OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1] OceanSalt has been executed via malicious macros.[1] |
Enterprise | T1132 | .002 | Data Encoding: Non-Standard Encoding |
OceanSalt can encode data with a NOT operation before sending the data to the control server.[1] |
Enterprise | T1083 | File and Directory Discovery |
OceanSalt can extract drive information from the endpoint and search files on the system.[1] |
|
Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1] |
Enterprise | T1057 | Process Discovery |
OceanSalt can collect the name and ID for every process running on the system.[1] |
|
Enterprise | T1082 | System Information Discovery | ||
Enterprise | T1016 | System Network Configuration Discovery |