OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.^[1]

ID: S0346

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 30 January 2019

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.^[1] OceanSalt has been executed via malicious macros.^[1]
Enterprise	T1132	.002	Data Encoding: Non-Standard Encoding	OceanSalt can encode data with a NOT operation before sending the data to the control server.^[1]
Enterprise	T1083		File and Directory Discovery	OceanSalt can extract drive information from the endpoint and search files on the system.^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	OceanSalt can delete files from the system.^[1]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.^[1]
Enterprise	T1057		Process Discovery	OceanSalt can collect the name and ID for every process running on the system.^[1]
Enterprise	T1082		System Information Discovery	OceanSalt can collect the computer name from the system.^[1]
Enterprise	T1016		System Network Configuration Discovery	OceanSalt can collect the victim’s IP address.^[1]

References

Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.

OceanSalt

Enterprise Layer

Techniques Used

References