
TidePool

Posted: July 26, 2019

TidePool is a family of Remote Access Trojans (RATs) that can give attackers access to your system for collecting data or other purposes. This threat is a tool specific to APT15, a group believed to operate from China that targets diplomatic entities throughout Asia and Europe. Users should monitor their e-mail messages for phishing attacks and use robust anti-malware solutions to delete TidePool immediately in all cases.

Watching the Rising Tide of Backdoor Attacks

APT15, AKA Playful Dragon or Vixen Panda, is a case study in how a well-stocked threat actor can avoid detection despite years of activity. Among the various utilities in use by this likely-Chinese group are multiple backdoor Trojans and RATs. TidePool, which is shaping up as the replacement for BS2005, is especially relevant.

TidePool is a Remote Access Trojan that gives hackers abilities including downloading and uploading files, along with issuing system commands. It remains persistent through reboots and is an equally potent tool for helping criminals traverse a network or isolate and exfiltrate information. While these characteristics are somewhat generic, a closer look at TidePool's code shows similarities with the BS2005 RAT, which makes its connection to APT15 unmistakable.

TidePool and BS2005 both contact a C&C server as part of their initial setup and transfer over environmental information, such as the system's service pack number. Beyond that, they share highly similar techniques for obfuscating this server communication, as well as for Base64 string handling. More tellingly still, TidePool also recycles BS2005's Registry-based exploit for disabling Internet Explorer's Enhanced Security, which would otherwise block VM, scripts, and downloads.

The implementation of this last trait is semi-unique to Trojans that APT15 deploys, which leaves few to no doubts as to TidePool's origin.

Turning TidePool's Family into a Receding Wave

APT15's deployment of RATs and backdoor Trojans emphasizes software that's unique to them. Besides the TidePool family and its ancestor, the group uses threats like RoyalDNS, Okrum, and Ketrican, all of which are backdoor-capable to various degrees. On the other hand, the deployment strategies depend on predictable techniques that are traditional among state-sponsored espionage campaigns.

Workers placed in diplomatic entities and other targets of interest to APT15 can expect potential infection vectors to arrive over e-mail. These messages usually carry contents crafted for the recipient, including not just topical messages and attachments, but spoofed sender addresses. Since these hackers use sometimes-creative methods of evading detection, as their history demonstrates, users should keep any anti-malware services updated to maximize their threat-detecting potential.

The use of updated anti-malware products remains the preferable way of uninstalling TidePool in emergencies, although TidePool is unlikely to be the only threat present on any compromised PC.

Between their attacks in Slovakia, India, and elsewhere, APT15 has shown that it has plenty of experience in developing, maintaining, and deploying Trojans with backdoor features for spying. Whether the group's next campaign uses TidePool or something else entirely is a question that any unlucky embassy may end up answering.
