SHIPSHAPE

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. ^[1]

ID: S0028

ⓘ

Type: MALWARE

Version: 1.0

Created: 31 May 2017

Last Modified: 17 October 2018

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	启动或登录自动启动执行: Registry Run Keys / Startup Folder	SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.^[1]
		.009	启动或登录自动启动执行: Shortcut Modification	SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.^[1]
Enterprise	T1091		通过可移动媒体复制	APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.^[1]

Groups That Use This Software

ID	Name	References
G0013	APT30	^[1]

References

FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

SHIPSHAPE

Enterprise Layer

Techniques Used

Groups That Use This Software

References