SPACESHIP
SPACESHIP is malware developed by APT30 that propagates and exfiltrates data over removable devices. APT30 may use this capability to move collected data across air gaps, with the removable drive acting as the carrier between networks. [1]
ID: S0035
Aliases: SPACESHIP
Type: MALWARE
Platforms: Windows
Version: 1.0
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1022 | Data Encrypted | Data SPACESHIP copies to the staging area is compressed with zlib, then each byte is rotated by four bit positions (a nibble swap) and XOR'ed with 0x23. The transform uses a fixed constant rather than a key, so staged files can be recovered without any secret.[1] |
Enterprise | T1074 | Data Staged | SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.[1] |
Enterprise | T1052 | Exfiltration Over Physical Medium | SPACESHIP copies staged data to removable drives when they are inserted into the system.[1] |
Enterprise | T1083 | File and Directory Discovery | SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.[1] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
Enterprise | T1023 | Shortcut Modification | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[1] |
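The encoding described in the T1022 row, written out as an added example for an analyst who needs to recover staged or carried files; this is illustrative code, not SPACESHIP's own or anything from the cited report. It assumes the rotation is a per-byte bit rotation (for an 8-bit value, rotating four positions left or right gives the same nibble swap) applied before the XOR, in the order the description gives, and that the zlib stream carries its standard two-byte header. The sample document is constructed for the example.

```python
import zlib

XOR_KEY = 0x23  # constant given in the T1022 description


def rot4(b: int) -> int:
    """Rotate an 8-bit value by four bit positions (swap its nibbles).

    Assumption: 'rotated by four positions' means a bit rotation within each
    byte. For a byte, ROL 4 and ROR 4 are identical, so direction is moot.
    """
    return ((b << 4) | (b >> 4)) & 0xFF


def spaceship_encode(plaintext: bytes) -> bytes:
    """Apply the described staging transform: zlib, then rot4, then XOR 0x23."""
    compressed = zlib.compress(plaintext)
    return bytes(rot4(b) ^ XOR_KEY for b in compressed)


def spaceship_decode(encoded: bytes) -> bytes:
    """Undo the transform in reverse order: XOR (self-inverse), then rot4
    (self-inverse for a 4-bit rotation of a byte), then inflate."""
    compressed = bytes(rot4(b ^ XOR_KEY) for b in encoded)
    return zlib.decompress(compressed)


def looks_encoded(blob: bytes) -> bool:
    """Triage heuristic: decode only the first two bytes and check for a
    well-formed zlib header (CMF 0x78 for deflate with a 32K window, and
    CMF*256+FLG divisible by 31, which is the zlib FCHECK rule)."""
    if len(blob) < 2:
        return False
    cmf = rot4(blob[0] ^ XOR_KEY)
    flg = rot4(blob[1] ^ XOR_KEY)
    return cmf == 0x78 and ((cmf << 8) | flg) % 31 == 0


# Constructed sample standing in for a collected document.
SAMPLE_DOCUMENT = (
    b"Quarterly budget (constructed sample text)\n"
    b"Line item 1: 12,000\nLine item 2: 8,500\n" * 20
)


def demo() -> dict:
    """Round-trip the sample and report the encoded prefix an analyst would
    see on disk. With Python's default zlib level the header 78 9C becomes
    A4 EA after the transform, a usable file-header signature."""
    encoded = spaceship_encode(SAMPLE_DOCUMENT)
    decoded = spaceship_decode(encoded)
    return {
        "prefix": encoded[:2].hex(),
        "round_trip_ok": decoded == SAMPLE_DOCUMENT,
        "encoded_flagged": looks_encoded(encoded),
        "plaintext_flagged": looks_encoded(SAMPLE_DOCUMENT),
    }


if __name__ == "__main__":
    print(demo())
```

Because a 4-bit rotation distributes over XOR, reversing the two steps only changes the constant: rotating after the XOR is equivalent to rotating first and XORing with 0x32. If recovered files fail to inflate with the decoder above, trying 0x32 in place of 0x23 covers that alternative reading without any other change.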
Groups
Groups that use this software:
APT30