OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, the United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

ID: S0346
Platforms: Windows
Version: 1.1
Created: 30 January 2019
Last Modified: 30 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1] OceanSalt has been executed via malicious macros.[1] |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | OceanSalt can encode data with a NOT operation before sending the data to the control server.[1] |
| Enterprise | T1083 | File and Directory Discovery | OceanSalt can extract drive information from the endpoint and search files on the system.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | OceanSalt can delete files from the system.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1] |
| Enterprise | T1057 | Process Discovery | OceanSalt can collect the name and ID for every process running on the system.[1] |
| Enterprise | T1082 | System Information Discovery | OceanSalt can collect the computer name from the system.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | OceanSalt can collect the victim’s IP address.[1] |
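
An added example for the T1132.002 entry above (not code from the cited report or from OceanSalt): a triage helper that flags captured payloads which only become readable text after a bytewise NOT, then decodes them. The sample payloads and the 0.9 threshold are constructed assumptions; the page does not describe the wire format.

```python
"""Triage captured payloads for bytewise-NOT encoding (added example)."""


def not_decode(data: bytes) -> bytes:
    # Bitwise NOT on a byte equals XOR with 0xFF and is its own inverse,
    # so the same function both encodes and decodes.
    return bytes(b ^ 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    # Share of bytes that are printable ASCII or tab/LF/CR.
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def classify(payload: bytes, threshold: float = 0.9) -> str:
    """Return 'plaintext', 'not-encoded' or 'unknown' for one payload."""
    if printable_ratio(payload) >= threshold:
        return "plaintext"
    # ASCII text under NOT has every byte >= 0x80, so the raw buffer scores
    # near zero and the inverted buffer scores near one.
    if printable_ratio(not_decode(payload)) >= threshold:
        return "not-encoded"
    return "unknown"


# Constructed sample payloads (not real OceanSalt traffic).
SAMPLES = {
    "inverted": not_decode(b"WS-0142\t10.0.0.5\r\n"),
    "plain": b"GET /index.html HTTP/1.1\r\n",
    "binary": bytes(range(0, 256, 7)),
}


def triage(samples: dict) -> dict:
    # Map each sample name to (verdict, decoded bytes or None).
    report = {}
    for name, payload in samples.items():
        verdict = classify(payload)
        decoded = not_decode(payload) if verdict == "not-encoded" else None
        report[name] = (verdict, decoded)
    return report


if __name__ == "__main__":
    for name, (verdict, decoded) in triage(SAMPLES).items():
        print(f"{name:9s} {verdict:12s} {decoded!r}")
```
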