Salgorea

Salgorea, BadCake
(Type: Reconnaissance, Backdoor)

(Accenture) This backdoor is commonly dropped by either an SFX or an exploit document (e.g. Microsoft Corp. Word or PDF file). Some of this backdoor’s observed capabilities include:
• Arbitrary file, process and registration creation
• Fingerprinting the local machine
• Running arbitrary shellcode
Once dropped, it is usually divided into multiple components in order to be side-loaded, in a fashion similar to other remote access tools including {{PlugX}} and {{NetTraveler}}.

[News Analysis] Trends:

Total Trend: 3

Trend Per Year
2018: 1
2019: 2

Trend Per Month
Mar 2018: 1
Jan 2019: 1
Apr 2019: 1



[News Analysis] News Mention Another Threat Name:

1 - Salgorea
1 - APT32


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Deobfuscating APT32 Flow Graphs with Cutter and Radare2

2019-04-24 by Itay Cohen from Check Point Research

Pond Loach delivers BadCake malware

2019-01-17 by Matthew Brady from Accenture

OceanLotus: Old techniques, new backdoor

2018-03 by ESET Research

Basic Information (Credit @etda.or.th)

Tool: Salgorea

Names: Salgorea, BadCake

Description: (Accenture) This backdoor is commonly dropped by either an SFX or an exploit document (e.g. Microsoft Corp. Word or PDF file). Some of this backdoor’s observed capabilities include:
• Arbitrary file, process and registration creation
• Fingerprinting the local machine
• Running arbitrary shellcode
Once dropped, it is usually divided into multiple components in order to be side-loaded, in a fashion similar to other remote access tools including {{PlugX}} and {{NetTraveler}}.

Category: Malware

Type: Reconnaissance, Backdoor

Information: https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi