Skip to content

S0346 OceanSalt

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.1

Item Value
ID S0346
Associated Names
Version 1.1
Created 30 January 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.1 OceanSalt has been executed via malicious macros.1
enterprise T1132 Data Encoding -
enterprise T1132.002 Non-Standard Encoding OceanSalt can encode data with a NOT operation before sending the data to the control server.1
enterprise T1083 File and Directory Discovery OceanSalt can extract drive information from the endpoint and search files on the system.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion OceanSalt can delete files from the system.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.1
enterprise T1057 Process Discovery OceanSalt can collect the name and ID for every process running on the system.1
enterprise T1082 System Information Discovery OceanSalt can collect the computer name from the system.1
enterprise T1016 System Network Configuration Discovery OceanSalt can collect the victim’s IP address.1