OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, the United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1] OceanSalt has been executed via malicious macros.[1] |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | OceanSalt can encode data with a NOT operation before sending the data to the control server.[1] |
| Enterprise | T1083 | File and Directory Discovery | OceanSalt can extract drive information from the endpoint and search files on the system.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1057 | Process Discovery | OceanSalt can collect the name and ID for every process running on the system.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1] |