SOC Prime Bias: Critical

16 Jun 2026 05:47 UTC

Analyzing SHEET#CREEP: The Malware Returns with New Config Obfuscation

Author Photo
SOC Prime Team linkedin icon Follow
Analyzing SHEET#CREEP: The Malware Returns with New Config Obfuscation
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

An active espionage operation known as SHEETCREEP relies on a C# remote access trojan that uses the Google Sheets API for command and control. The attackers deliver the malware through a diplomatic-themed ISO phishing lure, after which the RAT establishes persistence and executes commands through an in-process PowerShell runspace. Recent samples show the operators have strengthened the malware by introducing XOR-based obfuscation for configuration data.

Investigation

The Securonix Threat Research team uncovered the campaign by extracting embedded Google Cloud service account credentials from the RAT binary. After authenticating to the live command-and-control spreadsheet, the researchers identified 91 active victim tabs, including sandboxes, research environments, and one high-confidence victim located in Pakistan. Their analysis also showed that the malware’s configuration protection had evolved through an updated obfuscation approach.

Mitigation

Organizations should avoid opening unsolicited attachments, especially ISO files that contain LNK shortcut files. Defenders should monitor the %LOCALAPPDATA%\MicrosoftVault directory for suspicious executables and review scheduled tasks for misleading or unexpected entries. Strong endpoint visibility through tools such as Sysmon and AMSI can also help detect in-process PowerShell activity tied to this malware.

Response

If unusual HTTPS traffic to Google API services is observed from non-browser processes, the affected system should be isolated immediately. Security teams should inspect scheduled tasks for unauthorized items such as WindowsVaultSyncService. A forensic review of %LOCALAPPDATA%\MicrosoftVault should also be performed to identify hidden or system-attributed binaries associated with the intrusion.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish persistence and execute a remote access trojan (RAT) using the SHEETCREEP technique. First, they simulate the initial execution via a malicious LNK file that calls cmd.exe to start a specific suspicious executable. Next, they establish persistence by creating a scheduled task named WindowsVaultSyncService with a deceptive description to blend in with system updates. Finally, they deploy the payload vaultsvc.exe into the C:Users<User>AppDataLocalMicrosoftVault directory and execute it to trigger the final part of the detection logic.

  • Regression Test Script:

    # SHEETCREEP Simulation Script
    # Note: This script must be run with Administrative privileges to create scheduled tasks.
    
    $targetDir = "$env:LOCALAPPDATAMicrosoftVault"
    $payloadName = "vaultsvc.exe"
    $payloadPath = "$targetDir$payloadName"
    $taskName = "WindowsVaultSyncService"
    $taskDesc = "Windows Edge Core Update Task Machine Discord Update"
    
    Write-Host "[+] Starting SHEETCREEP Simulation..." -ForegroundColor Cyan
    
    # 1. Simulate Selection 1: CMD execution with specific string
    Write-Host "[+] Simulating Selection 1: CMD command pattern..." -ForegroundColor Yellow
    Start-Process cmd.exe -ArgumentList '/c start "" "Document_11052026-03578240540350-93.exe"' -WindowStyle Hidden
    
    # 2. Simulate Selection 2: Scheduled Task Creation
    Write-Host "[+] Simulating Selection 2: Scheduled Task creation..." -ForegroundColor Yellow
    $action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c echo Persistence Established"
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskName -Description $taskDesc -Force
    
    # 3. Simulate Selection 3: Payload placement and execution
    Write-Host "[+] Simulating Selection 3: Payload deployment and execution..." -ForegroundColor Yellow
    if (!(Test-Path $targetDir)) {
        New-Item -Path $targetDir -ItemType Directory -Force | Out-Null
    }
    
    # Create a dummy binary file to mimic the RAT
    New-Item -Path $payloadPath -ItemType File -Force | Out-Null
    
    # Execute the dummy payload
    Start-Process -FilePath $payloadPath -WindowStyle Hidden -ErrorAction SilentlyContinue
    
    Write-Host "[+] Simulation commands sent. Check SIEM for alerts." -ForegroundColor Green
  • Cleanup Commands:

    # Cleanup SHEETCREEP Simulation
    $targetDir = "$env:LOCALAPPDATAMicrosoftVault"
    $payloadPath = "$targetDirvaultsvc.exe"
    $taskName = "WindowsVaultSyncService"
    
    Write-Host "[+] Cleaning up simulation artifacts..." -ForegroundColor Cyan
    
    # Remove Scheduled Task
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
    
    # Remove Payload and Directory
    if (Test-Path $payloadPath) { Remove-Item $payloadPath -Force }
    if (Test-Path $targetDir) { Remove-Item $targetDir -Recurse -Force }
    
    Write-Host "[+] Cleanup complete." -ForegroundColor Green