FLASHFLOOD

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]

ID: S0036
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1022 Data Encrypted FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.[1]
Enterprise T1005 Data from Local System FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.[1]
Enterprise T1025 Data from Removable Media FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP.[1]
Enterprise T1074 Data Staged FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.[1]
Enterprise T1083 File and Directory Discovery FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[1]
Enterprise T1060 Registry Run Keys / Startup Folder FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[1]

Groups

Groups that use this software:

APT30

References