SPACESHIP

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]

ID: S0035
Aliases: SPACESHIP
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1022 | Data Encrypted | Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23. [1]
Enterprise | T1074 | Data Staged | SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile. [1]
Enterprise | T1052 | Exfiltration Over Physical Medium | SPACESHIP copies staged data to removable drives when they are inserted into the system. [1]
Enterprise | T1083 | File and Directory Discovery | SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [1]
Enterprise | T1023 | Shortcut Modification | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [1]

Groups

Groups that use this software:

APT30

References