RIPTIDE

Riptide is a form of malware, or malicious software, that was utilized by the cyber espionage group known as APT12 from October 2012 to May 2014. This proxy-aware backdoor communicates via HTTP with a hard-coded command and control (C2) server. The initial communication with the C2 server fetches an encryption key, which is then used to encrypt all subsequent communications. Riptide's attack vectors included phishing emails from valid but compromised accounts. It would drop its executable file into the C:\Documents and Settings\{user}\Application Data\Location folder on the targeted system. In response to increased detection of the Riptide malware, APT12 introduced a modified version known as Hightide. This malware variant also communicated with a C2 server over HTTP, but it differed in several ways including the location where it dropped its executable file, the image base address, the User-Agent within the GET requests, and the format of the URI. Hightide dropped its executable file into the C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\ folder. Both Riptide and Hightide were delivered to target systems through Microsoft Word (.doc) documents that exploited CVE-2012-0158. Later, APT12 developed another malware toolset called Waterspout, which like its predecessors, is an HTTP-based backdoor that communicates with a C2 server. It shares several traits with both the Riptide and Hightide campaigns, indicating a consistent evolution in APT12's cyber-attack strategies. FireEye, a cybersecurity firm, believes that the shift from Riptide to Hightide and subsequently to Waterspout represents a strategic move to decrease malware detection while continuing to develop new tools for cyber espionage.