SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. ^[1]

ID: S0035

Type: MALWARE

Platforms: Windows

Version: 1.0

Created: 31 May 2017

Last Modified: 17 October 2018

Techniques Used

Domain	ID	Name	Use
Enterprise	T1022	Data Encrypted	Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.^[1]
Enterprise	T1074	Data Staged	SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.^[1]
Enterprise	T1052	Exfiltration Over Physical Medium	SPACESHIP copies staged data to removable drives when they are inserted into the system.^[1]
Enterprise	T1083	File and Directory Discovery	SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.^[1]
Enterprise	T1060	Registry Run Keys / Startup Folder	SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.^[1]
Enterprise	T1023	Shortcut Modification	SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.^[1]

Groups That Use This Software

ID	Name	References
G0013	APT30	^[1]

References

FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

SPACESHIP

Enterprise Layer

Techniques Used

Groups That Use This Software

References