win.spaceship

SPACESHIP

Actor(s): APT 30


SPACESHIP searches for files with a specified set of file extensions and copies them to
a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,
which could then be used to infect another victim computer, including an air-gapped one. SPACESHIP is
then used to steal documents from the air-gapped system, copying them to a removable drive inserted
into the SPACESHIP-infected system, from which they can later be retrieved.

References
2015-04-15 | FireEye | FireEye
APT30 and the Mechanics of a Long-Running Cyber Espionage Campaign
backspace FLASHFLOOD NETEAGLE SHIPSHAPE SPACESHIP APT30
2015-04-01 | FireEye | FireEye
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
BACKBEND backspace CREAMSICLE FLASHFLOOD GEMCUTTER MILKMAID Naikon NETEAGLE ORANGEADE SHIPSHAPE SPACESHIP SslMM Sys10 WinMM xsPlus APT30
Yara Rules
[TLP:WHITE] win_spaceship_auto (20230808 | Detects win.spaceship.)
rule win_spaceship_auto {

    // Purpose: flags win.spaceship (APT30 removable-drive document stealer) by
    // requiring 7 of the 10 auto-extracted x86 code sequences below in a file
    // smaller than 256 KiB (262144 bytes).
    //
    // Scope of applicability (see DISCLAIMER below): the sequences were taken
    // from disassembly of memory dumps and unpacked files, so apply this rule to
    // unpacked PE images or process dumps; a packed or encrypted dropper carrying
    // SPACESHIP will generally not expose these byte runs on disk.
    //
    // NOTE(review): $sequence_0, $sequence_1 and $sequence_8 embed absolute
    // addresses (0x416928, 0x416918, 0x416770, 0x416764, 0x41ec00) rather than
    // wildcards, so those three sequences are likely tied to one specific build /
    // section layout; the 7-of-10 threshold gives some slack, but expect reduced
    // coverage on rebuilt or relocated samples -- confirm against additional
    // samples before assigning a high confidence level.
    //
    // NOTE(review): the meta fields disagree on the rule date ("date" =
    // 2023-12-06, "malpedia_rule_date" = 20231130, rule-set version 20230808);
    // treat them as generator bookkeeping rather than a provenance guarantee.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.spaceship."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instructions; the "n"
        // annotation is the instruction count. Bytes written as "????????"
        // (call / memory-reference targets in $sequence_4, _6, _7 and _9) are
        // wildcards, so those sequences are position-independent; the
        // sequences below that contain literal 0x41xxxx immediates are not.
        $sequence_0 = { 6689842464030000 6689842466030000 c784246803000028694100 66899c246c030000 668984246e030000 c784247003000018694100 }
            // n = 6, score = 100
            //   6689842464030000     | mov                 word ptr [esp + 0x364], ax
            //   6689842466030000     | mov                 word ptr [esp + 0x366], ax
            //   c784246803000028694100     | mov    dword ptr [esp + 0x368], 0x416928
            //   66899c246c030000     | mov                 word ptr [esp + 0x36c], bx
            //   668984246e030000     | mov                 word ptr [esp + 0x36e], ax
            //   c784247003000018694100     | mov    dword ptr [esp + 0x370], 0x416918

        $sequence_1 = { 66c78424a40400001200 66898424a6040000 c78424a804000070674100 66c78424ac0400001300 66898424ae040000 c78424b004000064674100 }
            // n = 6, score = 100
            //   66c78424a40400001200     | mov    word ptr [esp + 0x4a4], 0x12
            //   66898424a6040000     | mov                 word ptr [esp + 0x4a6], ax
            //   c78424a804000070674100     | mov    dword ptr [esp + 0x4a8], 0x416770
            //   66c78424ac0400001300     | mov    word ptr [esp + 0x4ac], 0x13
            //   66898424ae040000     | mov                 word ptr [esp + 0x4ae], ax
            //   c78424b004000064674100     | mov    dword ptr [esp + 0x4b0], 0x416764

        $sequence_2 = { 0f8415010000 bb01000000 3bfb 0f8cff000000 eb04 }
            // n = 5, score = 100
            //   0f8415010000         | je                  0x11b
            //   bb01000000           | mov                 ebx, 1
            //   3bfb                 | cmp                 edi, ebx
            //   0f8cff000000         | jl                  0x105
            //   eb04                 | jmp                 6

        $sequence_3 = { 84c0 7547 eb31 8d7502 40 8a10 8aca }
            // n = 7, score = 100
            //   84c0                 | test                al, al
            //   7547                 | jne                 0x49
            //   eb31                 | jmp                 0x33
            //   8d7502               | lea                 esi, [ebp + 2]
            //   40                   | inc                 eax
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   8aca                 | mov                 cl, dl

        $sequence_4 = { 52 e8???????? 83c418 5f 5e 5b 83c410 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   83c410               | add                 esp, 0x10

        $sequence_5 = { 85c0 7454 8a442404 84c0 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   7454                 | je                  0x56
            //   8a442404             | mov                 al, byte ptr [esp + 4]
            //   84c0                 | test                al, al

        $sequence_6 = { 53 ff542428 8d8c2454020000 51 e8???????? }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   ff542428             | call                dword ptr [esp + 0x28]
            //   8d8c2454020000       | lea                 ecx, [esp + 0x254]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { 8b442424 8b0d???????? 56 50 }
            // n = 4, score = 100
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8b0d????????         |                     
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_8 = { 8d3c8d00ec4100 c1e603 8b0f 833c31ff }
            // n = 4, score = 100
            //   8d3c8d00ec4100       | lea                 edi, [ecx*4 + 0x41ec00]
            //   c1e603               | shl                 esi, 3
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   833c31ff             | cmp                 dword ptr [ecx + esi], -1

        $sequence_9 = { 723c 8d8c2458030000 6a00 8d94245c050000 51 52 ff15???????? }
            // n = 7, score = 100
            //   723c                 | jb                  0x3e
            //   8d8c2458030000       | lea                 ecx, [esp + 0x358]
            //   6a00                 | push                0
            //   8d94245c050000       | lea                 edx, [esp + 0x55c]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     

    condition:
        // 7 of the 10 sequences must be present, and the scanned object must be
        // under 262144 bytes (256 KiB). The size bound means a full process
        // dump larger than that will never match even if every sequence is
        // present -- scan the unpacked module image rather than the whole dump.
        // NOTE(review): when scanning live process memory instead of a file,
        // check how your YARA version evaluates filesize -- confirm.
        7 of them and filesize < 262144
}