Threat Report

Oceansalt Attacks Infrastructure, Finance, Universities and Telecommunications

What Is It?

Researchers at McAfee have released a report detailing the analysis of APT (Advanced Persistent Threat) activity they have named Operation Oceansalt, which has so far consisted of five campaigns. The first three were directed at South Korean universities and public infrastructure, the fourth at several Canadian and U.S. industries including finance, telecommunications and healthcare. The final campaign targeted the U.S. and South Korea. In each case, the attack vector was spear phishing emails containing Excel spreadsheets in Korean, with malicious macros that resulted in the installation of Oceansalt malware.

Once installed, Oceansalt attempts to connect to its command and control (C2) server. It is capable of sending information regarding the drives, files and processes on the infected system, execute commands, delete and create files, terminate processes and create command shells.

Researchers have named these campaigns Operation Oceansalt due to the fact they found significant similarities to a piece of malware named Seasalt dating all the way back to 2010. Oceansalt has a only a few differences compared to Seasalt, Oceansalt encodes the data it sends, it uses a hardcoded C2 server address and does not survive reboots of the infected system.

Seasalt has been attributed to a Chinese APT (Advanced Persistent Threat) group known as Comment Crew and APT1, originally exposed in a Mandiant report. The report, released in 2013, examined attacks on U.S. corporations that resulted in the theft of hundreds of terabytes of data.

While it is highly unlikely that APT1 has suddenly resurfaced, it is believed that the source code for Seasalt was never released or sold on the dark web. There is speculation as to the reasons why Oceansalt is so similar to Seasalt. One reason is an attempt to falsely attribute the attacks to Chinese interests, which is quite plausible given the ease with which origins of malware can be spoofed.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector is spear phishing emails containing Excel files with malicious macros.

When/How Did BluVector Detect It?

Fourteen samples relating to Oceansalt are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 32 months prior to their release.

Interested in learning about BluVector?Contact Us >