APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

Zscaler ThreatLabz analyzed the Sheet Attack campaign and identified three new backdoors—SHEETCREEP, FIREPOWER, and MAILCREEP—that abuse Google Sheets, Firebase, and Microsoft Graph API for C2 while using PDF and LNK lures to target Indian government entities. The report also documents signs of generative AI use in malware development and assesses with medium confidence a Pakistan-linked origin or connection to APT36. #SHEETCREEP #APT36

Keypoints

  • ThreatLabz discovered three backdoors used in the Sheet Attack campaign: SHEETCREEP (C# .NET using Google Sheets C2), FIREPOWER (PowerShell using Firebase Realtime Database), and MAILCREEP (Golang using Microsoft Graph API).
  • Initial infection vectors included PDF lures linking to ZIP archives and malicious LNK files that executed PowerShell to fetch and run payloads; geographic and User-Agent checks restricted delivery to Windows systems in India.
  • SHEETCREEP loads a reversed .NET binary from a PNG file, decrypts an embedded TripleDES configuration with Google Cloud credentials and a Google Sheet ID, polls the sheet for encrypted commands, and executes them via a hidden cmd.exe process.
  • FIREPOWER polls a Firebase Realtime Database for per-victim keys and flags (status, eStatus, comStatus) to download files or execute commands, with variants adding persistence, faster polling, and testing artifacts.
  • Selected victims received additional payloads including a PowerShell document stealer (exfiltrating files to a private GitHub repo) and MAILCREEP, which manipulates mailboxes in an Azure tenant for C2.
  • Multiple high-confidence artifacts (emojis in error messages, verbose AI-style comments, non-ASCII characters) point to generative AI-assisted development, while typos and repeated operator typos indicate hands-on-keyboard activity.
  • ThreatLabz assesses with medium confidence the campaign originates from a Pakistan-linked actor or a subgroup related to APT36, based on victimology, tooling overlap, timezone indicators, and TTP similarities and differences.

MITRE Techniques

  • [T1583.001 ] Resource Development, Acquire Infrastructure: Domains – hciaccounts[.]in was acquired to serve the initial payload. ‘hciaccounts[.]in was acquired to serve the initial payload.’
  • [T1583.006 ] Resource Development, Acquire Infrastructure: Web Services – Used Google Sheets, Firebase, and Google Cloud Storage for C2 and backup configurations. ‘The threat actor used Google Sheets as a C2 channel, and also used a Firebase URL and Google Cloud Storage URL to host backup configurations.’
  • [T1585.003 ] Resource Development, Establish Accounts: Cloud Accounts – Created Google accounts to operate Google Sheets and Firebase-based C2. ‘The threat actor created Google accounts to use Google Sheets for C2 and Firebase/Google Cloud Storage for backup configurations.’
  • [T1587.001 ] Resource Development, Develop Capabilities: Malware – Developed custom backdoors SHEETCREEP, FIREPOWER, and MAILCREEP. ‘The threat actor developed custom malware such as the SHEETCREEP .NET backdoor.’
  • [T1588.007 ] Resource Development, Obtain Capabilities: Artificial Intelligence – Evidence of generative AI use in code (emojis, verbose AI-like comments). ‘The threat actor used generative AI tools during the development of the SHEETCREEP backdoor, as suggested by the use of emojis in its error-handling code.’
  • [T1608.001 ] Resource Development, Stage Capabilities: Upload Malware – Staged a ZIP archive (Documents.zip) on a threat actor-controlled site for distribution. ‘The threat actor staged the initial payload by uploading a ZIP archive (Documents.zip) containing the SHEETCREEP backdoor to a threat actor-controlled site (hxxps[:]//hciaccounts[.]in/Documents.zip).’
  • [T1566.002 ] Initial Access, Phishing: Spearphishing Link – PDFs contained a ‘Download Document’ button linking to the malicious ZIP payload. ‘The threat actor used phishing PDFs which contained a ‘Download Document’ button that linked to a malicious ZIP archive.’
  • [T1059.001 ] Execution, Command and Scripting Interpreter: PowerShell – Malicious LNK executed a base64 PowerShell command to load and run a script from a C2 server. ‘a malicious LNK file executed a PowerShell command to read a file named details.png, reverse its bytes, and load it as a .NET assembly.’
  • [T1059.003 ] Execution, Command and Scripting Interpreter: Windows Command Shell – SHEETCREEP executes commands via a hidden cmd.exe process. ‘The SHEETCREEP backdoor executes commands using a hidden cmd.exe process.’
  • [T1129 ] Execution, Shared Modules – PowerShell used to load a malicious .NET DLL via reflection. ‘The threat actor used a PowerShell command to load a malicious .NET DLL using [System.Reflection.Assembly]::Load().’
  • [T1204.001 ] Execution, User Execution: Malicious Link – User had to click the PDF ‘Download Document’ button to download the malicious ZIP. ‘The Sheet Attack campaign required a user to click a ‘Download Document’ button to download a malicious ZIP archive.’
  • [T1204.002 ] Execution, User Execution: Malicious File – Victim executed a malicious LNK file to start the infection chain. ‘The victim was required to execute a malicious LNK file to initiate the infection chain.’
  • [T1053.005 ] Persistence, Scheduled Task/Job: Scheduled Task – Dropped GServices.vbs and registered a scheduled task to persistently run SHEETCREEP. ‘The initial payload dropped a loader script, GServices.vbs, and registered it as a scheduled task to persistently execute the SHEETCREEP backdoor.’
  • [T1140 ] Defense Evasion, Deobfuscate/Decode Files or Information – LNK reverses bytes to reconstruct and load a .NET assembly; SHEETCREEP uses TripleDES for config. ‘The initial LNK file reverses bytes to restore and load a .NET assembly. The SHEETCREEP backdoor uses TripleDES to encrypt its configuration.’
  • [T1564.003 ] Defense Evasion, Hide Artifacts: Hidden Window – LNK executes PowerShell with -WindowStyle Hidden; SHEETCREEP creates a hidden cmd.exe. ‘The malicious LNK file uses the command powershell.exe -WindowStyle Hidden … The SHEETCREEP backdoor creates a hidden cmd.exe process in the background.’
  • [T1036.008 ] Defense Evasion, Masquerading: Masquerade File Type – .NET binary disguised with a PNG extension (details.png). ‘The initial payload is a .NET binary disguised with a PNG extension.’
  • [T1620 ] Defense Evasion, Reflective Code Loading – Used [System.Reflection.Assembly]::Load() to reflectively load the .NET assembly. ‘A malicious LNK file used [System.Reflection.Assembly]::Load() to reflectively load a .NET assembly.’
  • [T1027.013 ] Defense Evasion, Obfuscated Files or Information: Encrypted/Encoded File – SHEETCREEP uses TripleDES to encrypt configuration. ‘The SHEETCREEP backdoor uses TripleDES to encrypt its configuration.’
  • [T1027.015 ] Defense Evasion, Obfuscated Files or Information: Compression – Initial payload delivered as a ZIP archive (Document.zip). ‘The initial payload was delivered as a ZIP archive, Document.zip.’
  • [T1033 ] Discovery, System Owner/User Discovery – Backdoor executed whoami and gathered user/domain info. ‘The threat actor executed the whoami command as part of post-compromise user reconnaissance activities.’
  • [T1087.002 ] Discovery, Account Discovery: Domain Account – SHEETCREEP derived victim ID using domain and username (format ==). ‘The SHEETCREEP backdoor discovered the victim’s domain and username to generate a victim ID in the format ==.’
  • [T1530 ] Collection, Data from Cloud Storage – SHEETCREEP retrieves backup configs from Firebase and Google Cloud Storage. ‘The SHEETCREEP backdoor contains code to retrieve backup configurations from a Firebase URL and a Google Cloud Storage URL.’
  • [T1560.002 ] Collection, Archive Collected Data: Archive via Library – SHEETCREEP encrypts command output using .NET System.Security.Cryptography TripleDES. ‘The SHEETCREEP backdoor encrypts the output of executed commands using the TripleDES implementation from .NET’s System.Security.Cryptography library.’
  • [T1071.001 ] Command and Control, Application Layer Protocol: Web Protocols – SHEETCREEP uses Google Sheets API over HTTPS for C2. ‘The SHEETCREEP backdoor uses the Google Sheets API over HTTPS for its C2.’
  • [T1102.001 ] Command and Control, Web Service: Dead Drop Resolver – Backups hosted on Firebase and Google Cloud Storage used as alternate configuration sources. ‘The SHEETCREEP backdoor retrieved its C2 configuration from backups hosted on legitimate web services, such as Firebase and Google Cloud Storage.’
  • [T1102.002 ] Command and Control, Web Service: Bidirectional Communication – Google Sheets used as a bidirectional C2 channel for commands and responses. ‘The SHEETCREEP backdoor uses Google Sheet as a bidirectional C2 channel.’
  • [T1573.001 ] Command and Control, Encrypted Channel: Symmetric Cryptography – SHEETCREEP uses TripleDES to encrypt configs and commands. ‘The SHEETCREEP backdoor used TripleDES to encrypt its configuration, as well as commands sent and received from its C2.’
  • [T1132.001 ] Command and Control, Data Encoding: Standard Encoding – Encrypted output is Base64-encoded before writing to Google Sheets. ‘The SHEETCREEP backdoor Base64-encoded the encrypted output from executed commands before writing the data to its Google Sheets C2.’
  • [T1665 ] Command and Control, Hide Infrastructure – Payload server filtered requests by IP/geolocation and User-Agent to only deliver payloads to Indian Windows hosts. ‘The server hosting the malicious payloads would only respond to requests originating from IP addresses in India and having a User-Agent header indicating a Windows platform.’
  • [T1008 ] Command and Control, Fallback Channels – SHEETCREEP uses backup configurations from Firebase and Google Cloud Storage if primary C2 fails. ‘The SHEETCREEP backdoor was designed to use backup configurations from a Firebase URL and a Google Cloud Storage URL if the primary C2 configuration fails.’
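The execution and persistence entries above (hidden-window PowerShell, base64 command, reflective load of a .NET assembly from a .png, and a scheduled task running GServices.vbs) translate directly into host detection logic. The following is an added example, not code from the report or from Zscaler: it runs over constructed Sysmon-style process-creation events and assumes the base64 command was passed via -EncodedCommand and that the task was registered with schtasks.exe; the task name and file path in the sample are placeholders.

```python
"""Flag process-creation events matching the Sheet Attack LNK -> PowerShell chain."""
import base64
import json
import re

# Indicators drawn from the report: hidden PowerShell window, a base64 command that
# reflectively loads a .NET assembly from a .png, and a scheduled task running a .vbs.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
REFLECT_RE = re.compile(r"Reflection\.Assembly\]::Load\(", re.I)
PNG_RE = re.compile(r"\.png\b", re.I)
TASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create.*\.vbs", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""

def classify(event):
    """Return the list of reasons an event resembles the SHEETCREEP delivery chain."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    reasons = []
    if image.endswith("powershell.exe"):
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window")
        decoded = decode_encoded_command(cmd)
        if REFLECT_RE.search(decoded) and PNG_RE.search(decoded):
            reasons.append("reflective load from .png in encoded command")
    if image.endswith("schtasks.exe") and TASK_RE.search(cmd):
        reasons.append("scheduled task launching a .vbs")
    return reasons

def scan(lines):
    """Return (ProcessId, reasons) for every JSON event line with at least one hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits

# Constructed sample telemetry (not real events). The encoded script is a stand-in
# that only carries the indicator strings; it is not the loader itself.
_DECODED = "# constructed stand-in\n$p='details.png';[System.Reflection.Assembly]::Load($null)"
_ENC = base64.b64encode(_DECODED.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 4120, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"}),
    json.dumps({"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": f"powershell.exe -WindowStyle Hidden -EncodedCommand {_ENC}"}),
    json.dumps({"ProcessId": 4200, "Image": r"C:\Windows\System32\schtasks.exe",
                "CommandLine": r'schtasks.exe /create /tn GServices /tr "wscript.exe C:\Users\Public\GServices.vbs" /sc minute'}),
    json.dumps({"ProcessId": 4300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}),
]
```

Pairing the PowerShell hit with its parent process (explorer.exe for a clicked LNK) in a real query lowers the false-positive rate further; the sample keeps only the fields needed for the string checks.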

Indicators of Compromise

  • [File Hash ] Malware and dropper samples – 87c7d69c… (details.png), 62a23220… (GServices.vbs), and 18 more hashes.
  • [File Name ] Dropper and lure filenames observed – Document.zip (archive containing SHEETCREEP), AttachmentLetter.LNK (LNK launcher), Pay.pdf (phishing PDF).
  • [Domain ] Payload-hosting and C2 domains – hciaccounts[.]in (Documents.zip hosting), hcidoc[.]in (payload hosting), and other payload-hosting domains like hcisupport[.]in, hcidelhi[.]in.
  • [C2 URLs / Web Services ] Google Sheets and Firebase C2 endpoints – https://docs.google[.]com/spreadsheets/d/1wgx4gj3-YGGA… (Google Sheets C2), https://webdevurl-cc389-default-rtdb.firebaseio[.]com (FIREPOWER Firebase C2).
  • [IP Address ] Download server and public DNS check – 15.207.85[.]170 (hciaccounts[.]in download IP), 8.8.8.8 (Google public DNS used by MAILCREEP connectivity check).


Read more: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and