The Korean threat actor Higaisa, has been using malicious LNK files in recent attacks aimed at organizations that use the Zeplin collaboration platform.
The group is believed to be a nation-state actor that has been active since at least 2016, but remained under the radar since 2019. The arsenal of the group includes common RAT such as Gh0st and PlugX that were employed in attacks against government officials and human rights organizations.
In the past weeks, the threat actors employed malicious shortcut (LNK) files in a series of multi-stage attacks.
“In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.” reads the analysis published by MalwareBytes.
Threat actors distributed the LNK file bundled in an archive via spear-phishing messages. Experts identified two variants of the attack between May 12 and May 31, using the “Project link and New copyright policy.rar” and “CV_Colliers.rar” archive files, respectively.
The Project link and New copyright policy.rar were involved in attacks against organizations using zeplin.io.
Upon running the LNK file, the list of commands that it includes will be executed.
The attack was likely planned early of May, the malicious LNK file was created on May 11 when victims started receiving the malicious RAR file. The “Project link and New copyright policy.rar” archive was submitted to VirusTotal on May 12.
Another attack was observed on May 30, in this case attackers used a weaponized curriculum vitae (CV) impersonating a college student named “Wang Lei” from Hong Kong.
Malwarebytes too observed the attacks, explaining that the LNK files in this campaign were designed to execute the same commands that were detailed by Anomali in a report describing COVID-19 attacks in March.
All of the attacks appear associated with Higaisa and show the threat actor’s ability to tailor its attacks based on current events: the hackers started leveraging not only the increased interest in the COVID-19 crisis, but also the increased adoption of collaboration tools to facilitate working from home (WFH) during the pandemic.
“By analyzing individual elements of this campaign, we noted a number of correlations to prior threat actor reporting. […] Based upon the totality of available information, we assess with high confidence that this campaign was performed by the same actors responsible for the Coronavirus, Covid-19, themed campaign in March,” Prevailion’s researchers say.
Based on Google trends, Prevailion discovered that the Zeplin app that was targeted in early May was of interest in the United States, United Kingdom, and India, which could be a possible hint at the targeted entities.
Additional technical details, including Indicators of Compromise (IoCs), are reported in the analysis published by MalwareBytes.
(SecurityAffairs – Higaisa, hacking)