Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[1][2]

ID: S0345
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1059Command-Line InterfaceSeasalt uses cmd.exe to create a reverse shell on the infected endpoint.[1]
EnterpriseT1094Custom Command and Control ProtocolSeasalt uses a custom binary protocol for C2.[1]
EnterpriseT1083File and Directory DiscoverySeasalt has the capability to identify the drive type on a victim.[2]
EnterpriseT1107File DeletionSeasalt has a command to delete a specified file.[1]
EnterpriseT1036MasqueradingSeasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[1]
EnterpriseT1050New ServiceSeasalt is capable of installing itself as a service.[1]
EnterpriseT1027Obfuscated Files or InformationSeasalt obfuscates configuration data.[1]
EnterpriseT1057Process DiscoverySeasalt has a command to perform a process listing.[1]
EnterpriseT1060Registry Run Keys / Startup FolderSeasalt creates a Registry entry to ensure infection after reboot under HKLM\Software\Microsoft\Windows\currentVersion\Run.[2]
EnterpriseT1105Remote File CopySeasalt has a command to download additional files.[1][1]
EnterpriseT1071Standard Application Layer ProtocolSeasalt uses HTTP for C2 communications.[1]


Groups that use this software: