SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Desert Scorpion

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Desert Scorpion

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Seasalt

Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.^[1]^[2]

ID: S0345

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 30 January 2019

Last Modified: 19 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Seasalt uses HTTP for C2 communications.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Seasalt creates a Registry entry to ensure infection after reboot under `HKLM\Software\Microsoft\Windows\currentVersion\Run`.^[2]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	Seasalt is capable of installing itself as a service.^[1]
Enterprise	T1083		File and Directory Discovery	Seasalt has the capability to identify the drive type on a victim.^[2]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	Seasalt has a command to delete a specified file.^[1]
Enterprise	T1105		Ingress Tool Transfer	Seasalt has a command to download additional files.^[1]^[1]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.^[1]
Enterprise	T1027		Obfuscated Files or Information	Seasalt obfuscates configuration data.^[1]
Enterprise	T1057		Process Discovery	Seasalt has a command to perform a process listing.^[1]

Groups That Use This Software

ID	Name	References
G0006	APT1	^[1]^[2]

References

Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.