SPACESHIP

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]

ID: S0035
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[1]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

SPACESHIP copies staged data to removable drives when they are inserted into the system.[1]

Enterprise T1083 File and Directory Discovery

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[1]

Groups That Use This Software

ID Name References
G0013 APT30

[1]

References