1. Home
  2. Software
  3. Seasalt

Seasalt

Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[1][2]

ID: S0345
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 January 2019
Last Modified: 11 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Seasalt uses HTTP for C2 communications.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Seasalt creates a Registry entry to ensure infection after reboot under HKLM\Software\Microsoft\Windows\currentVersion\Run.[2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[1]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Seasalt is capable of installing itself as a service.[1]
Enterprise T1083 File and Directory Discovery

Seasalt has the capability to identify the drive type on a victim.[2]
Enterprise T1070 .004 Indicator Removal: File Deletion

Seasalt has a command to delete a specified file.[1]
Enterprise T1105 Ingress Tool Transfer

Seasalt has a command to download additional files.[1][1]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[1]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Seasalt obfuscates configuration data.[1]
Enterprise T1057 Process Discovery

Seasalt has a command to perform a process listing.[1]

Groups That Use This Software

ID Name References
G0006 APT1

[1][2]

References

  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  1. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.