APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
Summary
The report covers the Sheet Attack operation, which deployed three custom backdoors (SHEETCREEP, FIREPOWER, and MAILCREEP) to compromise Indian government organizations. The implants relied on legitimate cloud platforms for command and control, including Google Sheets, Firebase Realtime Database, and the Microsoft Graph API, which helped the activity blend into normal SaaS traffic. The analysis also notes artifacts consistent with the developers using generative AI to assist with code production. The campaign is assessed as likely linked to a Pakistan-based subgroup of APT36.
Investigation
ThreatLabz conducted dynamic and static analysis of the backdoors, documenting persistence methods, C2 workflows, and data exfiltration behavior. The team also mapped the supporting infrastructure, observed geography- and User-Agent-based filtering, and captured code-level indicators that suggest AI-assisted code generation.
Mitigation
Implement layered detections for suspicious PDF/LNK delivery chains and monitor scheduled tasks that launch PowerShell or VBS. Apply strict egress controls and anomaly monitoring for cloud services commonly abused as C2, including Google Sheets, Firebase, and Microsoft Graph. Use hash-based blocking for known payloads and block the identified malicious domains and IP addresses.
Response
When detected, isolate the endpoint, terminate the hidden cmd.exe and PowerShell activity, remove the related scheduled tasks, and delete the backdoor binaries. Preserve and review Google Sheets-based C2 logs and Firebase artifacts, then hunt for other hosts in the environment exhibiting the same indicators.
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef process fill:#ffdd99
  classDef file fill:#ffcccc
  classDef data fill:#e6e6ff
  classDef protocol fill:#d9ead3
  classDef technique fill:#ffd966

  %% Nodes - Initial Access
  action_phishing["<b>Action</b> - <b>T1204.001 User Execution: Malicious Link</b><br/>The victim clicks a malicious link inside a PDF"]
  class action_phishing action
  file_phishing_pdf["<b>File</b> - <b>Name</b>: Phishing PDF<br/><b>Technique</b>: T1204.001"]
  class file_phishing_pdf file
  file_malicious_lnk["<b>File</b> - <b>Name</b>: Malicious LNK<br/><b>Technique</b>: T1204.002 User Execution: Malicious File"]
  class file_malicious_lnk file
  process_powershell["<b>Process</b> - <b>Name</b>: PowerShell<br/><b>Technique</b>: T1059.001 Command and Scripting Interpreter"]
  class process_powershell process
  file_dotnet_assembly["<b>File</b> - <b>Name</b>: .NET assembly disguised as PNG<br/><b>Techniques</b>: T1620 Reflective Code Loading, T1036.008 Masquerade File Type"]
  class file_dotnet_assembly file
  process_hidden_cmd["<b>Process</b> - <b>Name</b>: Hidden cmd.exe<br/><b>Technique</b>: T1059.003 Windows Command Shell"]
  class process_hidden_cmd process

  %% Nodes - Persistence
  action_persistence["<b>Action</b> - Persistence Setup"]
  class action_persistence action
  task_scheduled["<b>Technique</b> - T1053 Scheduled Task"]
  class task_scheduled technique
  script_gservices["<b>File</b> - <b>Name</b>: GServices.vbs<br/><b>Purpose</b>: Recurring execution"]
  class script_gservices file

  %% Nodes - Command and Control
  action_c2["<b>Action</b> - Command and Control"]
  class action_c2 action
  data_google_sheets["<b>Data Store</b> - Google Sheets<br/><b>Technique</b>: T1102.002 Web Service: Spreadsheet"]
  class data_google_sheets data
  protocol_https["<b>Protocol</b> - HTTPS<br/><b>Technique</b>: T1071.001 Web Protocols"]
  class protocol_https protocol
  technique_dead_drop["<b>Technique</b> - T1102.001 Dead Drop Resolver"]
  class technique_dead_drop technique
  backup_firebase["<b>Data Store</b> - Firebase URL<br/><b>Fallback</b>: C2 channel"]
  class backup_firebase data
  backup_gcs["<b>Data Store</b> - Google Cloud Storage<br/><b>Fallback</b>: C2 channel"]
  class backup_gcs data
  encryption_tripledes["<b>Technique</b> - T1027 Obfuscated/Encrypted Files or Information (TripleDES)"]
  class encryption_tripledes technique
  encryption_channel["<b>Technique</b> - T1573 Encrypted Channel"]
  class encryption_channel technique

  %% Nodes - Discovery
  action_discovery["<b>Action</b> - Discovery"]
  class action_discovery action
  command_whoami["<b>Command</b> - whoami<br/><b>Technique</b>: T1033 System Owner/User Discovery"]
  class command_whoami technique
  command_enum_domains["<b>Command</b> - Enumerate domain accounts<br/><b>Technique</b>: T1087.002 Domain Account"]
  class command_enum_domains technique

  %% Nodes - Execution of Commands
  action_execution["<b>Action</b> - Execute Received Commands"]
  class action_execution action

  %% Nodes - Cloud Account Creation
  cloud_account_creation["<b>Action</b> - Create Google Cloud Account<br/><b>Technique</b>: T1136.003 Cloud Account"]
  class cloud_account_creation action

  %% Nodes - Defense Evasion
  action_defense_evasion["<b>Action</b> - Defense Evasion"]
  class action_defense_evasion action
  technique_hidden_fs["<b>Technique</b> - T1564.005 Hidden Files and Directories"]
  class technique_hidden_fs technique

  %% Connections - Flow
  action_phishing -->|delivers| file_phishing_pdf
  file_phishing_pdf -->|contains link to| file_malicious_lnk
  file_malicious_lnk -->|executes| process_powershell
  process_powershell -->|loads via reflection| file_dotnet_assembly
  file_dotnet_assembly -->|spawns| process_hidden_cmd
  process_hidden_cmd -->|enables| action_persistence
  action_persistence -->|creates| task_scheduled
  action_persistence -->|runs| script_gservices
  action_persistence -->|communicates with| action_c2
  action_c2 -->|uses| data_google_sheets
  data_google_sheets -->|via| protocol_https
  action_c2 -->|employs| technique_dead_drop
  action_c2 -->|falls back to| backup_firebase
  action_c2 -->|falls back to| backup_gcs
  action_c2 -->|encrypts traffic via| encryption_tripledes
  action_c2 -->|establishes| encryption_channel
  action_c2 -->|issues| action_discovery
  action_discovery -->|runs| command_whoami
  action_discovery -->|runs| command_enum_domains
  action_c2 -->|receives commands for| action_execution
  action_execution -->|runs via PowerShell| process_powershell
  action_execution -->|runs via hidden cmd| process_hidden_cmd
  action_c2 -->|requires| cloud_account_creation
  cloud_account_creation -->|provides infrastructure for| data_google_sheets
  cloud_account_creation -->|provides infrastructure for| backup_firebase
  cloud_account_creation -->|provides infrastructure for| backup_gcs
  action_execution -->|uses| action_defense_evasion
  action_defense_evasion -->|applies| technique_hidden_fs
Attack Flow
Detections
- Download or Upload via Powershell (via cmdline)
- Microsoft Graph API Domain Resolved By Unusual Process (via dns_query)
- Suspicious Files in Public User Profile (via file_event)
- Suspicious GNU Wget Execution Attempt (via cmdline)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Suspicious Execution from Public User Profile (via process_creation)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Suspicious Extracted Files from an Archive (via file_event)
- IOCs (SourceIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (HashMd5) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (DestinationIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (HashSha1) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (HashSha256) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- Detection of PowerShell Commands for SHEETCREEP and FIREPOWER Backdoor Deployment [Windows Powershell]
- Detection of SHEETCREEP and FIREPOWER Backdoor C2 Communication [Windows Network Connection]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Stage the malicious PNG: the attacker creates a PNG file (details.png) that actually contains a compiled .NET assembly byte stream, with its bytes reversed to evade static analysis.
- Launch PowerShell in hidden mode to load the assembly: the attacker runs PowerShell with -WindowStyle Hidden -Command and a one-liner that reads the reversed bytes, restores the correct order, loads the assembly via [System.Reflection.Assembly]::Load(), and invokes a known entry point (Task10.Program::MB()).
- Alternative LNK-based FIREPOWER deployment: a crafted .lnk shortcut executes powershell.exe with --headless -e (encoded script) to fetch and run a remote PowerShell backdoor.
These steps exactly match the strings the Sigma rule is looking for, ensuring the alert fires.
Regression Test Script:
# -------------------------------------------------
# SHEETCREEP payload simulation - reproduces the exact command line
# -------------------------------------------------
# 1. Create a dummy .NET assembly exposing the Task10.Program::MB() entry point the one-liner invokes, and compile it
$source = @"
using System;
namespace Task10 {
    public class Program {
        public static void MB() { Console.WriteLine("Payload executed"); }
    }
}
"@
$tempDir = Join-Path $env:TEMP "sheetcreep"
New-Item -ItemType Directory -Force -Path $tempDir | Out-Null
$csFile = Join-Path $tempDir "Task10.cs"
$dllFile = Join-Path $tempDir "Task10.dll"
$source | Set-Content -Path $csFile -Encoding UTF8
# Compile using csc (assumes .NET Framework SDK installed)
$cscPath = Join-Path $env:WINDIR "Microsoft.NET\Framework64\v4.0.30319\csc.exe"
& $cscPath /nologo /target:library /out:$dllFile $csFile
# 2. Read the DLL bytes, reverse them, and write to a .png file
$bytes = [IO.File]::ReadAllBytes($dllFile)
$revBytes = $bytes[($bytes.Length-1)..0]
$pngPath = Join-Path $tempDir "details.png"
[IO.File]::WriteAllBytes($pngPath, $revBytes)
# 3. Execute the exact malicious PowerShell command line (this will fire the rule)
#    String literals inside the one-liner use single quotes so the -Command argument stays one double-quoted token
$maliciousCmd = '-WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes(''details.png'');' +
    '([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(''Task10.Program'')::MB())"'
#    Run from $tempDir so the relative details.png path resolves; -WindowStyle and -NoNewWindow cannot be combined
Start-Process -FilePath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -ArgumentList $maliciousCmd `
    -WorkingDirectory $tempDir `
    -WindowStyle Hidden
# Cleanup (optional, run after verification)
# Remove-Item -Recurse -Force $tempDir
Cleanup Commands:
# Remove temporary files and directories created for the test
$tempDir = Join-Path $env:TEMP "sheetcreep"
if (Test-Path $tempDir) { Remove-Item -Recurse -Force $tempDir }
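As a defender-side complement to the simulation above, the following added example (not ThreatLabz's or this page's code) triages a file that claims to be a PNG and reports whether it is really a byte-reversed PE, and checks a process command line for the loader strings the narrative describes. The MZ/PE stub it builds is constructed for the demo and is not a real sample.

```python
# Added example: file-level triage for the SHEETCREEP loader trick (a byte-reversed
# .NET assembly stored under a .png name) plus a command-line indicator check.
# The MZ/PE bytes built below are a constructed header stub, not a real binary.
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and carries a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_png_candidate(data: bytes) -> str:
    """Classify a file claiming to be PNG: 'png', 'pe', 'reversed-pe' or 'unknown'."""
    if data[:8] == PNG_MAGIC:
        return "png"
    if looks_like_pe(data):
        return "pe"            # plain masquerade (T1036.008): executable bytes in order
    if looks_like_pe(data[::-1]):
        return "reversed-pe"   # the trick in this report: bytes stored back to front
    return "unknown"

# Strings the described one-liner leaves in the PowerShell process command line
LOADER_TOKENS = ("-WindowStyle Hidden", "ReadAllBytes",
                 "Reflection.Assembly]::Load", ".Length-1)..0")

def cmdline_indicators(cmdline: str) -> list:
    """Return the loader tokens present in a command line (case-insensitive match)."""
    low = cmdline.lower()
    return [t for t in LOADER_TOKENS if t.lower() in low]

def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub for the demo; not a runnable binary."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 64

if __name__ == "__main__":
    staged = build_fake_pe()[::-1]  # what the simulation writes to details.png
    print("details.png ->", classify_png_candidate(staged))
    sample_cmd = ("-WindowStyle Hidden -Command \"$b=[IO.File]::ReadAllBytes('details.png');"
                  "([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0]))"
                  ".GetType('Task10.Program')::MB())\"")
    print("cmdline indicators ->", cmdline_indicators(sample_cmd))
```

Point classify_png_candidate at the bytes of the staged details.png to confirm the simulation produced a reversed PE before checking whether the Sigma rule fired.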