RIPTIDE

Malware Profile Updated 3 months ago
Riptide is a form of malware, or malicious software, that was utilized by the cyber espionage group known as APT12 from October 2012 to May 2014. This proxy-aware backdoor communicates via HTTP with a hard-coded command and control (C2) server. The initial communication with the C2 server fetches an encryption key, which is then used to encrypt all subsequent communications. Riptide's attack vectors included phishing emails from valid but compromised accounts. It would drop its executable file into the C:\Documents and Settings\{user}\Application Data\Location folder on the targeted system.

In response to increased detection of the Riptide malware, APT12 introduced a modified version known as Hightide. This malware variant also communicated with a C2 server over HTTP, but it differed in several ways, including the location where it dropped its executable file, the image base address, the User-Agent within the GET requests, and the format of the URI. Hightide dropped its executable file into the C:\DOCUMENTS and SETTINGS\{user}\LOCAL SETTINGS\Temp\ folder. Both Riptide and Hightide were delivered to target systems through Microsoft Word (.doc) documents that exploited CVE-2012-0158.

Later, APT12 developed another malware toolset called Waterspout, which, like its predecessors, is an HTTP-based backdoor that communicates with a C2 server. It shares several traits with both the Riptide and Hightide campaigns, indicating a consistent evolution in APT12's cyber-attack strategies. FireEye, a cybersecurity firm, believes that the shift from Riptide to Hightide and subsequently to Waterspout represents a strategic move to decrease malware detection while continuing to develop new tools for cyber espionage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Hightide | 1 | Hightide is a malware family discovered by FireEye, first observed on August 24, 2014, when it was used in a spear-phishing email sent to a Taiwanese government ministry. The Hightide backdoor was dropped via an exploit document with specific properties including MD5 hash of 6e59861931fa2796ee107dc2
Waterspout | 1 | Waterspout is a newly discovered malware, sharing traits with other malicious software such as RIPTIDE, HIGHTIDE, and THREEBYTE. It is an HTTP-based backdoor that communicates with its command and control (C2) server, infecting systems through phishing emails sent from valid but compromised accounts
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Phishing
Exploit
Proxy
Fireeye
Encryption
Encrypt
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT12 | Unspecified | 1 | APT12, also known as Calc Team, is a cyber espionage group believed to be connected to the Chinese People's Liberation Army. The group primarily targets journalists, government entities, and the defense industrial base. Their preferred method of attack is phishing emails sent from legitimate but com
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2012-0158 | Unspecified | 1 | CVE-2012-0158 is a significant vulnerability in the software design and implementation of Microsoft Office, specifically related to the parsing of Rich-text-format (.rtf) files. This flaw was first exploited in spear-phishing attacks where emails contained three different attachments, each exploitin
Source Document References
Information about the RIPTIDE Malware was read from the documents corpus below.
Source | Created At | Title
CERT-EU | 8 months ago | General Stephen Townsend Joins Phoenix Defense Board
MITRE | a year ago | Darwin’s Favorite APT Group | Mandiant
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups