Skip to content

S0036 FLASHFLOOD

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. 1

Item Value
ID S0036
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR’ed with 0x23.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FLASHFLOOD achieves persistence by making an entry in the Registry’s Run key.1
enterprise T1005 Data from Local System FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.1
enterprise T1025 Data from Removable Media FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging FLASHFLOOD stages data it copies from the local system or removable drives in the “%WINDIR%\$NtUninstallKB885884$" directory.1
enterprise T1083 File and Directory Discovery FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.1

Groups That Use This Software

ID Name References
G0013 APT30 1

References