OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]
| Domain | ID | | Name | Use |
|---|---|---|---|---|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1] OceanSalt has been executed via malicious macros.[1] |
| Enterprise | T1132 | .002 | Data Encoding: Non-Standard Encoding | OceanSalt can encode data with a NOT operation before sending the data to the control server.[1] |
| Enterprise | T1083 | | File and Directory Discovery | OceanSalt can extract drive information from the endpoint and search files on the system.[1] |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment | OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1] |
| Enterprise | T1057 | | Process Discovery | OceanSalt can collect the name and ID for every process running on the system.[1] |
| Enterprise | T1082 | | System Information Discovery | |
| Enterprise | T1016 | | System Network Configuration Discovery | |