Higaisa, APT, China, Phishing

Higaisa APT Resurfaces via Phishing Website targeting Chinese Users

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has discovered a new Advanced Persistent Threat (APT) campaign focusing on luring unsuspecting victims through phishing websites mimicking well-known software applications.
  • In this campaign, a phishing website was observed masquerading as OpenVPN software tailored for Chinese users and serves as a host to deliver the malicious payload.
  • Once executed, the installer drops and runs Rust-based malware on the system, subsequently triggering a Shellcode.
  • The Shellcode performs anti-debugging and decryption operations. Afterward, it establishes encrypted Command and Control (C&C) communication with a remote Threat Actor (TA).
  • Surprisingly, the characteristics of this malware bear similarities to those previously employed by the Higaisa APT group in their past campaigns.
  • Further investigation revealed that the C&C IP was associated with three additional malicious installers responsible for downloading Google Meet and Zoom, indicating a broader and coordinated malicious effort.


Cyble Research and Intelligence Labs (CRIL) discovered a phishing website named “open-vpn[.]top” on October 16th. This deceptive site is designed to imitate the legitimate OpenVPN website. It is suspected to be associated with a new campaign initiated by an Advanced Persistent Threat (APT) group called Higaisa.

Higaisa APT is believed to have South Korean origins and was initially disclosed by Tencent Security Threat Intelligence Center in early 2019. The group’s malicious activities can be traced back to at least 2016, involving the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Their targets encompass government officials, human rights organizations, and other entities associated with North Korea.

Phishing websites are frequently utilized by Threat Actors (TAs) as their primary method for distributing malware. These TAs frequently employ brand impersonation in their phishing campaigns, adeptly tricking users into a false sense of trust and legitimacy, ultimately enticing unsuspecting individuals. Given the widespread use of VPNs by individuals to overcome online censorship, it is conceivable that these TAs are specifically targeting those seeking to evade such restrictions. The image below depicts the fraudulent OpenVPN website.

Phishing, Higaisa, OpenVPN
Figure 1 – Fake OpenVPN website

The website hosted a malicious OpenVPN installer file, which is bundled with a genuine OpenVPN executable and a malicious Rust-based executable. Notably, the Rust-based executable has a valid digital signature. This digital signature is attributed to the Chinese organization “Zhiya Yunke (Chengdu) Finance and Tax Service Co., Ltd.,” as shown below.

Malware, Digital Signature
Figure 2 – Valid Digital Signature of the Malware File

CRIL investigated further to identify any resemblances to previous campaigns. During this analysis, we discovered that Malwarebytes had previously identified a campaign where the initial infection was initiated through LNK files. Additionally, Zscaler published an in-depth analysis of the final payload used in that campaign.

Technical Analysis

We have obtained a file named “OpenVPN.exe” from the phishing website. This file is a 32-bit Graphical User Interface-based executable.

Upon execution of the file, it initiates a prompt for the user to choose their desired language, as shown in the figure below. It displays an installation wizard to proceed with the installation process.

Figure 3 – Open VPN Installer

During the installation, the installer drops several files in the “C:\Program Files (x86)\OpenVPN” directory. These files consist of the genuine OpenVPN MSI installer (openvpn.msi), two legitimate runtime DLLs (vcruntime140.dll & vcruntime140Org.dll), and an additional malicious 64-bit console-based executable file written in the Rust programming language named “rom.exe,” which is a shellcode runner. Then, the installer file executes the malicious “rom.exe” file.

The figure below shows the files dropped by the OpenVPN executable.

Higaisa, OpenVPN
Figure 4 – Malware Dropped in the Program File (x86)

When “rom.exe” is executed, the malware employs Windows APIs such as FindResource(), LoadResource(), and SizeofResource() to search for encrypted content stored within the executable’s resource section. Subsequently, it decrypts this content, which is a Shellcode and proceeds to execute it. The figure below shows the malware locating and executing the Shellcode.

Figure 5 – Routine to Load and Execute the Shellcode

Upon execution, the Shellcode conducts an anti-debugging check by calculating a 32-bit hash of the current code section and subsequently comparing it to the original 32-bit hash of the code section. This check is designed to detect debugging attempts. When a debugger is in use, and a breakpoint is added, the debugger inserts the opcode “0xCC” at the location where the original opcode existed. This alteration to the opcode disrupts the original hash of the code section. If the hash does not match, the Shellcode terminates itself. The figure below shows the hash comparison.

Anti-debugging, File hash, Higaisa
Figure 6 – Hash Comparison for Anti Debugging

Subsequent to performing the anti-debugging operation, the malware proceeds secondary decryption of the Shellcode using a 16-byte XOR key and executes it, as shown in the figure below.

Shellcode Decryption
Figure 7 – Shellcode Decryption

After decryption, it creates a new thread with the purpose of generating a cryptographic session key. This key is intended to be sent to the C&C server to establish a secure communication channel.

To generate the session key, the Shellcode initially utilizes the API function UUIDCreate(), which generates a 16-byte UUID (Universally Unique Identifier). This UUID will then be used for creating an AES encryption key. The code responsible for creating this UUID is depicted in the figure below.

Figure 8 – Routine to Create the UUID Code

After generating the initial UUID, it proceeds to create an additional UUID. The last byte of the newly created UUID is typically used to generate a byte that will be used to compute a 32-bit hash using ROR and ADD-based instructions. This process is similar to the process used by shell code to compute hash at the time of anti-debugging operation. This hash is then passed to the CryptBinaryToStringA() API function for the purpose of generating Base64 encoded data using the second UUID, as shown in the figure below.

File hash, Base64
Figure 9 – Shellcode Creating Hash and Converting to Base64

The Shellcode employs the Windows Crypto API CryptCreateHash() to generate an MD5 hash using the first UUID. Subsequently, the Shellcode proceeds to create a second MD5 hash, this time of the previously generated hash. The figure below shows the routine for creating these hashes.

MD5 Hash, Higaisa
Figure 10 – Routine to Create MD5 Hash

Once the hashes are generated, the Shellcode proceeds to create a 128-bit AES encryption key using the CryptDeriveKey() function. The figure below shows the routine involved in creating this 128-bit AES key.

AES Key, Encryption
Figure 11 – AES Key Encryption Key Generation

The newly generated AES key is employed to enable encrypted communication with the C&C server. To establish a secure connection with the C&C server, the Shellcode utilizes a socket.

Following the key initialization, the Shellcode initiates another thread, within which it establishes a socket connection and verifies the internet connectivity. To determine internet availability, the Shellcode evaluates connections to a predefined list of websites. If any of these websites can be reached, the Shellcode proceeds with additional operations. The figure below shows the routine containing hardcoded URLs.

Hardcoded URLs, Higaisa
Figure 12 – Hardcoded URLs

Network Communication

Following an internet connectivity check, the Shellcode initiates communication with the C&C server. To facilitate this communication, the Shellcode spawns additional threads. Specifically, it creates two additional threads that collaborate to manage the commands exchanged between the backdoor and the C&C server.

The Shellcode creates a dispatch thread to handle the commands posted by the worker thread. The function of the dispatch thread is to create a message queue leveraging the PeekMessageW() API. Then, the worker thread proceeds to send the message ID alongside the command buffer to the message queue using the PostThreadMessageW() API.

Once the dispatch thread receives a message from the worker thread, the message is then retrieved with the help of the GetMessageW() API.

Based on the ID of the messages received, the command handler will accordingly receive the message. The figure below shows the dispatch thread.

Figure 13 – Shellcode Dispatching Thread  

The shellcode is communicating to the IP 43.246.209[.]83 whose details are mentioned below:

Autonomous System Number132883
Autonomous System LabelTOPWAY GLOBAL LIMITED
Regional Internet RegistryAPNIC

Upon establishing a successful connection with the C&C server, the attacker gains the ability to take control of the victim’s machine, perform malicious activities, and deploy additional malware, such as ransomware and others.

CRIL also noticed three additional files engaged in communication with the C&C server, masquerading as GoogleMeet and ZoomInstaller.


TAs often hide their malware payloads within genuine software installer files for various strategic reasons. This approach leverages the trust users have in legitimate software, increasing the likelihood of users willingly executing these files – believing them to be secure. Moreover, genuine software installers are frequently distributed through widely recognized channels, diminishing suspicion and boosting the chances of successful infiltration.

In this case, TAs are concealing a shellcode runner within the legitimate OpenVPN software application. The analyzed Shellcode displays a high level of sophistication and presents a significant danger to unsuspecting users, largely due to the fact that the associated files possess valid digital signatures. This attribute significantly reduces the likelihood of detection at the time of writing this blog.

Moreover, the manual nature of the malware’s operation suggests that the TAs are carefully selecting their targets for more precise and specific operations. This underscores the importance of user vigilance in light of the potential for further such attacks. Users should remain alert to the possibility of similar threats in the future.

Our Recommendations 

  • The initial infiltration is taking place via phishing websites. It is crucial to only download and install software applications from well-known and trusted sources.
  • Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Initial Access (TA0001)Drive-by Compromise  (T1189)TAs hosting malware on websites
Execution  (TA0002)User Execution (T1203)User opens the malicious software installer
Privilege Escalation (TA0004)Hijack Execution Flow: Executable Installer File Permissions Weakness (T1574.005)TAs embedded malicious executable with legitimate software installer
Defense Evasion (TA0005)Debugger Evasion (T1622)TAs implemented source code hashing to check breakpoints
Command and Control (TA0011)Encrypted Channel: Symmetric Cryptography (T1573.001)TAs using AES 128-bit encryption to send the data to C&C
Command and Control (TA0011)Application Layer Protocol : Web Protocols (T1437.001)Communicated with C&C server using HTTP
Exfiltration (TA0010)Exfiltration Over C2 Channel (T1041)Exfiltration Over C&C Channel

Indicators of Compromise (IOCs) 

Indicators Indicator Type Details 
open-vpn[.]topURLDownload page
Malicious installer
fb08395645ba9da02224101ad25e06d3 b620fdd9ae29303d3e6eab359deeec6f09ffb888 d329431aa23dba73214d1c104d01d57653fc59989a915337d1f92e6c7b56ac13MD5
d0b94b242e23327e81b5a0b50b4a5171 79d35375f8bfb168c07c7c7fe235dee4e086e6cd ff1221e79f2b3c563ccb8345cf833001a276932b3ec7d10c9f0bc9c362af1a8fMD5
1e76771744ba85ae91d35756dd3d5ebd 54228718bddb9c282abbdbf726c99a3da83c5d0d 9c426d8f9cf933ec604757617660b80e6dce884ac13ac29c28f50262f9695795MD5
8bbe41fd86dab09e06ce461b2ab13caa 0c694e57d3ac3ad608b69d50084e0e82952cd1d7 330863846998cf8f5c61f21a73a83fb54669074dcdcb4411e8d5cb0a7894efe4MD5


rule Higasia_APT



        author = “Cyble”

        description = “Detects Higasia Loader”

        date = “2023-10-26”

        os = “Windows”

        scan_type = “file”

        severity = 90

        reference_sample = “d329431aa23dba73214d1c104d01d57653fc59989a915337d1f92e6c7b56ac13”


        $a = “MECHREVO”

        $b = “\\shellcode_runner.pdb”

        $c = “shellcode_runner\\”


        uint16(0) == 0x5a4d and all of them



Scroll to Top