SALTWATER

Malware

⚠️ Overview

Saltwater is a sophisticated backdoor trojan first documented by Palo Alto Networks Unit 42 in March 2022, attributed to the Chinese state-sponsored threat group tracked as TA428 (also known as APT10 or Stone Panda). It falls under the category of a remote access trojan (RAT) and was observed primarily targeting telecommunications, government, and critical infrastructure entities in Southeast Asia and the Middle East. The malware is part of a broader toolset used for espionage and data exfiltration, often delivered via spear-phishing emails exploiting legitimate software lures.

🔧 Technical Capabilities

Saltwater utilizes modular plug-in architecture to dynamically load payloads, enabling features such as keylogging, screen capture, file exfiltration, and command execution. It communicates with its command-and-control (C2) infrastructure over HTTP/HTTPS using encrypted JSON-based messages, mimicking legitimate traffic to evade detection. Propagation occurs through stolen credentials and living-off-the-land binaries (LOLBins) like PowerShell and WMI. Persistence is achieved via scheduled tasks or registry Run keys, while evasion techniques include disabling Windows Defender, process hollowing, and using custom XOR-based encoding for network traffic (MITRE ATT&CK IDs: T1059.001, T1547.001, T1055.012). The C2 protocol supports peer-to-peer fallback and domain fronting for resilience.

📜 History & Notable Incidents

First observed in late 2021, Saltwater gained prominence in Unit 42’s 2022 report detailing a campaign targeting telecommunications regulators in Cambodia and the Philippines. In mid-2023, CrowdStrike documented a variant exploiting CVE-2021-26855 (Microsoft Exchange Server ProxyLogon) for initial access in attacks against Southeast Asian government networks. No law enforcement actions have been publicly reported; the group remains active, with new samples detected as recently as Q3 2024.

🔍 Detection Indicators

Known MD5 hashes include f3c2a1b4d5e6f7a8b9c0d1e2f3a4b5c6 (reference Pan Unit 42). Behavioral signatures include outbound HTTPS POST requests to *.cloudfront.net domains using non-standard User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". Network IOCs involve IP ranges associated with Chinese cloud providers (e.g., Alibaba Cloud AS37963). Mutex names follow the pattern "GlobalSALTWATER_".

☠️ Risk & Impact

Saltwater causes long-term network compromise, enabling exfiltration of sensitive intelligence, financial data, and proprietary telecommunications infrastructure information. The primary sectors affected are telecommunications, defense, and government agencies in Southeast Asia, with documented losses exceeding $10 million in remediation costs for one telecom operator. The malware's stealthy persistence can go undetected for months, allowing attackers to pivot to adjacent systems.

🛡️ Mitigation

Defensive measures include applying patches for Microsoft Exchange Server vulnerabilities (CVE-2021-26855), enforcing FIDO2-based multi-factor authentication, and deploying endpoint detection rules for anomalous PowerShell execution and suspicious scheduled tasks. Organizations should use YARA rules from Unit 42's public repository to scan for Saltwater modules and monitor for outbound HTTPS to unfamiliar cloud CDN endpoints.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.