Analyzing SHEET#CREEP: The Malware Returns with New Config Obfuscation
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
An active espionage operation known as SHEETCREEP relies on a C# remote access trojan that uses the Google Sheets API for command and control. The attackers deliver the malware through a diplomatic-themed ISO phishing lure, after which the RAT establishes persistence and executes commands through an in-process PowerShell runspace. Recent samples show the operators have strengthened the malware by introducing XOR-based obfuscation for configuration data.
Investigation
The Securonix Threat Research team uncovered the campaign by extracting embedded Google Cloud service account credentials from the RAT binary. After authenticating to the live command-and-control spreadsheet, the researchers identified 91 active victim tabs, including sandboxes, research environments, and one high-confidence victim located in Pakistan. Their analysis also showed that the malware’s configuration protection had evolved through an updated obfuscation approach.
Mitigation
Organizations should avoid opening unsolicited attachments, especially ISO files that contain LNK shortcut files. Defenders should monitor the %LOCALAPPDATA%\MicrosoftVault directory for suspicious executables and review scheduled tasks for misleading or unexpected entries. Strong endpoint visibility through tools such as Sysmon and AMSI can also help detect in-process PowerShell activity tied to this malware.
Response
If unusual HTTPS traffic to Google API services is observed from non-browser processes, the affected system should be isolated immediately. Security teams should inspect scheduled tasks for unauthorized items such as WindowsVaultSyncService. A forensic review of %LOCALAPPDATA%\MicrosoftVault should also be performed to identify hidden or system-attributed binaries associated with the intrusion.
Attack Flow
Detections
Possible Choice Usage for Delay Execution (via cmdline)
View
VHDMP Optic Disk Image Was Mounted (via VHDMP)
View
Suspicious Scheduled Task (via audit)
View
Possible Google Command and Control Utility Activity (via proxy)
View
IOCs (HashSha256) to detect: Analyzing SHEET#CREEP: SHEETCREEP is up again with different config obfuscation
View
IOCs (SourceIP) to detect: Analyzing SHEET#CREEP: SHEETCREEP is up again with different config obfuscation
View
IOCs (DestinationIP) to detect: Analyzing SHEET#CREEP: SHEETCREEP is up again with different config obfuscation
View
Detection of Sheet#CREEP C2 Communication via Google Sheets API [Firewall]
View
Detect SHEET#CREEP Malware Mutex Usage [Windows Sysmon]
View
Detection of SHEETCREEP Persistence and Execution Patterns [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary aims to establish persistence and execute a remote access trojan (RAT) using the SHEETCREEP technique. First, they simulate the initial execution via a malicious LNK file that calls
cmd.exeto start a specific suspicious executable. Next, they establish persistence by creating a scheduled task namedWindowsVaultSyncServicewith a deceptive description to blend in with system updates. Finally, they deploy the payloadvaultsvc.exeinto theC:Users<User>AppDataLocalMicrosoftVaultdirectory and execute it to trigger the final part of the detection logic. -
Regression Test Script:
# SHEETCREEP Simulation Script # Note: This script must be run with Administrative privileges to create scheduled tasks. $targetDir = "$env:LOCALAPPDATAMicrosoftVault" $payloadName = "vaultsvc.exe" $payloadPath = "$targetDir$payloadName" $taskName = "WindowsVaultSyncService" $taskDesc = "Windows Edge Core Update Task Machine Discord Update" Write-Host "[+] Starting SHEETCREEP Simulation..." -ForegroundColor Cyan # 1. Simulate Selection 1: CMD execution with specific string Write-Host "[+] Simulating Selection 1: CMD command pattern..." -ForegroundColor Yellow Start-Process cmd.exe -ArgumentList '/c start "" "Document_11052026-03578240540350-93.exe"' -WindowStyle Hidden # 2. Simulate Selection 2: Scheduled Task Creation Write-Host "[+] Simulating Selection 2: Scheduled Task creation..." -ForegroundColor Yellow $action = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c echo Persistence Established" $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskName -Description $taskDesc -Force # 3. Simulate Selection 3: Payload placement and execution Write-Host "[+] Simulating Selection 3: Payload deployment and execution..." -ForegroundColor Yellow if (!(Test-Path $targetDir)) { New-Item -Path $targetDir -ItemType Directory -Force | Out-Null } # Create a dummy binary file to mimic the RAT New-Item -Path $payloadPath -ItemType File -Force | Out-Null # Execute the dummy payload Start-Process -FilePath $payloadPath -WindowStyle Hidden -ErrorAction SilentlyContinue Write-Host "[+] Simulation commands sent. Check SIEM for alerts." -ForegroundColor Green -
Cleanup Commands:
# Cleanup SHEETCREEP Simulation $targetDir = "$env:LOCALAPPDATAMicrosoftVault" $payloadPath = "$targetDirvaultsvc.exe" $taskName = "WindowsVaultSyncService" Write-Host "[+] Cleaning up simulation artifacts..." -ForegroundColor Cyan # Remove Scheduled Task Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue # Remove Payload and Directory if (Test-Path $payloadPath) { Remove-Item $payloadPath -Force } if (Test-Path $targetDir) { Remove-Item $targetDir -Recurse -Force } Write-Host "[+] Cleanup complete." -ForegroundColor Green