
Operation Oceansalt Targets Koreans Using New Recon Implant, Italy Navy Targeted By Phishing Attacks That Deliver QuasarRAT

Researchers discovered an espionage campaign dubbed Operation Oceansalt that targets Koreans using an unknown data reconnaissance implant, which appears to reuse code from the Seasalt implant previously linked to the Chinese hacker group Comment Crew. The Oceansalt implant is believed to be first-stage malware that is written to disk after being downloaded from a macro-laden document and that pilfers information about the infected endpoint. At 76KB, it has a minimal on-disk footprint, which makes it harder to detect than larger malware. The operation’s Korean targets include people who likely have knowledge of South Korean public infrastructure projects and related financials, and people involved in higher education. Other targets are based in the United States and Canada.

Italy’s naval industry suffered several phishing attacks that sought to deliver QuasarRAT, an open-source remote administration tool. Recipients received emails from senders masquerading as known vendors of marine parts and naval services. The emails contained specially crafted Excel files that adopted the VelvetSweatshop trick and exploited a Microsoft Equation Editor vulnerability to download QuasarRAT.

[1] ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group
[2] Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883