The notorious Chinese state-sponsored hacking group APT12, which was said last year to have infiltrated the New York Times among other targets, has retooled for a new attack campaign against Japanese and Taiwanese organizations, according to FireEye.
The security firm claimed that the group “has been forced to evolve and adapt” in order to avoid detection and continue its espionage operations.
Between October 2012 and May 2014, APT12 used Riptide, a “proxy-aware backdoor,” to send communications between a victim machine and a C&C server.
However, after Arbor Networks published an article detailing the backdoor, FireEye said it noticed a significant change in the malware’s “protocol and strings,” made in order to circumvent detection.
The resulting new malware family, dubbed “Hightide” by FireEye, was seen in a spear-phishing email sent on August 24 to a Taiwanese government ministry.
“Similar to Riptide campaigns, APT12 infects target systems with Hightide using a Microsoft Word (.doc) document that exploits CVE-2012-0158,” the vendor said in a blog post.
“FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases. Based on past APT12 activity, we expect the threat group to continue to utilize phishing as a malware delivery method.”
The security vendor also observed two other malware samples – Waterspout and Threebyte – which it believes could be linked to APT12, as both arrive disguised as a malicious Microsoft Word document, write to the same file path and exploit the same vulnerability – CVE-2012-0158 – as Riptide and Hightide.
“FireEye believes the change from Riptide to Hightide represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset. These development efforts may have resulted in the emergence of the Waterspout backdoor,” it added.
“Though public disclosures resulted in APT12 adaptations, FireEye observed only a brief pause in APT12 activity before the threat actors returned to normal activity levels.”
APT12 went quiet after it was outed by FireEye subsidiary Mandiant in January 2013 for the New York Times attacks, but was spotted again in August of the same year mounting fresh assaults with “new and improved” malware versions.