A new malware campaign, named Operation Oceansalt, has been found that mirrors the earlier "Seasalt" operation carried out between 2010 and 2013. The group behind Seasalt distributed malware in the United States and Canada that targeted the finance industry. That group was the Chinese hacking group "Comment Crew," commonly referred to as APT1, and it managed to steal terabytes of data before its campaign was discovered.

Oceansalt has so far been deployed in five distinct waves and is targeting finance professionals, predominantly in South Korea. The attackers send spear-phishing emails that lure recipients into opening malicious Excel documents. The group has done its research and "they know who to target," the report stated. The attacks have also reached the United States and Canada, although fewer cases have been reported there. The malware embedded in the documents is used initially for reconnaissance, but it can also be used to take control of the infected system and of any network the device is connected to.

The newly found malware shares very similar, and in places identical, portions of code with the malware used in the Seasalt campaign. Because the source code of APT1's malware was never made public, these similarities suggest that there has been some form of communication between APT1 and the group behind Oceansalt. This new campaign shows how threat actors can learn from each other to extend their attacks and capabilities. Whoever is behind the campaign has not publicly announced themselves or their motives.
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is