FLASHFLOOD

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]

ID: S0036
Aliases: FLASHFLOOD
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1022 | Data Encrypted | FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XORed with 0x23. [1]
Enterprise | T1005 | Data from Local System | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book. [1]
Enterprise | T1025 | Data from Removable Media | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP. [1]
Enterprise | T1074 | Data Staged | FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory. [1]
Enterprise | T1083 | File and Directory Discovery | FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | FLASHFLOOD achieves persistence by making an entry in the Registry's Run key. [1]
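The staging encoding in the T1022 row (zlib, then a byte rotation, then XOR with 0x23) can be reversed during forensic triage of the staging directory. The decoder below is an added example, not ATT&CK's or the referenced report's code; it assumes "rotated four times" means each byte's bits are rotated by four positions and that the order is compress, rotate, XOR, and the sample input is constructed here.

```python
"""Decode/triage helper for the FLASHFLOOD/SPACESHIP staging encoding (added example)."""
import zlib

XOR_KEY = 0x23  # from the page: staged bytes are XORed with 0x23


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n positions."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n positions."""
    return ror8(b, 8 - (n % 8))


def encode_staged(plaintext: bytes) -> bytes:
    """Reference encoder used only to build test input.
    Assumption: compress -> rotate each byte by 4 bits -> XOR 0x23."""
    compressed = zlib.compress(plaintext)
    return bytes(rol8(b, 4) ^ XOR_KEY for b in compressed)


def decode_staged(blob: bytes) -> bytes:
    """Undo the staging encoding and return the original file content.
    Note: for 8-bit values a 4-bit rotate is its own inverse, so the decoder
    is correct whether the malware rotated left or right."""
    rotated = bytes(ror8(b ^ XOR_KEY, 4) for b in blob)
    return zlib.decompress(rotated)


def looks_encoded(blob: bytes) -> bool:
    """Cheap triage check for files found in the staging directory:
    after undoing XOR and rotate, a zlib stream starts with CMF=0x78-style
    header (CM=8) whose 16-bit header value is a multiple of 31."""
    if len(blob) < 2:
        return False
    cmf = ror8(blob[0] ^ XOR_KEY, 4)
    flg = ror8(blob[1] ^ XOR_KEY, 4)
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


# Constructed sample: a fake "collected document" run through the encoder.
SAMPLE_PLAINTEXT = b"Quarterly figures (constructed sample for the example)\n" * 4
SAMPLE_STAGED = encode_staged(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("looks encoded:", looks_encoded(SAMPLE_STAGED))
    print(decode_staged(SAMPLE_STAGED).decode())
```

Pointing `decode_staged` at a file copied out of the staging path lets an analyst confirm what was collected without relying on the sample to do it.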

Groups

Groups that use this software:

APT30

References