Skip to content

S0028 SHIPSHAPE

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. 1

Item Value
ID S0028
Type MALWARE
Version 1.0
Created 31 May 2017
Last Modified 17 October 2018
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.1
enterprise T1547.009 Shortcut Modification SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.1
enterprise T1091 Replication Through Removable Media APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.1

Groups That Use This Software

ID Name References
G0013 APT30 1

References

Back to top