Waterspout is a newly discovered malware, sharing traits with other malicious software such as RIPTIDE, HIGHTIDE, and THREEBYTE. It is an HTTP-based backdoor that communicates with its command and control (C2) server, infecting systems through phishing emails sent from valid but compromised accounts. While it has not been definitively linked to APT12, a known advanced persistent threat group, there are indicators suggesting a potential connection. These include similarities in attack vectors and the shared use of exploit documents delivered via phishing emails.
The Waterspout campaign was first observed on August 25, 2014, when spear phishing emails targeted a high-technology company in Japan. The malware shares several characteristics with the campaigns run by APT12, which also targeted organizations in Taiwan and Japan. Most notably, FireEye found evidence of the HIGHTIDE malware at multiple Taiwan-based organizations and the suspected APT12 Waterspout backdoor at a Japan-based electronics company. This suggests possible coordination or shared development efforts between these campaigns.
Despite these connections, the threat actors behind the Waterspout campaign have not been positively identified. While there are no current infrastructure ties directly linking this backdoor to APT12, several data points suggest a possible connection. These include the same initial delivery method (a spear phishing email carrying a Microsoft Word document that exploits CVE-2012-0158). As such, further investigation is required to conclusively determine the origins and full impact of the Waterspout malware.
Description last updated: 2024-05-04T20:29:28.072Z