Higaisa
[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
Techniques: 28
Covered: 25
Gaps: 3
Coverage: 89% (25/28)
COVERED (25)
- T1001.003 Protocol or Service Impersonation (2 det.)
- T1016 System Network Configuration Discovery (39 det.)
- T1027.001 Binary Padding (3 det.)
- T1027.013 Encrypted/Encoded File (8 det.)
- T1027.015 Compression (2 det.)
- T1036.004 Masquerade Task or Service (7 det.)
- T1041 Exfiltration Over C2 Channel (31 det.)
- T1053.005 Scheduled Task (99 det.)
- T1057 Process Discovery (20 det.)
- T1059.003 Windows Command Shell (82 det.)
- T1059.005 Visual Basic (68 det.)
- T1059.007 JavaScript (61 det.)
- T1071.001 Web Protocols (80 det.)
- T1082 System Information Discovery (86 det.)
- T1090.001 Internal Proxy (10 det.)
- T1106 Native API (29 det.)
- T1124 System Time Discovery (4 det.)
- T1140 Deobfuscate/Decode Files or Information (58 det.)
- T1203 Exploitation for Client Execution (75 det.)
- T1204.002 Malicious File (425 det.)
- T1220 XSL Script Processing (12 det.)
- T1547.001 Registry Run Keys / Startup Folder (53 det.)
- T1564.003 Hidden Window (11 det.)
- T1566.001 Spearphishing Attachment (905 det.)
- T1574.001 DLL (109 det.)