Hightide

Malware Profile Updated 3 months ago
Hightide is a malware family discovered by FireEye and first observed on August 24, 2014, when it was delivered in a spear-phishing email sent to a Taiwanese government ministry. The Hightide backdoor was dropped by an exploit document with the MD5 hash 6e59861931fa2796ee107dc27bfdd480 and a size of 75264 bytes. The backdoor connected directly to the IP address 141.108.2.157 and was written to the same file path used by the Threebyte backdoor (C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\word.exe). Hightide is associated with APT12, a cyber-espionage group known for its sophisticated attacks. The Hightide campaign shared several traits with the Riptide and Waterspout campaigns, both attributed to APT12; like Riptide and Hightide, the Waterspout backdoor was HTTP-based and communicated with its C2 server over that protocol. The move from Riptide to Hightide represented a temporary shift intended to reduce detection while APT12 developed a new toolset: FireEye reported that after the Arbor blog post was published, APT12 modified the Riptide backdoor into what is now known as Hightide. FireEye's research showed that between August 22 and 28, APT12 targeted multiple Taiwanese government organizations with Hightide. The company also observed Hightide at several Taiwan-based organizations and the suspected APT12 Waterspout backdoor at a Japan-based electronics company. While these observations do not definitively tie Waterspout to APT12, they suggest a connection between the Waterspout, Threebyte, and Hightide campaigns.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
RIPTIDE | 1 | Riptide is a form of malware, or malicious software, that was utilized by the cyber espionage group known as APT12 from October 2012 to May 2014. This proxy-aware backdoor communicates via HTTP with a hard-coded command and control (C2) server. The initial communication with the C2 server fetches an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Exploit
Phishing
Spearphishing
Beacon
FireEye
Associated Malware
ID | Type | Votes | Profile Description
Waterspout | Unspecified | 1 | Waterspout is a newly discovered malware, sharing traits with other malicious software such as RIPTIDE, HIGHTIDE, and THREEBYTE. It is an HTTP-based backdoor that communicates with its command and control (C2) server, infecting systems through phishing emails sent from valid but compromised accounts
Associated Threat Actors
ID | Type | Votes | Profile Description
APT12 | Unspecified | 1 | APT12, also known as Calc Team, is a cyber espionage group believed to be connected to the Chinese People's Liberation Army. The group primarily targets journalists, government entities, and the defense industrial base. Their preferred method of attack is phishing emails sent from legitimate but com
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2012-0158 | Unspecified | 1 | CVE-2012-0158 is a significant vulnerability in the software design and implementation of Microsoft Office, specifically related to the parsing of Rich Text Format (.rtf) files. This flaw was first exploited in spear-phishing attacks where emails contained three different attachments, each exploitin
Source Document References
Information about the Hightide malware was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | Darwin's Favorite APT Group | Mandiant