Skip to content

S0035 SPACESHIP

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. 1

Item Value
ID S0035
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR’ed with 0x23.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder SPACESHIP achieves persistence by creating a shortcut in the current user’s Startup folder.1
enterprise T1547.009 Shortcut Modification SPACESHIP achieves persistence by creating a shortcut in the current user’s Startup folder.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging SPACESHIP identifies files with certain extensions and copies them to a directory in the user’s profile.1
enterprise T1052 Exfiltration Over Physical Medium -
enterprise T1052.001 Exfiltration over USB SPACESHIP copies staged data to removable drives when they are inserted into the system.1
enterprise T1083 File and Directory Discovery SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.1

Groups That Use This Software

ID Name References
G0013 APT30 1

References

Back to top