SPACESHIP
SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.[1] |
| Enterprise | T1547 | .009 | Boot or Logon Autostart Execution: Shortcut Modification |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
| .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
||
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[1] |
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
SPACESHIP copies staged data to removable drives when they are inserted into the system.[1] |
| Enterprise | T1083 | File and Directory Discovery |
SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0013 | APT30 |