Skip to content

S0345 Seasalt

Seasalt is malware that has been linked to APT1‘s 2010 operations. It shares some code similarities with OceanSalt.12

Item Value
ID S0345
Associated Names
Type MALWARE
Version 1.1
Created 30 January 2019
Last Modified 19 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Seasalt uses HTTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Seasalt creates a Registry entry to ensure infection after reboot under HKLM\Software\Microsoft\Windows\currentVersion\Run.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Seasalt is capable of installing itself as a service.1
enterprise T1083 File and Directory Discovery Seasalt has the capability to identify the drive type on a victim.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Seasalt has a command to delete a specified file.1
enterprise T1105 Ingress Tool Transfer Seasalt has a command to download additional files.11
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Seasalt has masqueraded as a service called “SaSaut” with a display name of “System Authorization Service” in an apparent attempt to masquerade as a legitimate service.1
enterprise T1027 Obfuscated Files or Information Seasalt obfuscates configuration data.1
enterprise T1057 Process Discovery Seasalt has a command to perform a process listing.1

Groups That Use This Software

ID Name References
G0006 APT1 12

References

  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  2. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.