SHEETCREEP RAT Exploits Google Sheets API to Target Diplomats

A newly identified remote access trojan (RAT) named SHEETCREEP is leveraging Google Sheets as a covert command-and-control (C2) channel to infiltrate diplomatic organizations. This C#-based malware employs sophisticated social engineering tactics and advanced evasion techniques to compromise targeted systems.

The attack begins with a phishing email masquerading as an official document related to the “UAE-India Strategic Partnership Week.” The email carries an ISO file containing a shortcut disguised as a PDF. When opened, this shortcut launches the malicious dropper, exploiting the trust associated with government-themed communications.

Upon execution, SHEETCREEP installs itself as ‘vaultsvc.exe’ within the legitimate Windows Credential Vault directory. Despite its compact size of approximately 20 KB, the RAT is fully capable of executing commands, collecting data, and transmitting information back to the attackers via Google Sheets. It generates a unique identifier for each victim by combining the username, machine name, and a four-character hash, which it uses to create a dedicated tab in the attacker’s Google Sheet.

Communication between the infected system and the attacker occurs through the Google Sheets API over HTTPS, making the traffic indistinguishable from regular Google Workspace activity. Commands are inserted into one column of the spreadsheet, and responses are recorded in another, with all data encoded in Base64. To further obfuscate its operations, the C2 configuration strings, including the spreadsheet ID and service account email, are XOR-encrypted with the key “discrete” and decrypted only at runtime, complicating static analysis efforts.
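Two of the analysis steps this description implies, written as an added example rather than code from the original report or from the malware itself: decrypting a repeating-key XOR configuration string with the reported key “discrete”, and decoding the Base64 command/response cells exported from a victim tab. The spreadsheet ID and the tab rows below are constructed placeholders, not real SHEETCREEP artifacts.

```python
import base64
import binascii
from typing import Optional

# Key the report gives for the XOR-encrypted C2 configuration strings.
XOR_KEY = b"discrete"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_config(blob: bytes, key: bytes = XOR_KEY) -> str:
    """Decode one configuration string the way the RAT does at runtime."""
    return xor_with_key(blob, key).decode("utf-8", errors="replace")


def decode_cell(cell: str) -> Optional[str]:
    """Decode one Base64 cell; None for an empty cell or one that is not valid Base64."""
    cell = cell.strip()
    if not cell:
        return None  # empty response column: the command has not been answered yet
    try:
        return base64.b64decode(cell, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_tab(rows: list) -> list:
    """Pair each command cell with its response cell, keeping the raw value for triage."""
    out = []
    for cmd_cell, resp_cell in rows:
        out.append({
            "command": decode_cell(cmd_cell),
            "response": decode_cell(resp_cell),
            "raw_command": cmd_cell,
        })
    return out


# Constructed sample data (not real artifacts): a placeholder spreadsheet ID
# encrypted with the reported key, and a two-row export of a victim tab.
SAMPLE_BLOB = xor_with_key(b"PLACEHOLDER_SPREADSHEET_ID")
SAMPLE_ROWS = [
    (base64.b64encode(b"whoami").decode(), base64.b64encode(b"corp\\analyst").decode()),
    ("not base64!", ""),  # malformed command cell, response still pending
]

if __name__ == "__main__":
    print("recovered config:", recover_config(SAMPLE_BLOB))
    for row in decode_tab(SAMPLE_ROWS):
        print(row)
```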

Security researchers have identified 91 active victim tabs within the attacker’s Google Sheet, 17 of which appear to be genuine targets running on physical hardware. Notably, a high-confidence target was confirmed in Islamabad, Pakistan, indicating how deeply the malware has penetrated its victim network.

Analysts attribute this campaign to APT36, also known as Transparent Tribe, a Pakistan-aligned group with a history of targeting Indian government and military institutions. The current iteration of SHEETCREEP demonstrates significant advancements over previous versions, including the replacement of plaintext configuration settings with XOR-encrypted strings decoded only at runtime, enhancing its stealth capabilities.

The use of trusted platforms like Google Sheets for C2 communication underscores a growing trend among threat actors to exploit legitimate services to evade detection. This tactic not only complicates the identification of malicious activity but also challenges traditional security measures that rely on recognizing suspicious network traffic.

Organizations, particularly those in the diplomatic sector, must remain vigilant against such sophisticated threats. Implementing robust email filtering, educating staff on recognizing phishing attempts, and monitoring for unusual API activity are crucial steps in mitigating the risk posed by advanced malware like SHEETCREEP.

The evolution of SHEETCREEP highlights the persistent and adaptive nature of cyber threats. As attackers continue to refine their methods, leveraging legitimate services to mask their activities, it becomes imperative for security strategies to evolve in tandem. Continuous monitoring, threat intelligence sharing, and proactive defense mechanisms are essential in staying ahead of such sophisticated adversaries.