1. Home
  2. Software
  3. Seasalt

Seasalt

Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[1][2]

ID: S0345
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 January 2019
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .004 伪装: Masquerade Task or Service

Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[1]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

Seasalt is capable of installing itself as a service.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Seasalt creates a Registry entry to ensure infection after reboot under HKLM\Software\Microsoft\Windows\currentVersion\Run.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Seasalt uses HTTP for C2 communications.[1]
Enterprise T1083 文件和目录发现

Seasalt has the capability to identify the drive type on a victim.[2]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

Seasalt obfuscates configuration data.[1]
Enterprise T1070 .004 移除指标: File Deletion

Seasalt has a command to delete a specified file.[1]
Enterprise T1105 输入工具传输

Seasalt has a command to download additional files.[1][1]
Enterprise T1057 进程发现

Seasalt has a command to perform a process listing.[1]

Groups That Use This Software

ID Name References
G0006 APT1

[1][2]

References

  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  1. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.