FLASHFLOOD
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1025 | 从可移动介质获取数据 |
FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP.[1] |
|
| Enterprise | T1005 | 从本地系统获取数据 |
FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.[1] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[1] |
| Enterprise | T1560 | .003 | 归档收集数据: Archive via Custom Method |
FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.[1] |
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.[1] |
| Enterprise | T1083 | 文件和目录发现 |
FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.[1] |
|