OceanSalt Threat Report: What is the OceanSalt Malware and How Does it Work?

The Trojan, OceanSalt, has been linked to an APT1 campaign. It affects the operating systems Windows and can delete files, encode data, and collect information about the victim's system. It has been delivered via spearphishing emails with Microsoft Office attachments, and can create a reverse shell on the infected endpoint.

OceanSalt Malware Capabilities:

OceanSalt may collect various information about a system, including system and hardware details, network configuration, and running processes. This information may be used to determine which actions to take next. Additionally, OceanSalt may send spearphishing emails with malicious attachments in an attempt to gain access to victim systems.

• OceanSalt may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect.
• OceanSalt may send spearphishing emails with a malicious attachment to gain access to victim systems. The email may pose as a trusted source and contain a file that, once executed, allows the adversary to gain access to the system.
• OceanSalt may abuse the Windows command shell for execution in order to gain detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Additionally, OceanSalt may enumerate files and directories, or search in specific locations for certain information. This information may be used to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Ways to Mitigate OceanSalt Malware Attacks Capabilities

• The OceanSalt malware attack can be mitigated by analyzing network data for uncommon data flows, and by monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network.
• The OceanSalt malware enables attackers to perform system and network discovery, as well as lateral movement, in order to obtain sensitive information. These activities can be mitigated by using intrusion detection systems and email gateways to detect malicious attachments in transit.
• The OceanSalt malware can be used to attack systems by enabling scripts that are normally restricted for normal users. These scripts can then be used to exfiltrate data from the system. To mitigate these attacks, system and network discovery techniques should be used to detect and prevent the execution of these scripts.