By CagedTech in Backdoors

TidePool is the name of a family of malware tools exhibiting traits commonly found in Remote Access Tools (RATs). RATs allow a wide range of threatening activities to be performed on the targeted machine, including reading and writing files and executing commands on the victim's system.

TidePool is usually delivered inside an infected MHTML file, a richer format that allows a whole Web page to be stored in a single file. TidePool exploits the so-called MS Office Malformed EPS file vulnerability. The malware drops a DLL file at C:\Documents and Settings\All Users\IEHelper\mshtml.dll and then establishes persistence. The next step is to send information about the victim's system to the bad actors' Command and Control server. Once this connection has been established, TidePool behaves like a regular Remote Access Tool, executing whatever commands the bad actor on the other end feeds it.

Researchers also discovered that TidePool makes certain Registry changes which it shares with the BS2005 malware family, another threatening tool used by the Chinese Ke3chang group, the same actors behind the attacks using TidePool. This overlap indicates that TidePool is likely an evolved version of the BS2005 malware. One important Registry change sets the value of "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEHarden" to zero. This disables Internet Explorer's enhanced security configuration, allowing a large number of potentially harmful components and code to execute through the browser. These findings were made by researchers at Unit 42 of Palo Alto Networks.
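As an added example (not code from the original article or from Unit 42), the following PowerShell check looks on a host for the two artifacts described above: the IEHarden value under the ZoneMap key and the dropped DLL at the IEHelper path. The HKLM and HKCU hive prefixes and the use of SHA256 for reporting are assumptions made here; the article names neither.

```powershell
# Added defender-side triage check (not part of the original article).
# Looks for the host artifacts the article attributes to TidePool.
$findings = @()

# 1. IEHarden under the ZoneMap key. The article states TidePool sets it to 0,
#    which turns off IE's enhanced security configuration. Checking both hives
#    is an assumption; the article does not say which hive is modified.
$zoneMapPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)
foreach ($path in $zoneMapPaths) {
    $props = Get-ItemProperty -Path $path -Name IEHarden -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.IEHarden -eq 0) {
        $findings += [pscustomobject]@{ Indicator = 'IEHarden = 0'; Location = $path }
    }
}

# 2. The dropped DLL at the path named in the article. Note that the legitimate
#    mshtml.dll lives under the Windows system directory; only the IEHelper copy
#    is suspicious. The SHA256 is computed so an analyst can compare it against
#    intelligence sources; no hash is asserted here.
$dll = 'C:\Documents and Settings\All Users\IEHelper\mshtml.dll'
if (Test-Path -LiteralPath $dll) {
    $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'IEHelper\mshtml.dll present'
        Location  = "$dll (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    'No TidePool host artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run from an elevated PowerShell session so the HKLM key and the All Users path are readable; a hit on either indicator warrants collecting the DLL and the key's last-write time for further analysis.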

Despite the decline in Internet Explorer usage over the past few years, staying safe from threats like TidePool usually requires an extra layer of protection, such as a dedicated anti-malware suite that is kept up to date and always active.
