Higaisa
[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)
- Techniques: 28
- Covered: 25
- Gaps: 3
- Coverage: 89% (25/28)
COVERED (25)

| Technique | Name | Detections |
|---|---|---|
| T1001.003 | Protocol or Service Impersonation | 2 |
| T1016 | System Network Configuration Discovery | 35 |
| T1027.001 | Binary Padding | 3 |
| T1027.013 | Encrypted/Encoded File | 7 |
| T1027.015 | Compression | 2 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1041 | Exfiltration Over C2 Channel | 30 |
| T1053.005 | Scheduled Task | 82 |
| T1057 | Process Discovery | 18 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1059.007 | JavaScript | 58 |
| T1071.001 | Web Protocols | 74 |
| T1082 | System Information Discovery | 80 |
| T1090.001 | Internal Proxy | 10 |
| T1106 | Native API | 27 |
| T1124 | System Time Discovery | 4 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.002 | Malicious File | 397 |
| T1220 | XSL Script Processing | 12 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1564.003 | Hidden Window | 11 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1574.001 | DLL | 106 |