S0035 SPACESHIP
SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]
| Item | Value |
|---|---|
| ID | S0035 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [1] |
| enterprise | T1547.009 | Shortcut Modification | SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile. [1] |
| enterprise | T1052 | Exfiltration Over Physical Medium | - |
| enterprise | T1052.001 | Exfiltration over USB | SPACESHIP copies staged data to removable drives when they are inserted into the system. [1] |
| enterprise | T1083 | File and Directory Discovery | SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time. [1] |
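The T1560.003 entry above describes the staging-area encoding (zlib, a four-position rotation, XOR with 0x23) without fixing the exact order of operations. The following added example, which is not part of the ATT&CK page or of any published SPACESHIP analysis, shows how an analyst can reverse that encoding to recover staged data and triage a directory for blobs that carry the resulting header. It assumes that "rotated by four positions" is a per-byte bit rotation (rotating an 8-bit value by four positions in either direction is the same nibble swap) applied before the XOR; if a sample uses the opposite order, swap the two steps in `decode_blob`. The sample inputs are constructed here.

```python
import zlib

XOR_KEY = 0x23  # constant from the ATT&CK description

def rot4(b: int) -> int:
    """Rotate an 8-bit value by four positions (nibble swap; direction-independent)."""
    return ((b << 4) | (b >> 4)) & 0xFF

def encode_blob(plaintext: bytes) -> bytes:
    """Assumed encoding order: zlib -> rotate each byte by 4 -> XOR 0x23."""
    return bytes(rot4(b) ^ XOR_KEY for b in zlib.compress(plaintext))

def decode_blob(blob: bytes) -> bytes:
    """Undo the assumed encoding: XOR 0x23 -> rotate by 4 -> zlib inflate.
    Both byte transforms are involutions, so only the order matters."""
    return zlib.decompress(bytes(rot4(b ^ XOR_KEY) for b in blob))

# A zlib stream begins with CMF byte 0x78 (deflate, 32 KiB window). Under the
# assumed encoding that byte becomes rot4(0x78) ^ 0x23 == 0xA4, so an encoded
# staged file should start with 0xA4 (0xA4 0xEA for the common 0x78 0x9C header).
ENCODED_ZLIB_MARKER = bytes([rot4(0x78) ^ XOR_KEY])

def looks_encoded(blob: bytes) -> bool:
    """Cheap header check, then confirm by actually inflating."""
    if not blob.startswith(ENCODED_ZLIB_MARKER):
        return False
    try:
        decode_blob(blob)
        return True
    except zlib.error:
        return False

def triage_staging_dir(files: dict) -> list:
    """Given {filename: bytes} from a suspected staging directory, return the
    names of files that decode cleanly under the assumed scheme."""
    return sorted(name for name, data in files.items() if looks_encoded(data))

if __name__ == "__main__":
    # Constructed sample: two encoded documents and one unrelated file.
    staged = {
        "a1.dat": encode_blob(b"Quarterly report draft - constructed sample"),
        "a2.dat": encode_blob(b"meeting notes\n" * 20),
        "readme.txt": b"not staged data",
    }
    for name in triage_staging_dir(staged):
        print(name, decode_blob(staged[name])[:40])
```

The header check is only a filter; the inflate step is what confirms the hypothesis, since a single marker byte will occur by chance in unrelated data. Running `decode_blob` on a candidate and obtaining a clean zlib stream is strong evidence that the file was produced by this encoding, whereas a `zlib.error` on every candidate suggests the order-of-operations assumption (or the rotation interpretation) is wrong for that sample.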
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0013 | APT30 | 1 |