Register to stream ATT&CKcon 2.0 October 29-30


OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

ID: S0346
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface OceanSalt can create a reverse shell on the infected endpoint using cmd.exe. [1]
Enterprise T1043 Commonly Used Port OceanSalt uses Port Number 8080 for C2. [1]
Enterprise T1132 Data Encoding OceanSalt can encode data with a NOT operation before sending the data to the control server. [1]
Enterprise T1083 File and Directory Discovery OceanSalt can extract drive information from the endpoint and search files on the system. [1]
Enterprise T1107 File Deletion OceanSalt can delete files from the system. [1]
Enterprise T1057 Process Discovery OceanSalt can collect the name and ID for every process running on the system. [1]
Enterprise T1064 Scripting OceanSalt has been executed via malicious macros. [1]
Enterprise T1193 Spearphishing Attachment OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments. [1]
Enterprise T1082 System Information Discovery OceanSalt can collect the computer name from the system. [1]
Enterprise T1016 System Network Configuration Discovery OceanSalt can collect the victim’s IP address. [1]