Hightide is a malware family discovered by FireEye, first observed on August 24, 2014, when it was used in a spear-phishing email sent to a Taiwanese government ministry. The Hightide backdoor was dropped by an exploit document whose MD5 hash was 6e59861931fa2796ee107dc27bfdd480 and whose size was 75264 bytes. The backdoor connected directly to the IP address 141.108.2.157 and was written to the same file path as the Threebyte backdoor (C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe). This malicious software was associated with APT12, a cyber-espionage group known for its sophisticated attacks.
The Hightide campaign shared several traits with the Riptide and Waterspout campaigns, both attributed to APT12. Notably, the Waterspout backdoor, like Riptide and Hightide, was HTTP-based in its communication with its C2 server. The transition from Riptide to Hightide represented a temporary shift intended to reduce malware detection while APT12 developed a new toolset. Moreover, FireEye reported that after the release of the Arbor blog post, APT12 modified the Riptide backdoor into what is now known as Hightide.
FireEye's research revealed that between August 22 and 28, APT12 targeted multiple Taiwanese government organizations using the Hightide malware. The company also observed Hightide at various Taiwan-based organizations and the suspected APT12 Waterspout backdoor at a Japan-based electronics company. Although these observations do not definitively tie Waterspout to APT12, they indicate a possible connection between the Waterspout, Threebyte, and Hightide campaigns.
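The indicators in the description above (the exploit document's MD5 hash and size, the C2 address, and the drop path shared with Threebyte) can be turned into a simple triage check. The following is an added example, not FireEye's or any vendor's code; the endpoint file inventory and the proxy log format ("timestamp src dst dport method uri") are constructed assumptions, and only the indicator values come from the description.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators quoted from the Hightide description above.
HIGHTIDE_MD5 = "6e59861931fa2796ee107dc27bfdd480"
HIGHTIDE_SIZE = 75264
HIGHTIDE_C2 = "141.108.2.157"
# Drop path shared with Threebyte; the {user} component varies and NTFS paths
# are case-insensitive, so match a pattern rather than a literal string.
DROP_PATH_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\local settings\\temp\\word\.exe$",
    re.IGNORECASE)

@dataclass
class FileRecord:  # one row of a constructed endpoint file inventory
    host: str
    path: str
    size: int
    md5: str

def check_file(rec: FileRecord) -> Optional[str]:
    """Confidence label if the record matches the Hightide file indicators."""
    if rec.md5.lower() == HIGHTIDE_MD5:
        return "high"  # exact hash of the known exploit document
    if DROP_PATH_RE.match(rec.path):
        # Same drop location as Threebyte; size alone is a weak signal, so
        # only raise to medium when both path and size agree.
        return "medium" if rec.size == HIGHTIDE_SIZE else "low"
    return None

def check_proxy_line(line: str) -> bool:
    """True if a constructed 'ts src dst dport method uri' line hits the C2."""
    fields = line.split()
    return len(fields) >= 3 and fields[2] == HIGHTIDE_C2

def triage(files: List[FileRecord], proxy_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) alerts from both data sources."""
    alerts = [(r.host, f"Hightide file indicator ({check_file(r)}): {r.path}")
              for r in files if check_file(r)]
    alerts += [(l.split()[1], f"connection to Hightide C2 {HIGHTIDE_C2}")
               for l in proxy_lines if check_proxy_line(l)]
    return alerts

# Constructed sample data; only the indicator values come from the description.
SAMPLE_FILES = [
    FileRecord("ws1", r"C:\DOCUMENTS and SETTINGS\alice\LOCAL SETTINGS\Temp\word.exe", 75264, "0" * 32),
    FileRecord("ws2", r"C:\Temp\report.doc", 75264, HIGHTIDE_MD5),
    FileRecord("ws3", r"C:\Windows\System32\notepad.exe", 69120, "1" * 32)]
SAMPLE_PROXY = ["2014-08-24T09:15:02Z 10.1.2.3 141.108.2.157 80 GET /index.asp",
                "2014-08-24T09:15:09Z 10.1.2.4 93.184.216.34 443 CONNECT -"]
```

Running `triage(SAMPLE_FILES, SAMPLE_PROXY)` yields a medium-confidence hit for ws1 (path and size match), a high-confidence hit for ws2 (hash match) and a C2 alert for 10.1.2.3; the notepad.exe row and the unrelated proxy line produce nothing.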
Description last updated: 2024-05-05T04:03:13.340Z