OceanSalt

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, the United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

ID: S0346
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1] |
| Enterprise | T1043 | Commonly Used Port | OceanSalt uses port 8080 for C2.[1] |
| Enterprise | T1132 | Data Encoding | OceanSalt can encode data with a NOT operation before sending the data to the control server.[1] |
| Enterprise | T1083 | File and Directory Discovery | OceanSalt can extract drive information from the endpoint and search files on the system.[1] |
| Enterprise | T1107 | File Deletion | OceanSalt can delete files from the system.[1] |
| Enterprise | T1057 | Process Discovery | OceanSalt can collect the name and ID for every process running on the system.[1] |
| Enterprise | T1064 | Scripting | OceanSalt has been executed via malicious macros.[1] |
| Enterprise | T1193 | Spearphishing Attachment | OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1] |
| Enterprise | T1082 | System Information Discovery | OceanSalt can collect the computer name from the system.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | OceanSalt can collect the victim’s IP address.[1] |
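The Data Encoding (T1132) and Commonly Used Port (T1043) entries above suggest a simple network triage check: payloads on port 8080 that are unreadable as captured but become printable text once every byte is inverted. The following is an added example, not code from the cited report. The flow records, thresholds and the sample payload layout are constructed assumptions and do not represent OceanSalt's actual wire format.

```python
import string

C2_PORT = 8080  # C2 port reported on this page
PRINTABLE = set(string.printable.encode())

def not_decode(data: bytes) -> bytes:
    """Invert every bit of every byte; NOT is its own inverse."""
    return bytes(b ^ 0xFF for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)

def looks_not_encoded(payload: bytes, min_len: int = 16, threshold: float = 0.9) -> bool:
    """True when the raw bytes are not text but their bitwise NOT is.
    min_len and threshold are assumed tuning values, not from the report."""
    if len(payload) < min_len:
        return False
    return (printable_ratio(payload) < 0.2
            and printable_ratio(not_decode(payload)) >= threshold)

def triage(flows):
    """Return (src, dst, decoded_text) for flows on C2_PORT carrying NOT-encoded text."""
    hits = []
    for f in flows:
        if f["dport"] == C2_PORT and looks_not_encoded(f["payload"]):
            text = not_decode(f["payload"]).decode("ascii", "replace")
            hits.append((f["src"], f["dst"], text))
    return hits

# Constructed sample flows (not real traffic); addresses are documentation ranges.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 8080,   # inverted text
     "payload": not_decode(b"HOST=WS-FINANCE-07;PID=4120;NAME=winword.exe\r\n")},
    {"src": "10.0.0.8", "dst": "198.51.100.7", "dport": 8080,   # ordinary HTTP
     "payload": b"GET /status HTTP/1.1\r\nHost: proxy.example\r\n\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443,    # other port
     "payload": not_decode(b"same encoding but on a different port")},
    {"src": "10.0.0.6", "dst": "198.51.100.9", "dport": 8080,   # mixed binary
     "payload": bytes(range(0, 256, 5))},
]

if __name__ == "__main__":
    for src, dst, text in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{C2_PORT} NOT-decoded: {text!r}")
```

Printable ASCII inverts to bytes in the 0x81 to 0xF6 range, so the raw-versus-inverted printability gap separates inverted text from both plain HTTP and compressed or binary data on the same port.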

References