
Threat Group Cards: A Threat Actor Encyclopedia

Tool: ETUMBOT

Names: ETUMBOT, RIPTIDE, HIGHTIDE, Exploz, Specfix
Category: Malware
Type: Backdoor
Description: (FireEye) FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server. RIPTIDE's first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication.

In June 2014, Arbor Networks published an article describing the RIPTIDE backdoor and its C2 infrastructure in great depth. The blog highlighted that the backdoor was utilized in campaigns from March 2011 till May 2014.

Following the release of the article, FireEye observed a distinct change in RIPTIDE’s protocols and strings. We suspect this change was a direct result of the Arbor blog post in order to decrease detection of RIPTIDE by security vendors. The changes to RIPTIDE were significant enough to circumvent existing RIPTIDE detection rules. FireEye dubbed this new malware family HIGHTIDE.
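The FireEye description above names a two-stage pattern: a plaintext first exchange hands the implant an RC4 key, and that key then protects every later message. The model below is example code added to this card to illustrate that pattern; it is not ETUMBOT/RIPTIDE code, and the request path, the "key=" response field, the hex encoding, the beacon contents and the hostname are all assumptions made for the demo. The point it makes for a defender follows directly from the description: if the key fetch itself is unencrypted, anyone holding a capture of the whole session can recover the key from the first response and decrypt the rest of the traffic without access to either endpoint.

```python
"""Illustrative model of the two-stage C2 pattern described above: plaintext
key fetch, then RC4 for everything else.  Example code added to this card,
NOT RIPTIDE/ETUMBOT code.  Message layout, the 'key=' field, the hex encoding
and the beacon contents are assumptions made for the demonstration.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA).  Encrypting and decrypting are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Each wire entry is (request_bytes, response_bytes) as a passive sensor would see them.
Wire = list[tuple[bytes, bytes]]


@dataclass
class C2Server:
    """Hypothetical server side: hands out a fresh session key, then speaks RC4."""
    session_key: bytes = field(default_factory=lambda: os.urandom(16))
    received: list[bytes] = field(default_factory=list)    # decrypted beacons

    def handle(self, request: bytes) -> bytes:
        if request == b"GET /key":                         # assumed key-fetch request
            return b"key=" + self.session_key.hex().encode()
        self.received.append(rc4(self.session_key, request))
        return rc4(self.session_key, b"ack")


@dataclass
class Implant:
    """Hypothetical implant side: fetch key first, encrypt everything after."""
    c2_host: str = "c2.example.invalid"                    # stands in for the hard-coded C2
    key: bytes | None = None

    def fetch_key(self, server: C2Server, wire: Wire) -> None:
        req = b"GET /key"
        resp = server.handle(req)
        wire.append((req, resp))                           # key crosses the wire in clear
        self.key = bytes.fromhex(resp.split(b"=", 1)[1].decode())

    def beacon(self, server: C2Server, wire: Wire, msg: bytes) -> bytes:
        if self.key is None:
            raise RuntimeError("key must be fetched before beaconing")
        req = rc4(self.key, msg)
        resp = server.handle(req)
        wire.append((req, resp))
        return rc4(self.key, resp)


def run_session(messages: list[bytes]) -> tuple[C2Server, Wire]:
    """Drive one full implant/server session and return the server and the capture."""
    server, implant, wire = C2Server(), Implant(), []
    implant.fetch_key(server, wire)
    for m in messages:
        implant.beacon(server, wire, m)
    return server, wire


def passive_decrypt(wire: Wire) -> list[bytes]:
    """Defender's view: recover the key from exchange 0 and decrypt every later request
    from the capture alone, touching neither host."""
    key = bytes.fromhex(wire[0][1].split(b"=", 1)[1].decode())
    return [rc4(key, req) for req, _ in wire[1:]]


if __name__ == "__main__":
    srv, cap = run_session([b"hostname=WS01", b"cmd=dir"])   # constructed sample beacons
    print("server saw: ", srv.received)
    print("sensor sees:", passive_decrypt(cap))
```

In this model the keystream also restarts from byte zero for every message under the same key, so two captured ciphertexts XOR to the XOR of their plaintexts; that is a property of the demo's simplification, and the card says nothing about how RIPTIDE itself framed its messages.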
Information:
<https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html>
<https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf>
<https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise>
MITRE ATT&CK: <https://attack.mitre.org/software/S0003/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:etumbot>

Last change to this tool card: 13 May 2020


All groups using tool ETUMBOT

APT groups

Changed  Name                     Country  Observed
X        APT 12, Numbered Panda   China    2009-Nov 2016

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents

Telephone: +66 (0)2-123-1234
E-mail: report@thaicert.or.th
PGP: key available