Hightide

Malware Profile Updated 24 days ago
Hightide is a malware family discovered by FireEye, first observed on August 24, 2014, when it was used in a spear-phishing email sent to a Taiwanese government ministry. The Hightide backdoor was dropped by an exploit document with the MD5 hash 6e59861931fa2796ee107dc27bfdd480 and a size of 75264 bytes. It connected directly to the IP address 141.108.2.157 and was written to the same file path as the Threebyte backdoor (C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe).

Hightide is associated with APT12, a cyber-espionage group known for its sophisticated attacks. The Hightide campaign shared several traits with the Riptide and Waterspout campaigns, both attributed to APT12; notably, like Riptide and Hightide, the Waterspout backdoor was also HTTP-based and communicated with its C2 server. The transition from Riptide to Hightide represented a temporary shift intended to reduce malware detection while APT12 developed a new toolset. FireEye reported that after the release of the Arbor blog post, APT12 modified the Riptide backdoor into what is now known as Hightide.

FireEye's research revealed that between August 22 and 28, APT12 targeted multiple Taiwanese government organizations using Hightide. The company also observed Hightide at various Taiwan-based organizations and the suspected APT12 Waterspout backdoor at a Japan-based electronics company. Although these observations do not definitively tie Waterspout to APT12, they indicate a possible connection between the Waterspout, Threebyte, and Hightide campaigns.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Hightide malware was read from the document corpus below.
Source: MITRE. Created: a year ago. Title: Darwin’s Favorite APT Group | Mandiant