OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

ID: S0346
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1059Command-Line InterfaceOceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1]
EnterpriseT1043Commonly Used PortOceanSalt uses Port Number 8080 for C2.[1]
EnterpriseT1132Data EncodingOceanSalt can encode data with a NOT operation before sending the data to the control server.[1]
EnterpriseT1083File and Directory DiscoveryOceanSalt can extract drive information from the endpoint and search files on the system.[1]
EnterpriseT1107File DeletionOceanSalt can delete files from the system.[1]
EnterpriseT1057Process DiscoveryOceanSalt can collect the name and ID for every process running on the system.[1]
EnterpriseT1064ScriptingOceanSalt has been executed via malicious macros.[1]
EnterpriseT1193Spearphishing AttachmentOceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1]
EnterpriseT1082System Information DiscoveryOceanSalt can collect the computer name from the system.[1]
EnterpriseT1016System Network Configuration DiscoveryOceanSalt can collect the victim’s IP address.[1]