Cyble CRIL uncovered a new Higaisa APT operation that uses a phishing site impersonating legitimate VPN software to deliver a Rust-based payload. The malware features anti-debugging, shellcode decryption, and encrypted C2 communication, with connections to additional installers that download Google Meet and Zoom. #Higaisa #OpenVPN #Cyble #GoogleMeet #Zoom #ZhiyaYunke
Keypoints
- Cyble Research and Intelligence Labs (CRIL) discovered a new Advanced Persistent Threat (APT) campaign focusing on luring unsuspecting victims through phishing websites mimicking well-known software applications.
- A phishing site masquerades as OpenVPN for Chinese users and serves as the host to deliver the malicious payload.
- On execution, the installer drops a Rust-based malware (rom.exe), which runs shellcode that decrypts its encrypted content and continues execution from there.
- The Shellcode performs anti-debugging and decryption operations, then establishes encrypted Command and Control (C2) communication with a remote Threat Actor (TA).
- The malware shares characteristics with previously observed Higaisa APT campaigns, suggesting a linkage or reuse of techniques.
- Investigations show the C2 IP is associated with three additional installers that download Google Meet and Zoom, indicating broader, coordinated malicious activity.
MITRE Techniques
- [T1189] Drive-by Compromise – Brief description: TAs hosting malware on websites. Quote: ‘phishing websites … mimic well-known software applications.’
- [T1203] User Execution – Brief description: User opens the malicious software installer. Quote: ‘User opens the malicious software installer’
- [T1574.005] Hijack Execution Flow: Executable Installer File Permissions Weakness – Brief description: TAs embedded malicious executable with legitimate software installer. Quote: ‘TAs embedded malicious executable with legitimate software installer’
- [T1622] Debugger Evasion – Brief description: Debugger evasion via anti-debugging checks. Quote: ‘Debugger Evasion (T1622)’ and ‘implemented source code hashing to check breakpoints’
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Brief description: Encrypted communication to C2 using AES-128. Quote: ‘Encrypted Channel: Symmetric Cryptography’ and ‘using AES 128-bit encryption to send the data to C&C’
- [T1437.001] Application Layer Protocol: Web Protocols – Brief description: Command and control over HTTP. Quote: ‘Application Layer Protocol : Web Protocols’ and ‘Communicated with C&C server using HTTP’
- [T1041] Exfiltration Over C2 Channel – Brief description: Data exfiltration over the C2 channel. Quote: ‘Exfiltration Over C&C Channel’
Indicators of Compromise
- [URL] context – open-vpn.top – Download page
- [IP] context – 43.246.209.83 and the 43.246.208.0/22 network (APNIC, Hong Kong) – C2 communications
- [MD5] Malicious installer – aec9716853a0814b3bf974314542b999, and 2 more hashes
- [SHA1] Malicious installer – 93a5cb6925e6d7154401142478739bf82f1a7611, and 2 more hashes
- [SHA256] Malicious installer – 2ce87c2719fa5119e6519a1c97b18a4b30ec1ec39167454c94a057831ae3ebcf, and 2 more hashes
- [File name] Malicious executables – rom.exe, GoogleMeet.exe, and 2 more files (Zoom.exe, Pg.exe)
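An added illustration, not part of Cyble's report or tooling: a small Python sweep that checks proxy, firewall and EDR log lines against the indicators listed above (only the hashes printed on this page are included; the log lines and their field names are constructed for the example).

```python
# Added example (not from the Cyble report): IoC sweep over constructed log lines.
import ipaddress
import re

# Indicators copied from the report summary above; the "2 more hashes" are not on the page.
IOC_DOMAINS = {"open-vpn.top"}
IOC_IPS = {ipaddress.ip_address("43.246.209.83")}
IOC_NETWORKS = [ipaddress.ip_network("43.246.208.0/22")]   # whole C2 range, not just one host
IOC_HASHES = {
    "aec9716853a0814b3bf974314542b999",                                  # MD5
    "93a5cb6925e6d7154401142478739bf82f1a7611",                          # SHA1
    "2ce87c2719fa5119e6519a1c97b18a4b30ec1ec39167454c94a057831ae3ebcf",  # SHA256
}
IOC_FILENAMES = {"rom.exe", "googlemeet.exe", "zoom.exe", "pg.exe"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
FILE_RE = re.compile(r"[\w.-]+\.exe\b", re.IGNORECASE)

def match_line(line):
    """Return sorted (indicator_type, value) hits for one log line."""
    hits = set()
    low = line.lower()
    for d in IOC_DOMAINS:
        if d in low:
            hits.add(("domain", d))
    for raw in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an IP
            continue
        if ip in IOC_IPS or any(ip in net for net in IOC_NETWORKS):
            hits.add(("ip", raw))
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.add(("hash", h.lower()))
    for f in FILE_RE.findall(line):
        if f.lower() in IOC_FILENAMES:
            hits.add(("file", f.lower()))
    return sorted(hits)

def sweep(lines):
    """Return [(line_index, hits)] for every line with at least one IoC hit."""
    return [(i, match_line(l)) for i, l in enumerate(lines) if match_line(l)]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z proxy user=alice dst=open-vpn.top path=/download/openvpn-setup.exe status=200",
    "2024-05-01T10:04:37Z edr host=WS-17 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\rom.exe sha256=2ce87c2719fa5119e6519a1c97b18a4b30ec1ec39167454c94a057831ae3ebcf",
    "2024-05-01T10:04:52Z firewall src=10.0.0.17 dst=43.246.209.83 dport=80 proto=tcp action=allow",
    "2024-05-01T10:05:03Z firewall src=10.0.0.17 dst=43.246.211.9 dport=443 proto=tcp action=allow",
    "2024-05-01T11:00:00Z proxy user=bob dst=example.com path=/ status=200",
]
```

The fourth line shows why the /22 is kept as a network object rather than a single string: 43.246.211.9 is not listed on the page but falls inside the reported range.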
Read more: https://cyble.com/blog/higaisa-apt-resurfaces-via-phishing-website-targeting-chinese-users/