SOC Prime Bias: Critical

30 Jan 2026 19:58

APT Attacks Target India’s Government with SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report covers the Sheet Attack operation, which deployed three bespoke backdoors—SHEETCREEP, FIREPOWER, and MAILCREEP—to compromise Indian government organizations. The implants relied on legitimate cloud platforms for command-and-control, including Google Sheets, Firebase Realtime Database, and the Microsoft Graph API, helping the activity blend into normal SaaS traffic. The analysis also notes artifacts consistent with developers using generative AI to assist with code production. The campaign is assessed as likely tied to a Pakistan-based subgroup of APT36.

Investigation

ThreatLabz conducted both dynamic and static analysis of the backdoors, documenting persistence methods, C2 workflows, and data-exfiltration behavior. The team also mapped supporting infrastructure, observed geographic and User-Agent–based filtering, and captured code-level indicators that suggest AI-assisted source generation.

Mitigation

Implement layered detections for suspicious PDF/LNK delivery chains, and monitor for scheduled tasks that launch PowerShell or VBS execution. Apply strict outbound controls and anomaly monitoring for cloud services commonly abused as C2, including Google Sheets, Firebase, and Microsoft Graph. Use hash-based blocking for known payloads and block identified malicious domains and IP addresses.
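As an added illustration (not SOC Prime's or ThreatLabz's code), the following Python sketches the two detection angles the mitigation advice above describes: the hidden PowerShell reflective-loader command line, and DNS resolution of the abused cloud services by processes that have no business talking to them. The telemetry events, the process image paths and the expected-client list are constructed assumptions, not values from the report.

```python
import re

# Constructed sample telemetry (not from the report): a hidden PowerShell loader command line shaped
# like the one described above, a benign PowerShell launch, and DNS lookups of the abused cloud services.
LOADER_CMD = ('powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes(\'details.png\');'
              '([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0]))'
              '.GetType(\'Task10.Program\')::MB())"')
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "process_creation", "image": PS, "cmdline": LOADER_CMD},
    {"type": "process_creation", "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"type": "dns_query", "image": r"C:\Windows\System32\wscript.exe", "query": "sheets.googleapis.com"},
    {"type": "dns_query", "image": CHROME, "query": "sheets.googleapis.com"},
    {"type": "dns_query", "image": r"C:\Users\Public\svc.exe", "query": "graph.microsoft.com"},
    {"type": "dns_query", "image": r"C:\Users\Public\svc.exe", "query": "example-app.firebaseio.com"},
]

# Loader traits: hidden window, reflective Assembly::Load, the slice that undoes the byte reversal, .png payload.
LOADER_PATTERNS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    re.compile(r"\[\(\$\w+\.Length-1\)\.\.0\]", re.I),
    re.compile(r"\.png\b", re.I),
]
# Cloud services the report names as C2 channels, and the processes that normally talk to them (assumed list).
C2_CLOUD_DOMAINS = ("sheets.googleapis.com", "firebaseio.com", "graph.microsoft.com", "storage.googleapis.com")
EXPECTED_CLIENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe", "onedrive.exe")


def loader_score(cmdline: str) -> int:
    """Number of loader traits present; one alone is common, three or more is the hit."""
    return sum(1 for p in LOADER_PATTERNS if p.search(cmdline))


def is_suspicious_cloud_c2(image: str, query: str) -> bool:
    """An abused cloud C2 domain resolved by a process that is not a normal client of it."""
    proc = image.lower().rsplit("\\", 1)[-1]
    q = query.lower()
    return any(q == d or q.endswith("." + d) for d in C2_CLOUD_DOMAINS) and proc not in EXPECTED_CLIENTS


def detect(events):
    """Return (rule, image, detail) tuples for matching events, in input order."""
    alerts = []
    for e in events:
        if e["type"] == "process_creation" and loader_score(e["cmdline"]) >= 3:
            alerts.append(("reflective_loader", e["image"], e["cmdline"][:60]))
        elif e["type"] == "dns_query" and is_suspicious_cloud_c2(e["image"], e["query"]):
            alerts.append(("cloud_c2_dns", e["image"], e["query"]))
    return alerts
```

The browser lookup of sheets.googleapis.com is deliberately left silent: the point of the process-aware DNS rule is that the domain alone is noise, and the resolving process is what carries the signal.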

Response

When detected, isolate the endpoint, terminate hidden cmd.exe and PowerShell activity, remove related scheduled tasks, and delete the backdoor binaries. Preserve and review Google Sheets–based C2 logs and Firebase artifacts, then hunt across the environment for additional hosts exhibiting the same indicators.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef process fill:#ffdd99
        classDef file fill:#ffcccc
        classDef data fill:#e6e6ff
        classDef protocol fill:#d9ead3
        classDef technique fill:#ffd966

        %% Nodes – Initial Access
        action_phishing["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victim clicks malicious link in a PDF"]
        class action_phishing action
        file_phishing_pdf["<b>File</b> – <b>Name</b>: Phishing PDF<br/><b>Technique</b>: T1204.001"]
        class file_phishing_pdf file
        file_malicious_lnk["<b>File</b> – <b>Name</b>: Malicious LNK<br/><b>Technique</b>: T1204.002 User Execution: Malicious File"]
        class file_malicious_lnk file
        process_powershell["<b>Process</b> – <b>Name</b>: PowerShell<br/><b>Technique</b>: T1059.001 Command and Scripting Interpreter"]
        class process_powershell process
        file_dotnet_assembly["<b>File</b> – <b>Name</b>: PNG disguised .NET assembly<br/><b>Techniques</b>: T1620 Reflective Code Loading, T1036.008 Masquerading File Type"]
        class file_dotnet_assembly file
        process_hidden_cmd["<b>Process</b> – <b>Name</b>: Hidden cmd.exe<br/><b>Technique</b>: T1059.003 Command Shell"]
        class process_hidden_cmd process

        %% Nodes – Persistence
        action_persistence["<b>Action</b> – Persistence Setup"]
        class action_persistence action
        task_scheduled["<b>Technique</b> – T1053 Scheduled Task"]
        class task_scheduled technique
        script_gservices["<b>File</b> – <b>Name</b>: GServices.vbs<br/><b>Purpose</b>: Repeat execution"]
        class script_gservices file

        %% Nodes – Command and Control
        action_c2["<b>Action</b> – Command and Control"]
        class action_c2 action
        data_google_sheets["<b>Data Store</b> – Google Sheets<br/><b>Technique</b>: T1102.002 Web Service: Spread Sheet"]
        class data_google_sheets data
        protocol_https["<b>Protocol</b> – HTTPS<br/><b>Technique</b>: T1071.001 Web Protocols"]
        class protocol_https protocol
        technique_dead_drop["<b>Technique</b> – T1102.001 Dead Drop Resolver"]
        class technique_dead_drop technique
        backup_firebase["<b>Data Store</b> – Firebase URL<br/><b>Fallback</b>: C2 channel"]
        class backup_firebase data
        backup_gcs["<b>Data Store</b> – Google Cloud Storage<br/><b>Fallback</b>: C2 channel"]
        class backup_gcs data
        encryption_tripledes["<b>Technique</b> – T1027 Obfuscated/Encrypted File or Information (TripleDES)"]
        class encryption_tripledes technique
        encryption_channel["<b>Technique</b> – T1573 Encrypted Channel"]
        class encryption_channel technique

        %% Nodes – Discovery
        action_discovery["<b>Action</b> – Discovery"]
        class action_discovery action
        command_whoami["<b>Command</b> – whoami<br/><b>Technique</b>: T1033 System Owner/User Discovery"]
        class command_whoami technique
        command_enum_domains["<b>Command</b> – Enumerate domain accounts<br/><b>Technique</b>: T1087.002 Domain Account"]
        class command_enum_domains technique

        %% Nodes – Execution of Commands
        action_execution["<b>Action</b> – Execute Received Commands"]
        class action_execution action

        %% Nodes – Cloud Account Creation
        cloud_account_creation["<b>Action</b> – Create Google Cloud Account<br/><b>Technique</b>: T1136.003 Cloud Account"]
        class cloud_account_creation action

        %% Nodes – Defense Evasion
        action_defense_evasion["<b>Action</b> – Defense Evasion"]
        class action_defense_evasion action
        technique_hidden_fs["<b>Technique</b> – T1564.005 Hidden Files and Directories"]
        class technique_hidden_fs technique

        %% Connections – Flow
        action_phishing -->|delivers| file_phishing_pdf
        file_phishing_pdf -->|contains link to| file_malicious_lnk
        file_malicious_lnk -->|executes| process_powershell
        process_powershell -->|loads via reflection| file_dotnet_assembly
        file_dotnet_assembly -->|spawns| process_hidden_cmd
        process_hidden_cmd -->|enables| action_persistence
        action_persistence -->|creates| task_scheduled
        action_persistence -->|runs| script_gservices
        action_persistence -->|communicates with| action_c2
        action_c2 -->|uses| data_google_sheets
        data_google_sheets -->|over| protocol_https
        action_c2 -->|employs| technique_dead_drop
        action_c2 -->|fallback to| backup_firebase
        action_c2 -->|fallback to| backup_gcs
        action_c2 -->|encrypts traffic via| encryption_tripledes
        action_c2 -->|establishes| encryption_channel
        action_c2 -->|issues| action_discovery
        action_discovery -->|runs| command_whoami
        action_discovery -->|runs| command_enum_domains
        action_c2 -->|receives commands for| action_execution
        action_execution -->|executes via PowerShell| process_powershell
        action_execution -->|executes via hidden cmd| process_hidden_cmd
        action_c2 -->|requires| cloud_account_creation
        cloud_account_creation -->|provides infrastructure for| data_google_sheets
        cloud_account_creation -->|provides infrastructure for| backup_firebase
        cloud_account_creation -->|provides infrastructure for| backup_gcs
        action_execution -->|uses| action_defense_evasion
        action_defense_evasion -->|applies| technique_hidden_fs

Detections

Download or Upload via Powershell (via cmdline)

SOC Prime Team
29 Jan 2026

Microsoft Graph API Domain Resolved By Unusual Process (via dns_query)

SOC Prime Team
29 Jan 2026

Suspicious Files in Public User Profile (via file_event)

SOC Prime Team
29 Jan 2026

Suspicious GNU Wget Execution Attempt (via cmdline)

SOC Prime Team
29 Jan 2026

Call Suspicious .NET Methods from Powershell (via powershell)

SOC Prime Team
29 Jan 2026

Suspicious Execution from Public User Profile (via process_creation)

SOC Prime Team
29 Jan 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)

SOC Prime Team
29 Jan 2026

Suspicious Extracted Files from an Archive (via file_event)

SOC Prime Team
29 Jan 2026

IOCs (SourceIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (HashMd5) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (DestinationIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (HashSha1) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (HashSha256) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

Detection of PowerShell Commands for SHEETCREEP and FIREPOWER Backdoor Deployment [Windows Powershell]

SOC Prime AI Rules
29 Jan 2026

Detection of SHEETCREEP and FIREPOWER Backdoor C2 Communication [Windows Network Connection]

SOC Prime AI Rules
29 Jan 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Stage the malicious PNG:
      • The attacker creates a PNG file (details.png) that actually contains a compiled .NET assembly byte stream, but with its bytes reversed to evade static analysis.
    2. Launch PowerShell in hidden mode to load the assembly:
      • The attacker runs PowerShell with -WindowStyle Hidden -Command and a one-liner that reads the reversed bytes, restores the correct order, loads the assembly via [System.Reflection.Assembly]::Load(), and invokes a known entry point (Task10.Program::MB()).
    3. Alternative LNK-based FIREPOWER deployment:
      • A crafted .lnk shortcut executes powershell.exe with --headless -e (encoded script) to fetch and run a remote PowerShell backdoor.

    These steps exactly match the strings the Sigma rule is looking for, ensuring the alert fires.

  • Regression Test Script:

    # -------------------------------------------------
    # SHEETCREEP payload simulation – reproduces the exact command line
    # -------------------------------------------------

    # 1. Create a dummy .NET assembly that exposes the Task10.Program::MB entry point the
    #    loader calls, and compile it. The source is assembled from single-quoted lines so
    #    the block works regardless of indentation (a here-string would not).
    $source = @(
        'using System;',
        'namespace Task10 {',
        '    public class Program {',
        '        public static void MB() { Console.WriteLine("Payload executed"); }',
        '    }',
        '}'
    ) -join "`r`n"
    $tempDir = Join-Path $env:TEMP 'sheetcreep'
    New-Item -ItemType Directory -Force -Path $tempDir | Out-Null
    $csFile  = Join-Path $tempDir 'Task10.cs'
    $dllFile = Join-Path $tempDir 'Task10.dll'
    $source | Set-Content -Path $csFile -Encoding UTF8

    # Compile with the C# compiler that ships in the .NET Framework 4.x runtime directory
    $cscPath = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\csc.exe'
    & $cscPath /nologo /target:library /out:$dllFile $csFile
    if ($LASTEXITCODE -ne 0) { throw "csc.exe failed with exit code $LASTEXITCODE" }

    # 2. Read the DLL bytes, reverse them, and write them out as details.png
    $bytes    = [IO.File]::ReadAllBytes($dllFile)
    $revBytes = [byte[]]($bytes[($bytes.Length-1)..0])
    $pngPath  = Join-Path $tempDir 'details.png'
    [IO.File]::WriteAllBytes($pngPath, $revBytes)

    # 3. Execute the exact malicious PowerShell command line (this will fire the rule).
    #    The command is a single-quoted string, so $b stays literal for the child process and
    #    '' yields one quote; the type name is single-quoted as well, because a double quote
    #    inside -Command "..." would terminate the argument early.
    $maliciousCmd = '-WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes(''details.png'');' +
                    '([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(''Task10.Program'')::MB())"'

    # -WorkingDirectory lets the relative details.png resolve; -NoNewWindow is not used because
    # Start-Process rejects it in combination with -WindowStyle (they belong to different parameter sets).
    Start-Process -FilePath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
                  -ArgumentList $maliciousCmd `
                  -WorkingDirectory $tempDir `
                  -WindowStyle Hidden

    # Cleanup (optional, run after verification)
    # Remove-Item -Recurse -Force $tempDir
  • Cleanup Commands:

    # Remove temporary files and directories created for the test
    $tempDir = Join-Path $env:TEMP 'sheetcreep'
    if (Test-Path $tempDir) {
        Remove-Item -Recurse -Force $tempDir
    }