SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. ^[1]

ID: S0035

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560	.003	Archive Collected Data: Archive via Custom Method	Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.^[1]
		.009	Boot or Logon Autostart Execution: Shortcut Modification	SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.^[1]
Enterprise	T1052	.001	Exfiltration Over Physical Medium: Exfiltration over USB	SPACESHIP copies staged data to removable drives when they are inserted into the system.^[1]
Enterprise	T1083		File and Directory Discovery	SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.^[1]

Groups That Use This Software

ID	Name	References
G0013	APT30	^[1]

References

FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

SPACESHIP

Enterprise Layer

Techniques Used

Groups That Use This Software

References