
SHEETCREEP: How Pakistani Government's Custom Malware Operation Collapsed Due to Critical Security Flaw
Introduction
State-sponsored cyber operations are usually assumed to be the most disciplined and stealthy activity in the threat landscape. A recently discovered malware campaign dubbed SHEETCREEP, allegedly developed by the Pakistani government to target high-profile Indian military and political personnel, cuts against that assumption: the operation is notable less for its ambition than for the operational security failure that exposed it in full.
SHEETCREEP, analyzed by security researchers at Securonix, is a useful case study in two respects: the use of an ordinary SaaS platform for command and control (C2), and how cheaply a basic operational security mistake can burn an otherwise functional operation.
Overview of the SHEETCREEP Operation
SHEETCREEP is a custom malware campaign allegedly orchestrated by Pakistani government entities to monitor and exfiltrate data from Indian targets. The operation appears to have been timed to coincide with the UAE-India Strategic Partnership Week, suggesting an attempt to gather intelligence during a significant diplomatic event.
The target list recovered from the C2 sheet held 91 individuals deemed important by the operators, including military personnel and political figures in India. That selection shows a clear focus on intelligence gathering within the Indian government and military apparatus rather than opportunistic mass targeting.
Table: SHEETCREEP Operation Overview
| Attribute | Details |
|---|---|
| Malware Name | SHEETCREEP |
| Alleged Developer | Pakistani Government |
| Primary Targets | Indian Military and Political Personnel |
| Number of Targets | 91 individuals |
| Timing | UAE-India Strategic Partnership Week |
Technical Analysis of the SHEETCREEP Malware
The technical execution of SHEETCREEP is a multi-stage infection chain. The initial delivery mechanism is a malicious .lnk (Windows shortcut) file, a common spear-phishing vector because a shortcut can carry an arbitrary command line while presenting a benign name and icon. When the target opens it, the shortcut runs C# code, relying on the .NET Framework that ships with Windows rather than dropping a conventional compiled executable, so no third-party runtime has to be present on the victim machine.
Once running, the malware establishes persistence so that it survives reboots and maintains a long-term presence: registry modifications (an autorun value) and scheduled task creation, both standard entries in the malware playbook. Both also leave well-understood telemetry, namely registry value-set events and schtasks.exe or Task Scheduler log entries, which the detection guidance later in this page relies on.
The most distinctive aspect of SHEETCREEP is its use of Google Sheets as the C2 channel: the implant reads commands from, and writes stolen data to, a spreadsheet through Google's APIs. Because the traffic is ordinary HTTPS to Google-owned endpoints, it blends in with legitimate Workspace usage and does not trip controls that key on connections to unknown or newly registered domains. The flip side for defenders is that the endpoint is fixed and well known, so the anomaly to hunt for is which process on a host is talking to it, and how regularly, rather than where the traffic goes.
Table: SHEETCREEP Technical Components
| Component | Function | Technical Details |
|---|---|---|
| Initial Delivery | Malicious .lnk file | Shortcut file that executes C# code |
| Persistence | System-level persistence | Registry modifications, scheduled tasks |
| C2 Communication | Data exfiltration and command reception | Google Sheets as C2 server |
| Data Exfiltration | Stolen data transfer | Exfiltrated to Google Sheets |
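The chain in the table (shortcut to shell, persistence, Google Sheets polling) as a detection example. This is added code, not from the Securonix write-up or from the malware: it feeds constructed Sysmon-style events (hostnames, paths, task names and command lines are all invented) through one rule per stage, then scores each host by how many stages fired together, which is what makes the combined signal usable when each rule alone is noisy.

```python
"""Detecting a SHEETCREEP-style chain from Sysmon-style endpoint telemetry.

Added example, not Securonix's code. Events are constructed stand-ins for
Sysmon ID 1 (process creation), ID 13 (registry value set) and ID 22 (DNS
query); every hostname, path and task name is invented.
"""
import re
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Flags a lure shortcut usually needs to run unseen.
HIDDEN_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-enc(?:odedcommand)?\s",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
TASK_TARGET = re.compile(r'/tr\s+"?([^"\s]+)', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed telemetry: WS01 is the infected host, WS02 is benign noise.
EVENTS = [
    {"id": 1, "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start /min powershell -w hidden -ep bypass -f %TEMP%\upd.ps1"},
    {"id": 13, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd",
     "details": r"C:\Users\a\AppData\Roaming\svc\upd.exe"},
    {"id": 1, "host": "WS01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "OneDriveUpd" /tr C:\Users\a\AppData\Roaming\svc\upd.exe'},
    {"id": 22, "host": "WS01", "image": r"C:\Users\a\AppData\Roaming\svc\upd.exe",
     "query": "sheets.googleapis.com"},
    {"id": 22, "host": "WS02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "sheets.googleapis.com"},
    {"id": 1, "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"id": 1, "host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query /tn Backup"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_shortcut_shell(ev):
    # Sysmon does not log the .lnk path, so key on Explorer spawning a
    # shell with the hide/bypass flags a lure shortcut needs.
    return (ev["id"] == 1 and basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) in SHELLS
            and HIDDEN_FLAGS.search(ev["cmdline"]) is not None)


def rule_run_key(ev):
    return ev["id"] == 13 and RUN_KEY.search(ev["target"]) is not None


def rule_task_from_user_dir(ev):
    # schtasks /create whose action lives in a user-writable directory.
    if ev["id"] != 1 or basename(ev["image"]) != "schtasks.exe":
        return False
    if "/create" not in ev["cmdline"].lower():
        return False
    m = TASK_TARGET.search(ev["cmdline"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


def rule_sheets_api_nonbrowser(ev):
    # The endpoint is legitimate; the process using it is the anomaly.
    return (ev["id"] == 22 and ev["query"].lower().endswith("sheets.googleapis.com")
            and basename(ev["image"]) not in BROWSERS)


RULES = {
    "lnk_shell_launch": rule_shortcut_shell,
    "run_key_persistence": rule_run_key,
    "schtasks_user_writable": rule_task_from_user_dir,
    "sheets_api_nonbrowser": rule_sheets_api_nonbrowser,
}


def detect(events):
    """Return (host, rule, process) for every event a rule matches."""
    return [(ev["host"], name, basename(ev["image"]))
            for ev in events for name, rule in RULES.items() if rule(ev)]


def score_hosts(alerts):
    """Group fired rules by host so multi-stage hits stand out from one-offs."""
    stages = defaultdict(set)
    for host, name, _ in alerts:
        stages[host].add(name)
    return {h: sorted(s) for h, s in stages.items()}


def triage(stages):
    return {h: "high" if len(s) >= 3 else "medium" if len(s) == 2 else "low"
            for h, s in stages.items()}


if __name__ == "__main__":
    found = score_hosts(detect(EVENTS))
    for host, level in triage(found).items():
        print(host, level, found[host])
```

Each rule on its own would page an analyst for an admin's scheduled task or a developer's hidden PowerShell window; the value is in the correlation, where four stages on one host within a short window is hard to explain benignly.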
The Targeting Strategy
The SHEETCREEP operation demonstrates a focused targeting approach, concentrating on individuals with access to sensitive information within the Indian government and military. The selection of 91 targets suggests a prioritized list based on the perceived value of the intelligence that could be gathered from each individual.
The timing of the operation during the UAE-India Strategic Partnership Week indicates a possible attempt to gather intelligence during a period of heightened diplomatic activity between India and the United Arab Emirates. This timing could provide valuable insights into diplomatic positions and potentially sensitive discussions.
The use of a spear-phishing approach with malicious .lnk files suggests that the attackers had some level of knowledge about their targets, enabling them to craft convincing lures that would likely be opened by the recipients. This level of targeting sophistication indicates a well-planned intelligence gathering operation.
The Critical Operational Security Failure
Despite the creative choice of Google Sheets as a C2 platform, the SHEETCREEP operation was undermined by a critical operational security mistake: the operators hardcoded the identifier of the C2 spreadsheet and embedded the access key for it directly in the malware payload.
This violates a basic rule of implant design: an implant must never carry a credential whose compromise exposes the whole operation. Anything embedded in a sample is available to whoever obtains the sample, and a .NET payload in particular decompiles almost back to source, so the credentials were effectively published along with the malware. Once recovered, they gave access to the entire command infrastructure, including the list of all targets and the data exfiltrated from them.
That is exactly what happened. When researchers examined the code, they found the hardcoded access key and spreadsheet identifier, and with them the complete target list, the scope of the operation and potentially the data already exfiltrated from compromised systems. A SaaS C2 channel makes this failure worse than a self-hosted one: a traditional C2 server can at least be taken offline when a sample is caught, whereas a credential to a shared spreadsheet exposes everything the sheet has ever held until the operators notice and revoke it.
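How little effort that recovery takes is worth showing concretely. The following is added example code, not Securonix's tooling and not the malware: it builds a stand-in for a compiled .NET payload (assumption: the configuration is a string literal, which .NET stores as UTF-16LE in the assembly's string heap) and then does an analyst's first pass, pulling printable runs in both ASCII and UTF-16LE and matching them against the shape of a Google API key (39 characters beginning with "AIza") and a Sheets API URL. The key and spreadsheet ID are made up and invalid by construction.

```python
"""Pulling a hardcoded Google Sheets C2 configuration out of an implant.

Added example, not Securonix's tooling. The blob below is a constructed
stand-in for a .NET payload; the credentials in it are fake. The extractor
itself is generic: it is `strings -a` plus `strings -el` with two regexes.
"""
import re

# Constructed, deliberately invalid values with the right shape.
FAKE_API_KEY = ("AIzaEXAMPLE_NOT_A_REAL_KEY_" + "0" * 39)[:39]
FAKE_SHEET_ID = ("1EXAMPLE_SHEET_ID_NOT_REAL_" + "0" * 44)[:44]

# Google API keys are 39 chars starting "AIza"; spreadsheet IDs are long
# URL-safe tokens that follow /spreadsheets/ in either API or docs URLs.
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")
SHEETS_URL_RE = re.compile(
    r"https://(?:sheets\.googleapis\.com/v4/spreadsheets|docs\.google\.com/spreadsheets/d)"
    r"/([0-9A-Za-z_-]{20,})")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def build_fake_implant() -> bytes:
    """Constructed sample: opaque bytes, an ASCII user agent, and the C2
    configuration embedded as a .NET-style UTF-16LE string literal."""
    junk = bytes(range(256))
    config = (f"https://sheets.googleapis.com/v4/spreadsheets/{FAKE_SHEET_ID}"
              f"/values/Sheet1!A:D?key={FAKE_API_KEY}")
    return (junk + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00" + junk
            + config.encode("utf-16-le") + b"\x00\x00" + junk)


def extract_strings(blob: bytes):
    """Printable runs in ASCII and UTF-16LE, tagged with their encoding.
    Managed-code string literals only show up in the UTF-16LE pass."""
    out = [("ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    out += [("utf-16-le", m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return out


def find_c2_config(blob: bytes) -> dict:
    """Everything an analyst needs to open the operators' sheet themselves."""
    keys, sheets, encodings = set(), set(), set()
    for enc, s in extract_strings(blob):
        for m in API_KEY_RE.finditer(s):
            keys.add(m.group())
            encodings.add(enc)
        for m in SHEETS_URL_RE.finditer(s):
            sheets.add(m.group(1))
            encodings.add(enc)
    return {"api_keys": sorted(keys), "sheet_ids": sorted(sheets),
            "encodings": sorted(encodings)}


if __name__ == "__main__":
    for k, v in find_c2_config(build_fake_implant()).items():
        print(f"{k}: {v}")
```

Two details matter in practice. First, run the UTF-16 pass: a plain `strings` over a .NET binary misses every string literal, which is a common reason a hardcoded key is "not found" on first look. Second, the kind of credential recovered determines the blast radius: an API key alone only reads sheets that are shared by link, while a write-capable implant needs an OAuth or service-account credential, and whichever it is, it was shipped to every victim.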
Table: Operational Security Failures in SHEETCREEP
| Security Failure | Impact | Harder Design (and Its Limit) |
|---|---|---|
| Hardcoded C2 sheet identifier | Complete exposure of the C2 infrastructure from a single sample | Resolve the C2 location at runtime from a rotatable dead drop; still visible to dynamic analysis |
| Embedded access key | Anyone with the sample can read all victim data | Per-victim, minimally scoped, revocable credentials issued after first check-in, so one sample burns one victim, not the operation |
| C2 credentials stored in cleartext | Trivial discovery with `strings` or a decompiler | Encrypt or obfuscate the configuration; this only raises the cost of analysis, since the decryption key must also be on the host |
Implications and Aftermath
The exposure of the SHEETCREEP operation has implications for both cybersecurity and geopolitical relations. For the Pakistani government, if the attribution holds, the complete compromise of the operation is a major intelligence failure: its surveillance capability against these targets is gone, its tooling and methods are documented, and its target list is public.
For the 91 targeted individuals, the revelation that they were being monitored by a foreign government raises serious data security and privacy concerns. It is unclear how many of them were actually compromised, but knowing they were targeted should prompt tighter security measures and changes in communication practices.
The operation also illustrates the growing trend of state-sponsored actors using common platforms like Google Sheets for C2. The approach lets attackers blend in with legitimate traffic and bypass controls that flag communications to unknown servers; the corresponding defensive shift is from blocking destinations to scrutinizing which processes talk to trusted ones.
Expert Commentary
Cybersecurity experts have noted that while the technical implementation of SHEETCREEP shows some creativity, the operational security failures represent a beginner's mistake in the world of advanced persistent threats (APTs).
"The use of Google Sheets as a C2 server is an interesting tactic that demonstrates thinking outside the traditional malware playbook," noted one security researcher who analyzed the malware. "However, the hardcoded credentials represent a catastrophic failure in operational security that completely undermines any technical sophistication the malware might have otherwise demonstrated."
Other experts have suggested that the error may indicate either rushed development or a lack of proper security protocols within the development team responsible for the malware.
Protection Measures
For organizations and individuals potentially targeted by similar operations, security experts recommend several protective measures:
- Email Security: Block or quarantine .lnk attachments at the gateway, including shortcuts inside archives and disk images (ZIP, ISO, IMG), since a Windows shortcut is almost never a legitimate thing to e-mail.
- User Education: Train users to recognize and avoid suspicious emails and attachments, particularly lures tied to current events or diplomatic activities, which is exactly the hook this campaign used.
- Endpoint Protection: Deploy endpoint detection and response (EDR) and alert on the chain this campaign uses: explorer.exe launching cmd.exe or powershell.exe with hidden-window or execution-policy-bypass flags, followed by writes to autorun registry keys or schtasks.exe /create pointing at a binary in a user-writable directory.
- Network Monitoring: Google Sheets API traffic goes to sheets.googleapis.com over TLS, so blocking the domain is rarely viable. Instead, correlate DNS and proxy logs with the originating process and flag non-browser processes, or hosts with no Workspace usage, that contact it, especially at a fixed polling interval.
- Principle of Least Privilege: Run users without local administrator rights and restrict who can create scheduled tasks or write machine-wide autorun locations, so a successful compromise stays confined to one user profile.
Conclusion
The SHEETCREEP operation serves as a cautionary tale in the world of cyber warfare, demonstrating that even well-funded state-sponsored operations can be completely undermined by basic operational security mistakes. The innovative use of Google Sheets as a C2 platform was overshadowed by the critical error of hardcoded credentials, leading to the complete exposure of the operation.
As state-sponsored cyber operations continue to evolve, we can expect to see both increasingly sophisticated techniques and occasional lapses in security that lead to their exposure. The SHEETCREEP case reminds us that in the realm of cyber warfare, technical sophistication alone is not enough—operational security remains paramount.
For the cybersecurity community, the analysis of SHEETCREEP provides valuable insights into the tactics, techniques, and procedures (TTPs) used by state-sponsored actors, helping to develop better defensive measures against similar operations in the future.
> be pakistan government > develop custom malware > used to target high profile targets > used against indian military and political ppl > named SHEETCREEP > send indian ppl file > UAE-India Strategic Partnership Week > malicious .lnk file > .lnk executes malicious c sharp code > does a bunch of stuff for persistence > exfiltrates data to Google Sheets > Google Sheets can be used to control victim pcs > pakistan gov hardcodes google c2 sheet > PAKISTAN GOV HARDCODES GOOGLE C2 SHEET > embed access key in payload > EMBED ACCESS KEY IN PAYLOAD > malware nerds find it > look inside > find all targets from pakistan gov > monitoring 91 ppl they think important THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat/
TechOffice