Higaisa Hacker Targets Chinese Users with Deceptive OpenVPN Clone

Cybersecurity researchers at Cyble have issued warnings about a fresh wave of attacks targeting Chinese internet users, orchestrated by the hacker collective known as Higaisa. Evidently, these malefactors have constructed a phishing site that bears a striking resemblance to the legitimate VPN service, OpenVPN. Within this deceptive site, they’ve embedded a malicious installer cloaked as authentic software.

Fake OpenVPN website | Image Credit: Cyble

During their investigation, Cyble's experts uncovered several additional malicious files disguised as installers for well-known applications such as Zoom and Google Meet. The malicious installers used in these attacks are written in the Rust programming language and act as backdoors. Once executed, the backdoor performs a sequence of operations to decrypt and execute shellcode, which then establishes an encrypted connection to the attackers' remote command-and-control server. This gives the attackers full control over the infected device.

Notably, the tactics employed by the hackers bear significant parallels to previous stratagems of the Higaisa faction, suggesting with a high degree of certainty that this group is behind the new wave of assaults.

Higaisa is a hacking consortium, presumably based in South Korea, with activities known to researchers since 2016. Their repertoire includes the deployment of trojans like Gh0st and PlugX, as well as malevolent mobile device applications. Higaisa predominantly targets governmental institutions, human rights organizations, and other associations linked with North Korea. Yet, their ambitions aren’t confined solely to the DPRK, as evidenced by their assaults on Chinese users.

To safeguard against such intrusions, experts advise extreme caution when downloading software online: obtain it only from reputable sources and make sure the connection to the download site is secure. It is also essential to use antivirus software, keep software consistently updated, and maintain backups of your data.

Furthermore, it’s imperative to utilize robust passwords and two-factor authentication for all accounts, ensuring data security even if a device is compromised.