, so map them before reusing this table in a current matrix.
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1527 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1528 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1529 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1530 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1531 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1532 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1533 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1534 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1535 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1536 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1537 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1538 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1539 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1540 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1541 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1542 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1543 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1544 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1545 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1546 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1547 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1548 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1549 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1550 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1551 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1552 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1553 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1554 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1555 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1556 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1557 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1558 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1559 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1560 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1561 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file that is ultimately responsible for a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

"CV_Colliers.rar"
"Project link and New copyright policy.rar"

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into "g4ZokyumB2DC4.tmp" in the %APPDATA% temp directory.
2. Copy the content of "certutil.exe" into "gosia.exe". The source is referenced with the wildcard pattern "*ertu*.exe", so the string "certutil" never appears in the command line; this is meant to bypass security detection.
3. Look for the base64 blob using "findstr.exe" and write it to "cSi1rouy4.tmp".
4. Decode the content of "cSi1rouy4.tmp" using "gosia.exe -decode" (i.e. certutil.exe -decode) and write it to "o423DFDS4.tmp".
5. Decompress the content of "o423DFDS4.tmp" in the temp directory, along with a decoy PDF document, using "expand.exe -F:*" (Figure 3).
6. Copy the "66DF3DFG.tmp" and "34fDKfSD38.js" files into the "C:\Users\Public\Downloads" directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the names of the tmp files and the name given to the certutil.exe copy, which in this new case is "gosia.exe", while in the March campaign it was "mosia.exe".

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create "d3reEW.exe" in "C:\Users\Public\Downloads" and store the output of "cmd /c ipconfig" in it.
2. Execute the dropped "svchast.exe".
3. Copy "svchast.exe" into the Startup directory and rename it as "officeupdate.exe".
4. Add "officeupdate.exe" to the scheduled tasks.
5. Send a POST request to a hardcoded URL with "d3reEW.exe" as the data.
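As an added example (not code from the post or from Malwarebytes), the following Python parser pulls out statically the same two things the command chain in the LNK section extracts at run time: the COMMAND_LINE_ARGUMENTS string from the MS-SHLLINK structure, and the base64 blob appended after the structure's terminal ExtraData block, which it decodes and checks for the "MSCF" CAB magic that expand.exe consumes. The layout follows the public MS-SHLLINK specification. The sample shortcut the block builds for itself, the command line inside it and the "BLOB" marker handed to findstr are constructed stand-ins, not the campaign's actual LNK.

```python
import base64
import re
import struct
import uuid

# Added triage helper (not from the post): walk the MS-SHLLINK structure to
# recover COMMAND_LINE_ARGUMENTS, then look past the end of the structure for an
# appended base64 blob and check whether it decodes to a CAB ("MSCF" magic).
HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# Command-line fragments that match the chain described in the post: wildcard-
# masked certutil copy, base64 decode, CAB expansion, script host.
SUSPICIOUS = (r"\*ertu\*", r"-decode", r"\bexpand\b", r"\bfindstr\b", r"\bwscript\b")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus the offset where the LNK structure ends."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LNK_CLSID:
        raise ValueError("unexpected LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                      # IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for flag, name in STRING_FIELDS:             # StringData: fixed order, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        out[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("latin-1")
        pos += count * width
    while pos + 4 <= len(data):                  # ExtraData blocks, ended by BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if size > len(data) - pos:               # not a real block: treat as end of structure
            break
        pos += size
    out["structure_end"] = pos
    return out


def find_appended_base64(data: bytes, start: int, min_len: int = 64):
    """Longest base64 run at or after `start`, decoded, with its offset; None if absent."""
    best = None
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, data[start:]):
        if best is None or len(m.group(0)) > len(best.group(0)):
            best = m
    if best is None:
        return None
    blob = best.group(0)
    blob += b"=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True), start + best.start()
    except ValueError:
        return None


def triage(data: bytes) -> dict:
    """Summarise a shortcut: its arguments, LOLBin hits and any appended payload."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    hits = [p for p in SUSPICIOUS if re.search(p, args, re.IGNORECASE)]
    found = find_appended_base64(data, info["structure_end"])
    payload, offset = found if found else (b"", None)
    return {
        "arguments": args,
        "lolbin_hits": hits,
        "payload_offset": offset,
        "payload_size": len(payload),
        "payload_type": None if not found else ("cab" if payload.startswith(b"MSCF") else "unknown"),
    }


# Constructed test carrier (not the real sample): a minimal LNK whose arguments
# imitate the command chain from the post, with a fake CAB ("MSCF" header plus
# filler) base64-encoded and appended after the terminal ExtraData block.
SAMPLE_ARGS = (r"/c copy /y %windir%\system32\*ertu*.exe %temp%\gosia.exe & "
               r"findstr BLOB %temp%\g4ZokyumB2DC4.tmp > %temp%\cSi1rouy4.tmp & "
               r"%temp%\gosia.exe -decode %temp%\cSi1rouy4.tmp %temp%\o423DFDS4.tmp & "
               r"expand -F:* %temp%\o423DFDS4.tmp %temp% & wscript C:\Users\Public\Downloads\34fDKfSD38.js")
SAMPLE_CAB = b"MSCF" + b"\x00" * 4 + bytes(range(256))


def build_sample_lnk(arguments: str, payload: bytes) -> bytes:
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", HAS_ARGS | IS_UNICODE, 0)     # LinkFlags, FileAttributes
    header += b"\x00" * 24                                     # Creation/Access/Write time
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)     # FileSize .. Reserved3 (ShowCommand=SW_SHOWNORMAL)
    body = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body + struct.pack("<I", 0) + b"\r\n" + base64.b64encode(payload) + b"\r\n"


if __name__ == "__main__":
    print(triage(build_sample_lnk(SAMPLE_ARGS, SAMPLE_CAB)))
```

Searching only past `structure_end` matters: the header and IDList of a real shortcut contain enough printable bytes to produce false base64 runs, and a legitimate shortcut has nothing after its terminal block at all, so any appended data is itself a finding.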
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in "66DF3DFG.tmp". This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls "CreateThread" to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren't able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
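The chain described above leaves a distinctive process tree (archiver, then cmd.exe, then a renamed certutil copy, expand.exe and wscript.exe). The following Python block, an added example rather than anything from the post, runs five rules over constructed Sysmon Event ID 1 records that imitate that tree plus a benign certutil run as a control. The point it illustrates is the one the "*ertu*.exe" trick relies on: a rule keyed on the image name "certutil.exe" never sees "gosia.exe", whereas Sysmon's OriginalFileName field, read from the PE version resource, survives the copy. All PIDs, paths and command lines in EVENTS are made up, and the findstr argument "BLOB" is a placeholder.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, cut down to the
# fields the rules consult. They imitate the chain described in the post; the
# PIDs, paths and command lines are made up, not telemetry from the campaign.
# "orig" is Sysmon's OriginalFileName (PE version resource), which survives a
# copy-and-rename of certutil.exe.
EVENTS = [
    {"pid": 4412, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "orig": "WinRAR.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\victim\Downloads\CV_Colliers.rar"'},
    {"pid": 4420, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"cmd.exe /c copy /y %windir%\system32\*ertu*.exe %temp%\gosia.exe & "
            r"findstr BLOB %temp%\g4ZokyumB2DC4.tmp > %temp%\cSi1rouy4.tmp"},
    {"pid": 4431, "image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "orig": "CertUtil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"gosia.exe -decode %temp%\cSi1rouy4.tmp %temp%\o423DFDS4.tmp"},
    {"pid": 4440, "image": r"C:\Windows\System32\expand.exe", "orig": "expand.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"expand -F:* C:\Users\victim\AppData\Local\Temp\o423DFDS4.tmp C:\Users\victim\AppData\Local\Temp"},
    {"pid": 4450, "image": r"C:\Windows\System32\wscript.exe", "orig": "wscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"wscript C:\Users\Public\Downloads\34fDKfSD38.js"},
    # Benign control: certutil run under its own name by an admin shell.
    {"pid": 5001, "image": r"C:\Windows\System32\certutil.exe", "orig": "CertUtil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil -verify C:\certs\server.cer"},
]

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def renamed_certutil(e: dict) -> bool:
    # Image-name rules ("certutil.exe -decode") miss the gosia.exe copy; the
    # version-resource name does not.
    return e["orig"].lower() == "certutil.exe" and base(e["image"]) != "certutil.exe"


def wildcard_masked_copy(e: dict) -> bool:
    # "copy ... *ertu*.exe": the string "certutil" never appears on the command line.
    return re.search(r"copy\b.*\*[a-z]*\*\.exe", e["cmd"], re.IGNORECASE) is not None


def archiver_spawned_cmd(e: dict) -> bool:
    # The post's MITRE table: cmd.exe started by WinRAR.exe to run the LNK's commands.
    return base(e["image"]) == "cmd.exe" and base(e["parent"]) in ARCHIVERS


def expand_from_temp(e: dict) -> bool:
    # expand.exe -F:* unpacking a .tmp file out of a temp directory.
    return (base(e["image"]) == "expand.exe"
            and re.search(r"-f:\*", e["cmd"], re.IGNORECASE) is not None
            and re.search(r"\\temp\\[^ ]*\.tmp\b", e["cmd"], re.IGNORECASE) is not None)


def script_from_public(e: dict) -> bool:
    # A script host running a .js dropped under C:\Users\Public.
    return (base(e["image"]) in SCRIPT_HOSTS
            and re.search(r"c:\\users\\public\\.*\.js\b", e["cmd"], re.IGNORECASE) is not None)


RULES = {
    "renamed_certutil": renamed_certutil,
    "wildcard_masked_copy": wildcard_masked_copy,
    "archiver_spawned_cmd": archiver_spawned_cmd,
    "expand_from_temp": expand_from_temp,
    "script_from_public": script_from_public,
}


def evaluate(events: list) -> list:
    """Return (rule, pid) pairs for every event that trips a rule."""
    return [(name, e["pid"]) for e in events for name, rule in RULES.items() if rule(e)]


def image_name_only_hits(events: list) -> list:
    """What a naive 'certutil.exe -decode' rule would see: nothing, for this chain."""
    return [e["pid"] for e in events
            if base(e["image"]) == "certutil.exe" and "-decode" in e["cmd"].lower()]


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:24s} pid={pid}")
```

Any one of these rules on its own is noisy in a real estate (developers run expand.exe and wscript.exe legitimately); the value is in correlating them under the same cmd.exe ancestor, which is why each record carries its parent image.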
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1585 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1586 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1587 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1588 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1589 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1590 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1591 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1592 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1593 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1594 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1595 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1596 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1597 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1598 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1599 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1600 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1601 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1602 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1603 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1604 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1605 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1606 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1607 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1608 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1609 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1610 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1611 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1612 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1613 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1614 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1615 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1616 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe”. The copy is done with the wildcard pattern “*ertu*.exe”, so the string “certutil” never appears on the command line, which is meant to bypass security detection.
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (i.e. certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB file) into the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa COVID-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which is “gosia.exe” in this new case, while in the March campaign it was “mosia.exe”. Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them shows a different decoy document.

JS file

The JavaScript file performs the following actions:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the Startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as the data.
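The findstr and certutil -decode steps of the LNK chain above are also the fastest way to pull the payload out of such a shortcut on an analysis machine without running it. The Python below is an added example, not code from the original post: it locates the base64 line whose prefix decodes to the cabinet magic “MSCF” (base64 “TVNDRg”) and decodes it. The shortcut bytes and the dummy cabinet are constructed for the demo; the real samples' layout differs, and the findstr pattern the LNK itself uses is not quoted in the post.

```python
"""Recover the base64-encoded CAB that a Higaisa-style LNK carries.

Added example, not code from the original post. It replays the LNK's own
findstr -> certutil -decode steps offline in Python, so the payload can be
pulled out on an analysis box without running the shortcut. The LNK bytes
below are constructed for this demo; the real samples differ in layout.
"""
import base64
import re
from typing import Optional

CAB_MAGIC = b"MSCF"            # first four bytes of every cabinet file
# base64 of b"MSCF" is b"TVNDRg"; a base64 line starting with it is a CAB
CAB_MAGIC_B64 = base64.b64encode(CAB_MAGIC)[:6]

# One long base64 line. The blob sits after the shortcut structure as plain
# text, which is why findstr can pick it out line by line.
B64_LINE = re.compile(rb"^([A-Za-z0-9+/]{32,}={0,2})\r?$", re.M)


def find_base64_blob(data: bytes) -> Optional[bytes]:
    """Mirror of the findstr step: first base64 line whose prefix decodes to MSCF."""
    for m in B64_LINE.finditer(data):
        line = m.group(1)
        if line.startswith(CAB_MAGIC_B64):
            return line
    return None


def decode_blob(blob: bytes) -> bytes:
    """Mirror of 'certutil -decode' (gosia.exe -decode in this campaign)."""
    return base64.b64decode(blob, validate=True)


def extract_cab(lnk_bytes: bytes) -> bytes:
    """Return the embedded cabinet, or raise if the file does not carry one."""
    blob = find_base64_blob(lnk_bytes)
    if blob is None:
        raise ValueError("no base64-encoded cabinet line found")
    cab = decode_blob(blob)
    if not cab.startswith(CAB_MAGIC):
        raise ValueError("decoded blob does not start with MSCF")
    return cab


# Constructed stand-in for the shortcut: a fake LNK header, a cmd fragment
# like the chain described above, then the base64 payload on its own line.
# The "cabinet" is a dummy with the right magic, not a real CAB.
FAKE_CAB = CAB_MAGIC + b"\x00" * 32 + b"dummy cabinet body for this demo"
CONSTRUCTED_LNK = (
    b"L\x00\x00\x00\x01\x14\x02\x00"                       # LNK header magic
    + b"/c copy *ertu*.exe gosia.exe & findstr ... \n"     # command fragment
    + base64.b64encode(FAKE_CAB) + b"\n"
    + b"\x00\x00"
)

if __name__ == "__main__":
    cab = extract_cab(CONSTRUCTED_LNK)
    print(f"recovered {len(cab)} bytes, magic {cab[:4]!r}")
```

Write the returned bytes to a .cab and unpack them with `expand.exe payload.cab -F:* outdir` on Windows or `cabextract payload.cab` on Linux; the dropped .tmp shellcode, the .js and the decoy PDF come out of that archive.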
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally it calls “CreateThread” to create a thread within its own memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1678 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1679 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1680 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1681 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1682 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1683 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1684 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1685 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1686 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1687 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1688 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1689 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1690 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1691 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1692 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1693 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1694 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1695 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1696 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1697 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1698 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1699 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1700 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1701 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1702 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1703 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1704 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1705 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address LNK file The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed: Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1706 of 1874 Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1707 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1708 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1709 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1710 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1711 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1712 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1713 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1714 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address This post was authored by Hossein Jazi and Jérôme Segura On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents. Distribution The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that possibly have been distributed between May 12th and 31st: “CV_Colliers.rar” “Project link and New copyright policy.rar” Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io. The following shows the overall process flow when executing the malicious LNK file. 
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa COVID-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”.

In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
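The LNK and JS command chains above leave a distinctive process-creation trail that a defender can match stage by stage rather than by file name. The following is an added example, not code from Malwarebytes or the report, of that detection logic run over constructed Sysmon-style events; the victim profile path, the schtasks.exe invocation and the output redirect that fills d3reEW.exe are assumptions made for illustration.

```python
"""Detection logic for the LNK -> JS -> loader chain described above.

Added example, not Malwarebytes code. Events are constructed Sysmon-style
process-creation records (Image, OriginalFileName, ParentImage, CommandLine).
The user profile path, the schtasks.exe call and the redirect that fills
d3reEW.exe are assumptions for illustration, not values from the report.
"""
import re

TEMP = r"C:\Users\user1\AppData\Local\Temp"   # constructed victim profile
PUB = r"C:\Users\Public\Downloads"


def ev(image, original, parent, cmdline):
    return {"image": image, "original": original, "parent": parent, "cmdline": cmdline}


# Constructed: the chain as it would appear on an infected host, in order.
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"C:\Program Files\WinRAR\WinRAR.exe",
       r"cmd /c copy /y C:\Windows\System32\*ertu*.exe " + TEMP + r"\gosia.exe"),
    ev(TEMP + r"\gosia.exe", "CertUtil.exe", r"C:\Windows\System32\cmd.exe",
       "gosia.exe -decode " + TEMP + r"\cSi1rouy4.tmp " + TEMP + r"\o423DFDS4.tmp"),
    ev(r"C:\Windows\System32\expand.exe", "expand.exe", r"C:\Windows\System32\cmd.exe",
       "expand.exe -F:* " + TEMP + r"\o423DFDS4.tmp " + TEMP),
    ev(r"C:\Windows\System32\wscript.exe", "wscript.exe", r"C:\Windows\System32\cmd.exe",
       "wscript.exe " + PUB + r"\34fDKfSD38.js"),
    ev(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"C:\Windows\System32\wscript.exe",
       "cmd /c ipconfig > " + PUB + r"\d3reEW.exe"),
    ev(r"C:\Windows\System32\schtasks.exe", "schtasks.exe", r"C:\Windows\System32\wscript.exe",
       r"schtasks /create /sc minute /tn OfficeUpdate /tr "
       r'"C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'),
]

# Constructed: routine admin activity that must not fire.
BENIGN_EVENTS = [
    ev(r"C:\Windows\System32\certutil.exe", "CertUtil.exe", r"C:\Windows\System32\cmd.exe",
       r"certutil.exe -decode C:\build\cert.b64 C:\build\cert.cer"),
    ev(r"C:\Windows\System32\expand.exe", "expand.exe", r"C:\Windows\System32\cmd.exe",
       r"expand.exe C:\drivers\nic.ca_ C:\drivers\nic.cab"),
]


def _is(path, name):
    return path.lower().endswith("\\" + name)


# Each rule is one stage of the chain; every predicate is a pure function of one event.
RULES = [
    # certutil.exe copied under a new name through the *ertu*.exe wildcard
    ("certutil_copied_with_wildcard", lambda e: _is(e["image"], "cmd.exe")
     and re.search(r"\bcopy\b.*\*ertu\*\.exe", e["cmdline"], re.I) is not None),
    # PE name is CertUtil.exe, file name is not, and it is decoding something:
    # catches gosia.exe, mosia.exe and whatever name the next campaign picks
    ("renamed_certutil_decode", lambda e: e["original"].lower() == "certutil.exe"
     and not _is(e["image"], "certutil.exe") and "-decode" in e["cmdline"].lower()),
    # expand.exe pulling everything (-F:*) out of a .tmp in a Temp folder
    ("expand_cab_from_temp", lambda e: e["original"].lower() == "expand.exe"
     and "-f:*" in e["cmdline"].lower()
     and re.search(r"\\temp\\[^ ]*\.tmp", e["cmdline"], re.I) is not None),
    # wscript.exe running a .js dropped in C:\Users\Public\Downloads
    ("wscript_from_public_downloads", lambda e: _is(e["image"], "wscript.exe")
     and re.search(r"\\users\\public\\downloads\\[^ ]+\.js\b", e["cmdline"], re.I) is not None),
    # cmd.exe spawned by wscript.exe to run ipconfig (the data later POSTed out)
    ("ipconfig_under_wscript", lambda e: _is(e["image"], "cmd.exe")
     and _is(e["parent"], "wscript.exe") and "ipconfig" in e["cmdline"].lower()),
    # scheduled task whose action lives in a Startup folder (officeupdate.exe)
    ("schtasks_startup_task", lambda e: _is(e["image"], "schtasks.exe")
     and "/create" in e["cmdline"].lower() and "\\startup\\" in e["cmdline"].lower()),
]


def match_events(events):
    """Map each rule that fired to the indices of the events it fired on."""
    hits = {}
    for idx, e in enumerate(events):
        for name, rule in RULES:
            if rule(e):
                hits.setdefault(name, []).append(idx)
    return hits


def chain_verdict(events, min_stages=3):
    """Alert only when several distinct stages appear on one host: a lone
    expand.exe or schtasks.exe call is routine, the combination is not."""
    hits = match_events(events)
    return len(hits) >= min_stages, sorted(hits)


if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, chain_verdict(events))
```

The renamed-certutil rule keys on the PE's OriginalFileName rather than the on-disk name, so the gosia.exe/mosia.exe renaming the report describes does not evade it.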
IOCs

| File | SHA-256 |
| --- | --- |
| CV_Colliers.rar | df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d |
| Project link and New copyright policy.rar | c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 |
| Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 |
| Tokbox icon – Odds and Ends – iOS – Zeplin.lnk | 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 |
| International English Language Testing System certificate.pdf.lnk | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b |
| Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 |
| Conversations – iOS – Swipe Icons – Zeplin.lnk | c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 |

C2 domains (ipconfig exfiltration)

- sixindent[.]epizy[.]com
- goodhk[.]azurewebsites[.]net
- zeplin[.]atwebpages[.]com

C2s used by svchast.exe

- 45.76.6[.]149
- www.comcleanner[.]info

MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
| --- | --- | --- | --- |
| Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe) |
| Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself |
| Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe) |
| Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Execution | T1204 | User Execution | Manual execution by user (opening LNK file) |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe) |
| Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe) |
| Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js) |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file |
| Discovery | T1012 | Query Registry | Reads the machine GUID from the registry |
| Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry |
| Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address |
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1726 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1727 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1728 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1729 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1730 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1731 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1732 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1733 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1734 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1735 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1736 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1737 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1738 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1739 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1740 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1741 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1742 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1743 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1744 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1745 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1746 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1747 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1748 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1749 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1750 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1751 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1752 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications 
(Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1753 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1754 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1755 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1756 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1757 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1758 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. 
Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1759 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1760 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User 
Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1761 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1762 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1763 of 1874 svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. 
In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1764 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1765 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1766 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1767 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1768 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1769 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Copy content of the LNK file into “g4ZokyumB2DC4.tmp” in %APPDATA% temp directory. Copy content of “certutil.exe” into “gosia.exe” ( “*ertu*.exe is used to bypass security detection). Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”. Decode content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”. Decompress content of “o423DFDS4.tmp” in temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3) . Copy “66DF3DFG.tmp” and “34fDKfSD38.js” files into “C:UsersPublicDownloads” directory. Execute the JS file by calling Wscript. Open the decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1770 of 1874 The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1771 of 1874 JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. 
This post was authored by Hossein Jazi and Jérôme Segura

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” in the temp directory along with a decoy PDF document using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only difference is the name of the tmp files and the name of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it “officeupdate.exe”.
4. Add “officeupdate.exe” to the scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
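The LNK steps above (findstr picks out the base64 lines, certutil decodes them, expand.exe unpacks the CAB) can be reproduced statically for triage: pull the blob out of the shortcut, decode it and list the CAB's file table without executing anything. This is an added example, not code from the Malwarebytes post; the LNK and CAB bytes it works on are constructed here, and the CAB parser reads only the header and file directory, not the compressed data blocks.

```python
"""Static triage of a Higaisa-style LNK: find the embedded base64 blob, decode
it and list the file table of the CAB it hides, without running the shortcut.
Added example (not code from the Malwarebytes post). The LNK and CAB bytes
below are constructed for the demo; real samples are not reproduced here."""
from __future__ import annotations

import base64
import binascii
import re
import struct

# A base64 run of at least 64 characters, allowing the CR/LF line breaks that
# certutil -decode tolerates (findstr.exe selected these lines in the real chain).
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")

CFHEADER = "<4sIIIIIBBHHHHH"   # signature .. iCabinet, 36 bytes
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs


def find_base64_blob(data: bytes) -> bytes | None:
    """Return the longest plausible base64 run, with line breaks stripped."""
    best = None
    for m in BASE64_RUN.finditer(data):
        run = m.group(0).replace(b"\r", b"").replace(b"\n", b"")
        if len(run) >= 64 and len(run) % 4 == 0 and (best is None or len(run) > len(best)):
            best = run
    return best


def parse_cab_file_table(cab: bytes) -> list[tuple[str, int]]:
    """Walk CFHEADER -> CFFILE entries and return (name, uncompressed size) pairs.

    Only the directory is read; no CFDATA block is decompressed."""
    if len(cab) < struct.calcsize(CFHEADER) or cab[:4] != b"MSCF":
        raise ValueError("not a CAB: missing MSCF signature")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER, cab, 0)
    if cb_cabinet != len(cab):
        raise ValueError(f"cbCabinet {cb_cabinet} does not match {len(cab)} bytes read")
    entries: list[tuple[str, int]] = []
    pos = coff_files
    for _ in range(c_files):
        if pos + struct.calcsize(CFFILE) > len(cab):
            raise ValueError("truncated CFFILE table")
        cb_file, _uoff, _ifolder, _date, _time, _attribs = struct.unpack_from(CFFILE, cab, pos)
        pos += struct.calcsize(CFFILE)
        end = cab.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        entries.append((cab[pos:end].decode("latin-1"), cb_file))
        pos = end + 1
    return entries


def triage_lnk(data: bytes) -> dict:
    """Classify what the shortcut carries: no blob, undecodable, non-CAB, or a CAB
    whose file list is returned (the dropped .tmp/.js and the decoy PDF)."""
    blob = find_base64_blob(data)
    if blob is None:
        return {"blob_found": False, "payload_type": None, "files": []}
    try:
        payload = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return {"blob_found": True, "payload_type": "undecodable", "files": []}
    if payload[:4] != b"MSCF":
        return {"blob_found": True, "payload_type": "other", "files": []}
    return {"blob_found": True, "payload_type": "cab", "files": parse_cab_file_table(payload)}


def build_sample_cab(names: list[tuple[str, int]]) -> bytes:
    """Construct a minimal CAB (header, one folder, file table, no data) for the demo."""
    files = b"".join(struct.pack(CFFILE, size, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
                     for n, size in names)
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    total = coff_files + len(files)
    header = struct.pack(CFHEADER, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    folder = struct.pack(CFFOLDER, total, 0, 0)  # typeCompress 0 = stored
    return header + folder + files


# Constructed stand-in for the LNK: a few header bytes, the command strings the
# shortcut would carry, then the wrapped base64 blob as findstr would see it.
SAMPLE_CAB = build_sample_cab([("66DF3DFG.tmp", 4096), ("34fDKfSD38.js", 1780),
                               ("Curriculum Vitae.pdf", 52000)])
_B64 = base64.b64encode(SAMPLE_CAB)
SAMPLE_LNK = (b"L\x00\x00\x00" + b"\x00" * 28
              + b"(constructed shell-link argument strings go here)\r\n"
              + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + b"\r\n<end of constructed sample>")

if __name__ == "__main__":
    report = triage_lnk(SAMPLE_LNK)
    print(report["payload_type"], [name for name, _ in report["files"]])
```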
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed.

Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims.

We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
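The chain described in this post (cmd.exe launched from WinRAR, certutil copied under another name and used to -decode a .tmp, expand.exe -F:* on the result, wscript.exe running a .js from C:\Users\Public\Downloads, a scheduled task whose action sits in the Startup folder) is also visible in process-creation telemetry. The detection logic below is an added example, not Malwarebytes' code: it runs over constructed Sysmon Event ID 1 style records and assumes the task is created through schtasks.exe, which the post does not state.

```python
r"""Process-creation detections for the chain the post describes: cmd.exe from
WinRAR, certutil copied under another name and used to -decode a .tmp,
expand.exe -F:* on the decoded .tmp, wscript.exe running a .js from
C:\Users\Public\Downloads, and a scheduled task pointing into the Startup folder.
Added example, not Malwarebytes' code. Events are constructed Sysmon Event ID 1
style records (Image, CommandLine, ParentImage, OriginalFileName), not telemetry."""
from __future__ import annotations

import ntpath
import re

ARCHIVERS = {"winrar.exe"}  # the post shows the LNK being launched from WinRAR


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def cmd_spawned_by_archiver(ev: dict) -> bool:
    """cmd.exe whose parent is the archiver: the LNK was opened inside the RAR."""
    return _base(ev["Image"]) == "cmd.exe" and _base(ev.get("ParentImage", "")) in ARCHIVERS


def renamed_certutil(ev: dict) -> bool:
    """certutil.exe copied to another name (gosia.exe here) keeps CertUtil.exe in its
    version resource, which Sysmon reports as OriginalFileName."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and _base(ev["Image"]) != "certutil.exe")


def certutil_decode_tmp(ev: dict) -> bool:
    """-decode with .tmp input and output, whatever the binary is called."""
    cl = ev["CommandLine"].lower()
    return "-decode" in cl and len(re.findall(r"\S+\.tmp\b", cl)) >= 2


def expand_all_from_tmp(ev: dict) -> bool:
    """expand.exe -F:* extracting a CAB that hides behind a .tmp extension."""
    cl = ev["CommandLine"].lower()
    return _base(ev["Image"]) == "expand.exe" and "-f:*" in cl and ".tmp" in cl


def script_host_public_downloads(ev: dict) -> bool:
    """wscript/cscript executing a .js staged in the world-writable Public Downloads folder."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["Image"]) in {"wscript.exe", "cscript.exe"}
            and "\\users\\public\\downloads\\" in cl and ".js" in cl)


def task_runs_from_startup(ev: dict) -> bool:
    """Scheduled task whose action lives in the Start Menu Startup folder (officeupdate.exe).
    Assumes creation via schtasks.exe; the post does not name the mechanism."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["Image"]) == "schtasks.exe" and "/create" in cl
            and "\\start menu\\programs\\startup\\" in cl)


RULES = {
    "archive_to_cmd": cmd_spawned_by_archiver,
    "renamed_certutil": renamed_certutil,
    "certutil_decode_tmp": certutil_decode_tmp,
    "expand_cab_from_tmp": expand_all_from_tmp,
    "script_from_public_downloads": script_host_public_downloads,
    "startup_folder_task": task_runs_from_startup,
}


def match_rules(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def chain_alert(events: list[dict], min_stages: int = 3) -> set[str]:
    """Raise one alert when several distinct stages of the chain appear on the same host,
    so a lone expand.exe or certutil use does not page anyone."""
    stages = {name for _, name in match_rules(events)}
    return stages if len(stages) >= min_stages else set()


CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample telemetry: five events from the chain, then two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": CMD, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy /y C:\Windows\System32\*ertu*.exe %TEMP%\gosia.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\gosia.exe", "ParentImage": CMD,
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"gosia.exe -decode %TEMP%\cSi1rouy4.tmp %TEMP%\o423DFDS4.tmp"},
    {"Image": r"C:\Windows\System32\expand.exe", "ParentImage": CMD, "OriginalFileName": "expand.exe",
     "CommandLine": r"expand.exe %TEMP%\o423DFDS4.tmp -F:* %TEMP%"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": CMD, "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Downloads\34fDKfSD38.js"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn OfficeUpdate /sc minute /mo 30 /tr '
                    r'"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe"'},
    # benign: the real certutil hashing a download, and a vendor script outside Public Downloads
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": r"certutil.exe -hashfile setup.msi SHA256"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": r'wscript.exe "C:\Program Files\Vendor\cleanup.js"'},
]

if __name__ == "__main__":
    for idx, rule in match_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("chain stages:", sorted(chain_alert(SAMPLE_EVENTS)))
```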
IOCs

CV_Colliers.rar
  df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar
  c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk
  1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk
  c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
  dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk
  c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Execution
  T1059  Command-Line Interface: Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution
  T1106  Execution through API: Application (AcroRd32.exe) launched itself
  T1053  Scheduled Task: Loads the Task Scheduler DLL interface (Officeupdate.exe)
  T1064  Scripting: Executes scripts (34fDFkfSD38.js)
  T1204  User Execution: Manual execution by user (opening LNK file)
Persistence
  T1060  Registry Run Keys / Startup Folder: Writes to a start menu file (Officeupdate.exe)
  T1053  Scheduled Task: Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation
  T1053  Scheduled Task: Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion
  T1064  Scripting: Executes scripts (34fDFkfSD38.js)
  T1140  Deobfuscate/Decode Files or Information: certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery
  T1012  Query Registry: Reads the machine GUID from the registry
  T1082  System Information Discovery: Reads the machine GUID from the registry
  T1016  System Network Configuration Discovery: Uses IPCONFIG.EXE to discover IP address
IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1799 of 1874 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1800 of 1874 Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1801 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1802 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1803 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1804 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1805 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1806 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1807 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1808 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1809 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1810 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1811 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1812 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1813 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1814 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1815 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address svchast.exe Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1816 of 1874 In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1817 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1818 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1819 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack. 
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1820 of 1874 IOCs CV_Colliers.rar df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d Project link and New copyright policy.rar c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04 Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9 Tokbox icon – Odds and Ends – iOS – Zeplin.lnk 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81 International English Language Testing System certificate.pdf.lnk c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6 Conversations – iOS – Swipe Icons – Zeplin.lnk c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1821 of 1874 C2 domains (ipconfig exfiltration) sixindent[.]epizy[.]com goodhk[.]azurewebsites[.]net zeplin[.]atwebpages[.]com C2s used by svchast.exe 45.76.6[.]149 www.comcleanner[.]info MITRE ATT&CK techniques Tactic ID Name Details Execution T1059 Command-Line Interface Starts CMD.EXE for commands (WinRAR.exe, wscript.exe) execution T1106 Execution through API Application (AcroRd32.exe) launched itself T1053 Scheduled Task Loads the Task Scheduler DLL interface (Officeupdate.exe) T1064 Scripting Executes scripts (34fDFkfSD38.js) T1204 User Execution Manual execution by user (opening LNK file) Persistence T1060 Registry Run Keys / Startup Folder Writes to a start menu file (Officeupdate.exe) T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Privilege Escalation T1053 Scheduled Task Uses Task Scheduler to run other applications (Officeupdate.exe) Defense Evasion T1064 Scripting Executes scripts (34fDFkfSD38.js) T1140 Deobfuscate/Decode Files or Information certutil to decode Base64 
binaries, expand.exe to https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1822 of 1874 decompress a CAB file Discovery T1012 Query Registry Reads the machine GUID from the registry T1082 System Information Discovery Reads the machine GUID from the registry T1016 System Network Configuration Discovery Uses IPCONFIG.EXE to discover IP address JS file The JavaScript file performs the following commands: Create “d3reEW.exe” in “C:UsersPublicDownloads” and store “cmd /c ipconfig” in it. Execute the dropped “svchast.exe”. Copy “svchhast.exe” into startup directory and rename it as “officeupdate.exe”. Add “officeupdate.exe” to scheduled tasks. Send a POST request to a hardcoded URL with “d3reEW.exe” as data. svchast.exe https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1823 of 1874 Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1824 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1825 of 1874 Finally it calls “CreateThread” to create a thread within its memory space to make HTTPS requests to its C&C server. https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ Page 1826 of 1874 At the time of analysis, the server was down so we weren’t able to clearly identify the ultimate goal of this attack. Chaining techniques for evasion While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. 
This post was authored by Hossein Jazi and Jérôme Segura.

On May 29th, we identified an attack that we believe is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea.

In this latest incident, Higaisa used a malicious shortcut (LNK) file that starts a multi-stage attack consisting of several malicious scripts, payloads and decoy PDF documents.

Distribution

The threat actors used a malicious LNK file bundled within an archive file which was most likely distributed via spear-phishing. We were able to identify two variants of this campaign that were possibly distributed between May 12th and 31st:

“CV_Colliers.rar”
“Project link and New copyright policy.rar”

Both RAR archives bundle two malicious LNK files. In the newer variant (CV_Colliers.rar), the LNK files are disguised as a Curriculum Vitae (CV) and International English Language Testing System (IELTS) exam results. The older one (Project link and New copyright policy.rar) seems to target product teams that are using zeplin.io.

The following shows the overall process flow when executing the malicious LNK file.
LNK file

The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64-encoded compressed payload. Here is the list of commands that will be executed:

1. Copy the content of the LNK file into “g4ZokyumB2DC4.tmp” in the %APPDATA% temp directory.
2. Copy the content of “certutil.exe” into “gosia.exe” (the wildcard “*ertu*.exe” is used instead of the full name to bypass security detection).
3. Look for the base64 blob using “findstr.exe” and write it to “cSi1rouy4.tmp”.
4. Decode the content of “cSi1rouy4.tmp” using “gosia.exe -decode” (certutil.exe -decode) and write it to “o423DFDS4.tmp”.
5. Decompress the content of “o423DFDS4.tmp” (a CAB archive) in the temp directory, along with a decoy PDF document, using “expand.exe -F:*” (Figure 3).
6. Copy the “66DF3DFG.tmp” and “34fDKfSD38.js” files into the “C:\Users\Public\Downloads” directory.
7. Execute the JS file by calling Wscript.
8. Open the decoy document.

The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higaisa Covid-19 campaign. The only differences are the names of the tmp files and the name given to the copy of certutil.exe, which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”.

Both LNK files embedded within the archive execute similar commands with different Command and Control (C&C) configurations. Running each of them would show a different decoy document.

JS file

The JavaScript file performs the following commands:

1. Create “d3reEW.exe” in “C:\Users\Public\Downloads” and store the output of “cmd /c ipconfig” in it.
2. Execute the dropped “svchast.exe”.
3. Copy “svchast.exe” into the startup directory and rename it as “officeupdate.exe”.
4. Add “officeupdate.exe” to scheduled tasks.
5. Send a POST request to a hardcoded URL with “d3reEW.exe” as data.
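The LNK stage described above never downloads anything: the payload travels inside the shortcut as a base64 blob, and three signed Windows binaries (findstr.exe, a renamed certutil.exe, expand.exe) turn it into files on disk. The Python below is an added triage helper, not code from the Malwarebytes post or from the sample. It treats the shortcut as an opaque byte carrier, finds the longest base64 run (the sample's findstr step selects the blob by pattern; the exact pattern is not given in the post, so the length threshold here is an assumption), decodes it the way certutil -decode would, and walks the CAB directory (MS-CAB CFHEADER and CFFILE structures) to list what expand.exe -F:* would drop, without executing anything. The CAB builder, the carrier bytes, the file contents and the decoy name “decoy.pdf” are constructed for the example; only the two dropped file names come from the post.

```python
"""Added triage helper (not code from the Malwarebytes post): locate the base64
blob an LNK carrier embeds, decode it the way 'certutil -decode' would, and list
the files in the resulting CAB without running expand.exe."""
import base64
import re
import struct
from typing import Dict, List, Optional, Tuple

# MS-CAB on-disk structures, little-endian. CFHEADER is 36 bytes; CFFILE is
# 16 fixed bytes followed by a NUL-terminated file name.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CFFILE = struct.Struct("<IIHHHH")
# Long runs only (assumption: >= 200 chars), so ordinary strings in the
# shortcut's argument block do not qualify as the payload.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_base64_blob(carrier: bytes) -> Optional[bytes]:
    """Return the longest base64 run in the carrier, or None if there is none."""
    runs = B64_RUN.findall(carrier)
    return max(runs, key=len) if runs else None


def decode_blob(blob: bytes) -> bytes:
    """certutil -decode tolerates missing '=' padding; b64decode does not, so pad."""
    return base64.b64decode(blob + b"=" * (-len(blob) % 4))


def list_cab_files(cab: bytes) -> List[Tuple[str, int]]:
    """Walk the CFFILE directory of a CAB and return (name, uncompressed size)."""
    if cab[:4] != b"MSCF":
        raise ValueError("payload is not a CAB: MSCF signature missing")
    fields = CFHEADER.unpack_from(cab, 0)
    coff_files, n_files = fields[4], fields[9]      # CFHEADER.coffFiles, CFHEADER.cFiles
    entries, pos = [], coff_files
    for _ in range(n_files):
        cb_file = CFFILE.unpack_from(cab, pos)[0]     # CFFILE.cbFile
        pos += CFFILE.size
        end = cab.index(b"\x00", pos)                 # szName is NUL-terminated
        entries.append((cab[pos:end].decode("latin-1"), cb_file))
        pos = end + 1
    return entries


def triage_carrier(carrier: bytes) -> List[Tuple[str, int]]:
    """Whole chain: locate blob -> decode -> CAB directory listing."""
    blob = find_base64_blob(carrier)
    if blob is None:
        raise ValueError("no base64 blob found in carrier")
    return list_cab_files(decode_blob(blob))


def build_store_cab(files: Dict[str, bytes]) -> bytes:
    """Constructed sample only: one folder, one CFDATA block, tcompTYPE_NONE."""
    folder_data = b"".join(files.values())
    directory, offset = b"", 0
    for name, body in files.items():
        # cbFile, uoffFolderStart, iFolder, date, time, attribs (0x20 = archive)
        directory += CFFILE.pack(len(body), offset, 0, 0x50C3, 0x0000, 0x20) + name.encode() + b"\x00"
        offset += len(body)
    coff_files = CFHEADER.size + 8                    # header + one 8-byte CFFOLDER
    coff_cab_start = coff_files + len(directory)
    cfdata = struct.pack("<IHH", 0, len(folder_data), len(folder_data)) + folder_data
    header = CFHEADER.pack(b"MSCF", 0, coff_cab_start + len(cfdata), 0, coff_files, 0,
                           3, 1, 1, len(files), 0, 0, 0)
    folder = struct.pack("<IHH", coff_cab_start, 1, 0)  # 1 CFDATA block, no compression
    return header + folder + directory + cfdata


# Constructed carrier: LNK magic, some shortcut-like filler, a command-line-like
# string, then the blob. Dropped-file names follow the post; contents are dummies.
SAMPLE_PAYLOAD = build_store_cab({
    "66DF3DFG.tmp": b"\x90" * 64,
    "34fDKfSD38.js": b"WScript.Echo('constructed');\r\n",
    "decoy.pdf": b"%PDF-1.4 constructed decoy\n",
})
SAMPLE_CARRIER = (b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 24
                  + b"cmd.exe /c copy *ertu*.exe gosia.exe & gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp\r\n"
                  + base64.b64encode(SAMPLE_PAYLOAD) + b"\r\n")

if __name__ == "__main__":
    for name, size in triage_carrier(SAMPLE_CARRIER):
        print(f"{name:20s} {size:6d} bytes")
```

Run against a real sample, feed it the shortcut itself or the “g4ZokyumB2DC4.tmp” copy: both hold the same bytes, which is why the LNK copies itself to %APPDATA% before findstr runs. The listing tells you what expand.exe will write before you let anything execute.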
svchast.exe

Svchast.exe is a small loader that loads the content of the shellcode stored in “66DF3DFG.tmp”. This shellcode is in fact a wrapper around the final shellcode: it performs some checks and then calls the final shellcode. The final shellcode dynamically resolves its imports and allocates memory for the content that will be executed. Finally, it calls “CreateThread” to create a thread within its own memory space to make HTTPS requests to its C&C server.

At the time of analysis, the server was down, so we weren’t able to clearly identify the ultimate goal of this attack.

Chaining techniques for evasion

While most malware campaigns use a simple decoy document that typically retrieves a malware payload, more advanced attackers will often try unconventional means to infect their victims. We reproduced this attack in our lab using an email as the infection vector, as we surmise that victims were spear-phished. Malwarebytes (in this case the Nebula business version) stopped the LNK file execution from WinRAR and therefore completely stopped the attack.
IOCs

File | SHA-256
CV_Colliers.rar | df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
Project link and New copyright policy.rar | c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
Tokbox icon – Odds and Ends – iOS – Zeplin.lnk | 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
International English Language Testing System certificate.pdf.lnk | c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk | dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
Conversations – iOS – Swipe Icons – Zeplin.lnk | c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5

C2 domains (ipconfig exfiltration)
sixindent[.]epizy[.]com
goodhk[.]azurewebsites[.]net
zeplin[.]atwebpages[.]com

C2s used by svchast.exe
45.76.6[.]149
www.comcleanner[.]info

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Execution | T1059 | Command-Line Interface | Starts CMD.EXE for command execution (WinRAR.exe, wscript.exe)
Execution | T1106 | Execution through API | Application (AcroRd32.exe) launched itself
Execution | T1053 | Scheduled Task | Loads the Task Scheduler DLL interface (Officeupdate.exe)
Execution | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Execution | T1204 | User Execution | Manual execution by user (opening LNK file)
Persistence | T1060 | Registry Run Keys / Startup Folder | Writes to a start menu file (Officeupdate.exe)
Persistence | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Privilege Escalation | T1053 | Scheduled Task | Uses Task Scheduler to run other applications (Officeupdate.exe)
Defense Evasion | T1064 | Scripting | Executes scripts (34fDFkfSD38.js)
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil to decode Base64 binaries, expand.exe to decompress a CAB file
Discovery | T1012 | Query Registry | Reads the machine GUID from the registry
Discovery | T1082 | System Information Discovery | Reads the machine GUID from the registry
Discovery | T1016 | System Network Configuration Discovery | Uses IPCONFIG.EXE to discover IP address
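Every row in the table above, and every step of the JS stage, is an ordinary signed Windows binary used in an unusual way, which is what makes the chain detectable from process-creation telemetry alone. The Python below is an added detection example, not code from the Malwarebytes post: six rules over Sysmon-style process-creation records (Image, ParentImage, OriginalFileName, CommandLine), run over a constructed set of events modelled on the chain plus two benign ones. The renamed-certutil rule relies on OriginalFileName, which Sysmon reads from the PE version resource, so copying certutil.exe to gosia.exe or mosia.exe does not change it. The post does not say how the officeupdate.exe task was created, so the schtasks.exe invocation is an assumption of this example, as are the 7-Zip process names and all file paths in the sample events.

```python
"""Added detection example (not code from the Malwarebytes post): the LOLBin
chain the post describes, written as rules over Sysmon-style process-creation
records. Every record below is constructed for this example."""
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def renamed_certutil(e: Event) -> bool:
    """gosia.exe / mosia.exe trick: the file was renamed, but the PE version
    resource Sysmon reports as OriginalFileName still says CertUtil.exe."""
    return e.get("OriginalFileName", "").lower() == "certutil.exe" and _base(e["Image"]) != "certutil.exe"


def certutil_decode(e: Event) -> bool:
    """Any copy of certutil, whatever its file name, running -decode."""
    return e.get("OriginalFileName", "").lower() == "certutil.exe" and "-decode" in e["CommandLine"].lower()


def expand_from_temp(e: Event) -> bool:
    """expand.exe -F:* unpacking a CAB that lives in a Temp directory."""
    cl = e["CommandLine"].lower()
    return _base(e["Image"]) == "expand.exe" and "-f:" in cl and "\\temp\\" in cl


def wscript_public_downloads(e: Event) -> bool:
    """Script host started on a file under C:\\Users\\Public (34fDKfSD38.js)."""
    return _base(e["Image"]) in ("wscript.exe", "cscript.exe") and "\\users\\public\\" in e["CommandLine"].lower()


def archiver_spawns_cmd(e: Event) -> bool:
    """cmd.exe whose parent is an archive viewer: the LNK was run from inside the
    RAR. WinRAR is what the post saw; the 7-Zip names are this example's assumption."""
    return _base(e["Image"]) == "cmd.exe" and _base(e.get("ParentImage", "")) in ("winrar.exe", "7zfm.exe", "7zg.exe")


def schtasks_startup_binary(e: Event) -> bool:
    """Scheduled task whose action points into a Startup folder (officeupdate.exe).
    Assumes the task is created with schtasks.exe; the post does not say how."""
    cl = e["CommandLine"].lower()
    return _base(e["Image"]) == "schtasks.exe" and "/create" in cl and "\\startup\\" in cl


RULES: List[Callable[[Event], bool]] = [
    renamed_certutil, certutil_decode, expand_from_temp,
    wscript_public_downloads, archiver_spawns_cmd, schtasks_startup_binary,
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, RecordId) for every rule that fires on every event."""
    return [(rule.__name__, e["RecordId"]) for e in events for rule in RULES if rule(e)]


# Constructed paths and records modelled on the chain in the post, plus two benign ones.
TMP = r"C:\Users\victim\AppData\Local\Temp"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"cmd.exe /c copy /y %windir%\system32\*ertu*.exe gosia.exe"},
    {"RecordId": "2", "Image": TMP + r"\gosia.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "gosia.exe -decode cSi1rouy4.tmp o423DFDS4.tmp"},
    {"RecordId": "3", "Image": r"C:\Windows\System32\expand.exe", "OriginalFileName": "expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"expand.exe {TMP}\\o423DFDS4.tmp -F:* {TMP}"},
    {"RecordId": "4", "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\Downloads\34fDKfSD38.js"},
    {"RecordId": "5", "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": f'schtasks /create /tn OfficeUpdate /tr "{STARTUP}\\officeupdate.exe" /sc minute /mo 10'},
    {"RecordId": "6", "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "certutil -verify server.cer"},
    {"RecordId": "7", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for rule, rec in evaluate(SAMPLE_EVENTS):
        print(f"record {rec}: {rule}")
```

The benign certutil -verify (record 6) and the cmd.exe started from Explorer (record 7) fire nothing, while the attack chain fires one rule per stage and two on the renamed certutil. In production, correlate the hits by parent process tree rather than alerting on each rule alone: expand.exe from Temp or a script under Public is noisy on its own, but the sequence inside one WinRAR-rooted tree is not.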
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 162 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 178 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 180 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 187 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
Page 189 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 197 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 199 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 208 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 216 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 218 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 231 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 239 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 241 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 255 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 263 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 265 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 272 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 280 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
Page 288 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 290 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 297 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 306 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 314 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 316 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 332 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 340 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 342 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 350 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 359 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 367 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 369 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 386 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 394 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
Page 396 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 403 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 405 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 414 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 422 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 424 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 435 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 437 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 446 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
Page 454 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 456 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 468 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 470 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 479 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. 
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 487 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 489 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 496 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 502 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 504 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 513 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 521 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 523 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 530 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
Page 537 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 539 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 548 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 556 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 558 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1335 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1342 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1357 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1372 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1374 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
Page 1383 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1391 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1393 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1404 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1419 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. 
Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1434 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1436 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1445 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1453 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1455 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1467 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1482 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1497 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1499 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1508 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1516 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1518 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1525 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1531 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1546 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1561 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1563 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1572 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1580 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. 
Page 1582 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1593 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1599 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1614 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1629 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1631 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1640 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1648 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1650 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1662 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1668 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1683 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1698 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1700 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1709 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. 
Page 1717 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1719 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1735 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1741 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1756 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1771 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. 
It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1773 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1782 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1790 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1792 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1811 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. 
The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1817 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1832 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1847 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1849 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1858 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ The list of commands executed by this LNK shortcut is the same as the one reported by Anomali on the Higasia Covid-19 campaign. 
The only difference is the name of the tmp files and name of certutil.exe which in this new case is “gosia.exe”, while in the March campaign the name was “mosia.exe”. Both LNK files embedded within the archive are executing similar commands with the different Command and Control (C&C) configurations. Running each of them would show a different decoy document. Page 1866 of 1874 https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ In fact, this shellcode is a wrapper around the final shellcode. It performs some checks and then calls the final shellcode. The final shellcode dynamically resolves the imports and allocates memory for the content that will be executed. Page 1868 of 1874