Severity
Medium
Analysis Summary
The Oceansalt APT Group seems to have links with the Chinese hacking group Comment Crew (aka APT1).
The target sectors of this group include Finance, universities, telecommunications and agriculture. The threat actors behind Oceansalt implant a malware on the intended target’s system. However, their motives aren’t clear yet.
Impact
Financial loss
Damage to Reputation
Potential legal consequences
Indicators of Compromise
IP(s) / Hostname(s)
- 116.127.123[.]55
- 183.111.174[.]42
- 158.69.131[.]78
- 172.81.132[.]62
- 211.104.160[.]196
- 27.102.112[.]179
URLs
- hxxp://158[.]69[.]131[.]78/
- hxxp://172[.]81[.]132[.]62/
- hxxp://korff[.]or[.]kr/admin/data/member/1/log[.]php
- hxxp://eduasia[.]kr/gbbs/bbs/admin/log[.]php
- korff[.]or[.]kr
- eduasia[.]kr
Malware Hash (MD5/SHA1/SH256)
- 4efd425eb9841e2ed19e0933735be736f099dbd2c7ab791241217f4b8937ce9d
- aa583da0b11fe94278de2c097e6a9d1f922d6fe3c8d79054d146442f1a830c01
- b82697de1702d4c1297cc1a436280a0295fe3c6c48f6f08457e6f3f89783be9e
- 8458592ad6f6c2b18f6d31be59a6a8a8538dea33bfe10178bacc33fa0e971f3a
- d1bfc02db9922f89da0cef14b514b63af3703f1ab7bd88d558431151bfac92e2
- db96ead07e4942ad4b5cd1122dbde7dacabc2087da1e0f44294018f9266b6d24
- 7e86d38ea795030774aa864e025fc88b8f58578ae72ec245353ade1489292763
- 6c1373b3fc292b90062401c56359c09aa7b779d0ec1f8f4ab93130718b3891f9
- 12e1b00af73101cb297387b6ee5035c4cae04211d995ddd233fb375deb492b0a
- 85c4a06ec817559a91028bc2441d8a341f9e408130c505d310a02bd31ca1ebb3
- 12a6d940382d9288e3585c80f0a66da7904e45dafc8e95d4e908f5b7518bb560
- f3b7d1704765507956752fa985d5d7eda2ec3e88417c9a94918720f36da050f8
- 7451ebf8ab3da9d8138f97b73fea9d591c3cb43d5e689901a5edc7020e6ccb04
- 1582eda79d7febbfbd708adbdc90e26cde94a1eae765d86a70977d765252e481
- c202c578cc5e12c0d0ebe821f0192581a5c5a9a43f2b93de4ca77f5501c6fcc5
- ca8c537226104639d93e90e1d734265d56bc7ce5be94b078c5cc07ca3e1ac2f7
- e5e67ea991c75b9dccad7fc2f6551012c764a47850ffce59c2cd7406976ff269
- 2c6c9bf61eb9d831322779239b4674ea3aa0f86928038ebd7fbea9aeae38007e
- 099ee51e778991a5e689ab5d7ab650d3e709155602d9b1b74d59690db9e92a21
- e24d86cf5eda21dbbb16ba9ea7e222c5f4d3f0276fb33dda07e406a768f3b6e8
- b7c221acd87642b2cc44854f0d1f0daf12ac25a1065a577f51bb7623e4be8650
- 0106b3eb8cd100ec7b900f811d526226909840be710aa088f10b313ab7135cf1
- 46c398efb64147fae37c326512c807837daf6933b45da23c0099bead0b4d5fcd
- aa9849b4e9dc589b0202793e78bd8fed646bc9ecd459d5040baa1c94c86a2d0b
- 6822ac1524875653e9923be937ba4e7d36135df8a7a1b835dc05a87cfa5320ff
- 554d020707eda87217e56b605f0cf5307ff2de49d515bf26aea6d81986572b84
- 4a9c546ecd2c0cf185e68983852fa233c3efeb78a8d1e22cd43b75912ca96acf
- 085fda5211d4e135f50ecbeb7f24771b6005f436e8d9a573967383d4e804d9bc
- 024f920fc27aa37b6d7eb0c5dd852eb8d3cf0bd1e9b16674bcc58471f74a283a
- a5ae58b2e04c6928a9eae21916d6ff2ed1e99280ec83385a1cd98d85ec35fb90
- 43c9928d88ab67f96baff78295ab2b0b0b623c3430c367c38e9a8e1d3523f73d
- facb59735b3c876b0dc37b4b03ebb2e6bd85fd40d381abc5ab7ac6a4fc436d6a
Remediation
- Block the threat indicators at their respective controls.
- WHITELIST applications – application whitelisting to block the execution of un-certified binaries.
- BLOCK executables – prevent binaries from executing from temporary folders under the user home directory.
- BLOCK Macros – where possible, restrict or block Macros from executing or implement internal policies on external documents that include macros.
- ENHANCE Secure Web Gateways – look to features in SWG to monitor for binaries that are masked as web/HTTP artifacts (I.e. PHP files)
- GEO-FENCE connections – disallow outbound network connections to non-business functional regions.
- SANATIZE emails – scrutinize attachments and web site hyperlinks contained in e-mails
- PATCH vulnerabilities – prioritizing timely patching of Internet-connected systems for known vulnerabilities and software processing Internet data especially on Microsoft Office suite
- REFRESH SIEM Use Case – Look to use cases that involve VBA scripts