SPACESHIP
SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1022 | Data Encrypted |
Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.[1] |
| Enterprise | T1074 | Data Staged |
SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[1] |
| Enterprise | T1052 | Exfiltration Over Physical Medium |
SPACESHIP copies staged data to removable drives when they are inserted into the system.[1] |
| Enterprise | T1083 | File and Directory Discovery |
SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
| Enterprise | T1023 | Shortcut Modification |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0013 | APT30 | [1] |