Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew

Pierluigi Paganini October 19, 2018

Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada.

The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1.

“McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report.

“We have named this threat Operation Oceansalt based on its similarity to the earlier malware Seasalt, which is related to earlier Chinese hacking operations. Oceansalt reuses a portion of code from the Seasalt implant (circa 2010) that is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, United States, and Canada in a well-focused attack.”

APT1 cyberespionage group, aka Comment Crew, was first discovered in 2013 by experts from Mandiant firm. The evidence collected by the security experts links APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398), experts believe the group has been active since 2006 and targeted hundreds of organizations in multiple industries.

According to McAfee, Operation Oceansalt was not conducted by APT1, attackers leverage the Oceansalt implant that borrows the code from the APT1 tool dubbed Seasalt.

Both malware uses similar command handler and index table, and exactly the same response codes associated with command execution.

Oceansalt contains the following strings that are part of Seasalt:

  • Upfileer
  • Upfileok

Both implants have a high degree of similarity in code sharing and functions. A few of their commonalities follow.”

According to the researchers, the implant is only a first-stage component that allows operators to perform various actions on the infected systems and to downloads additional components.

Oceansalt implements a dozen commands, including extract drive information, send information about a specific file, execute a command line using WinExec(), delete file, create file, get information on the running processes, terminate process, create/operate/terminate reverse shell, and test receive and send capabilities.

Operation Oceansalt

At the time of the analysis, it was still unclear who is behind the campaign, the only certainty was that the attackers in someway have access to the APT1’s source code even if it was never publicly disclosed.

The Oceansalt implant was used in at least five campaigns and was customized to the specific targets.

In the first two waves of attacks, threat actors used spear-fishing emails with weaponized Korean-language Microsoft Excel documents to download the implant. In the third campaign hackers leveraged on weaponized Microsoft Word documents, while the remaining waves of attacks targeted a small number of entities outside of South Korea, including the U.S. and Canada.

The attackers used several command and control (C&C) servers, their analysis revealed the Operation Oceansalt campaign is active in Canada, Costa Rica, the United States, and the Philippines.

“Perhaps more important is the possible return of a previously dormant threat actor and, further, why should this campaign occur now? Regardless of whether this is a false flag operation to suggest the rebirth of Comment Crew, the impact of the attack is unknown.” McAfee concludes.

“However, one thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous researchfrom the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor—offering up considerably more malicious assets. ” 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APT1, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment