
Pakistan Government Unveils Ambitious Digital Transformation Strategy


SHEETCREEP: Pakistan's Custom Malware with Fatal Security Flaw

In a striking example of operational security failure, researchers have uncovered a sophisticated custom malware allegedly developed by the Pakistani government to target high-profile Indian military and political personnel. The malware, named SHEETCREEP, represents an innovative approach to cyber espionage but ultimately undermined itself through a critical security oversight.

Discovery of SHEETCREEP

The cybersecurity community recently brought attention to SHEETCREEP, a custom-built malware that appears to be part of a state-sponsored cyber operation against India. The malware was discovered during the UAE-India Strategic Partnership Week, suggesting the campaign may have been timed to coincide with diplomatic events between the two nations.

Researchers from Securonix, a leading cybersecurity firm, identified the malware after analyzing suspicious files sent to Indian targets. The investigation revealed a sophisticated operation with significant technical capabilities, ultimately marred by a fundamental mistake in operational security.

Technical Architecture of SHEETCREEP

SHEETCREEP employs a multi-stage infection process that begins with a malicious .lnk (shortcut) file. When executed, this shortcut launches malicious C# code that establishes persistence on the victim's system. The malware then proceeds to exfiltrate sensitive data to a Google Sheets document, which serves as a command and control (C2) server.

The use of Google Sheets as a C2 server represents an innovative approach that leverages legitimate cloud services for malicious purposes. This technique allows the operators to maintain communication with infected systems while potentially evading traditional security measures that might flag dedicated servers or infrastructure.

Feature             Description
Delivery Method     Malicious .lnk files sent to targets
Execution           Malicious C# code executed via shortcut
Persistence         Multiple mechanisms to maintain access
Data Exfiltration   Sent to Google Sheets document
C2 Communication    Google Sheets used as command and control server
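The evasion point above (C2 traffic hiding inside legitimate Google Sheets usage) is easier to reason about with a concrete detection. The following is an added example, not code from the article or from Securonix: a small Python detector over constructed egress-proxy log lines. It assumes a log format of timestamp, user, originating process, destination host and request path; the process names, document IDs and the browser allowlist are assumptions for illustration. It flags any non-browser process that talks to Google Sheets endpoints, and adds further reasons when the requests arrive at a regular cadence (beaconing) or write data back (an append call).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress-proxy log (not real data). Columns are assumed:
# timestamp, user, originating process image, destination host, request path.
# "svchelper.exe" is a placeholder for a non-browser process; the paths only
# resemble the Sheets v4 API shape.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z alice chrome.exe docs.google.com /spreadsheets/d/1AbCdEf/edit
2024-05-02T09:00:30Z alice notepad.exe update.example.com /check
2024-05-02T09:01:00Z bob svchelper.exe sheets.googleapis.com /v4/spreadsheets/1QwErTy/values/Sheet1!A1:B50
2024-05-02T09:02:00Z bob svchelper.exe sheets.googleapis.com /v4/spreadsheets/1QwErTy/values/Sheet1!A1:B50
2024-05-02T09:03:00Z bob svchelper.exe sheets.googleapis.com /v4/spreadsheets/1QwErTy/values/Sheet1!A1:B50
2024-05-02T09:04:00Z bob svchelper.exe sheets.googleapis.com /v4/spreadsheets/1QwErTy/values/Sheet1:append
2024-05-02T09:05:12Z carol firefox.exe sheets.googleapis.com /v4/spreadsheets/1ZxCvBn/values/Sheet1
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}        # assumed allowlist
SHEETS_HOSTS = {"docs.google.com", "sheets.googleapis.com"}
DOC_ID_RE = re.compile(r"/spreadsheets/(?:d/)?([A-Za-z0-9_-]+)")


def parse_line(line):
    """Split one log line into a dict; timestamps are assumed to be UTC ISO-8601."""
    ts, user, proc, host, path = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "process": proc.lower(), "host": host.lower(), "path": path}


def is_sheets_request(ev):
    """True for requests that address a spreadsheet on either Google host."""
    return ev["host"] in SHEETS_HOSTS and "/spreadsheets/" in ev["path"]


def looks_periodic(times, tolerance=0.2):
    """Three or more requests whose gaps vary by at most 20% of the mean gap."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and (max(gaps) - min(gaps)) <= tolerance * mean


def detect_sheets_c2(log_text):
    """Return one alert per (user, process) pair that reaches Google Sheets
    from something other than a browser, with the reasons and document IDs."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_sheets_request(ev):
            by_actor[(ev["user"], ev["process"])].append(ev)

    alerts = []
    for (user, proc), events in by_actor.items():
        if proc in BROWSERS:
            continue  # interactive spreadsheet use; out of scope for this rule
        events.sort(key=lambda e: e["ts"])
        reasons = ["non-browser process contacted Google Sheets"]
        if looks_periodic([e["ts"] for e in events]):
            reasons.append("regular polling cadence, consistent with C2 beaconing")
        if any(e["path"].endswith(":append") for e in events):
            reasons.append("append call, consistent with data being written out")
        doc_ids = sorted({m.group(1) for e in events
                          for m in [DOC_ID_RE.search(e["path"])] if m})
        alerts.append({"user": user, "process": proc, "count": len(events),
                       "doc_ids": doc_ids, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_sheets_c2(SAMPLE_LOG):
        print(alert)
```

The document ID carried in each alert is the pivot a responder wants: it lets the same sheet be searched for across all endpoints and, as the article goes on to describe, is what ties a sample back to the operation's infrastructure.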

The Critical Security Flaw

Despite its technical sophistication, SHEETCREEP contains a critical security oversight that ultimately led to its discovery and exposure. The Pakistani government allegedly hardcoded the Google Sheets C2 server URL and access key directly into the malware payload.

This operational security mistake is particularly egregious in the context of state-sponsored cyber operations. Proper operational security practices would require the use of dynamic or encrypted configurations that could be changed without modifying the malware itself. Hardcoded credentials essentially provide researchers with a roadmap to the entire operation.

Why Hardcoding Credentials is a Critical Error

  • Allows researchers to identify the C2 infrastructure
  • Reveals the specific Google Sheets document being used
  • Provides the access key needed to control infected systems
  • Exposes the entire list of targets and operations
  • Makes it impossible to change infrastructure without redeploying malware
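The list above is exactly what an analyst recovers by pulling the embedded configuration out of a sample. As an added example (not from the article or from Securonix), the following Python triage script extracts printable strings from a constructed byte blob and looks for hardcoded Google Sheets document IDs and API-key-like tokens. Because the payload is described as C# code, the script also decodes UTF-16LE strings, which is how .NET assemblies store their string literals; an ASCII-only pass would miss them. The URL shapes, the "AIza" key prefix and the sample blob contents are assumptions for illustration, not values from the report.

```python
import re

# Assumed patterns: a Google Sheets document URL (web or v4 API form) and the
# 39-character "AIza..." shape that Google API keys commonly take. Neither is
# taken from the Securonix write-up.
SHEET_URL_RE = re.compile(
    r"https?://(?:docs\.google\.com/spreadsheets/d/"
    r"|sheets\.googleapis\.com/v4/spreadsheets/)([A-Za-z0-9_-]{20,})")
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Constructed sample blob standing in for a dropped .NET binary. It mixes junk
# bytes, an ASCII string, a UTF-16LE URL and key (as a C# payload would store
# them), and an ASCII API URL. The sheet ID and key are obvious placeholders.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(256)) * 2
    + b"GetTempPath\x00\x00"
    + "https://docs.google.com/spreadsheets/d/"
      "1cOnStRuCtEd_sheet_id_placeholder_0123456789/edit".encode("utf-16le")
    + b"\x00\x00\x01\x02\x03"
    + "key=AIzaSyA0123456789abcdefghijklmnopqrstuv".encode("utf-16le")
    + b"\x00\x00"
    + b"https://sheets.googleapis.com/v4/spreadsheets/"
      b"1cOnStRuCtEd_sheet_id_placeholder_0123456789/values/Sheet1:append"
)


def extract_strings(data, min_len=8):
    """Yield printable ASCII runs and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.group().decode("utf-16le")


def find_hardcoded_c2(data):
    """Return sorted lists of spreadsheet IDs and API-key-like tokens found in data."""
    found = {"sheet_ids": set(), "api_keys": set()}
    for s in extract_strings(data):
        for m in SHEET_URL_RE.finditer(s):
            found["sheet_ids"].add(m.group(1))
        for m in API_KEY_RE.finditer(s):
            found["api_keys"].add(m.group())
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    result = find_hardcoded_c2(SAMPLE_BLOB)
    print("Spreadsheet IDs:", result["sheet_ids"])
    print("API-key-like tokens:", result["api_keys"])
```

Anything this returns from a real sample becomes an indicator to block and a pivot for hunting; it is also the point of the section above: once the document ID and key are static in the binary, every copy of the sample reveals the same infrastructure, and the operators cannot rotate it without shipping new malware.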

Discovery and Analysis

Security researchers who obtained samples of SHEETCREEP immediately recognized the significance of the hardcoded credentials. By examining these embedded details, they were able to access the Google Sheets document that served as the C2 server for the malware.

The document contained a treasure trove of information about the operation, including:

  • The complete list of targeted individuals and organizations
  • Details about the infection campaign
  • Communication patterns between infected systems and operators
  • Exfiltrated data from compromised systems

Researchers discovered that the Pakistani government was monitoring 91 individuals they deemed important, primarily military and political personnel in India. This list provides concrete evidence of a coordinated cyber espionage operation targeting specific high-value individuals.

Discovery Component         Significance
Hardcoded Google Sheets URL Identified the C2 server infrastructure
Embedded Access Key         Provided credentials to access C2 server
Target List                 Revealed 91 monitored individuals
Operation Details           Showed scope and objectives of the campaign

Implications and Lessons

The SHEETCREEP incident serves as a cautionary tale about the importance of operational security in cyber operations. Despite developing technically sophisticated malware, the operators failed to implement basic security practices that could have protected their operation.

The incident also highlights the growing trend of state-sponsored actors leveraging legitimate cloud services for malicious purposes. By using Google Sheets as a C2 server, the operators attempted to blend their activities with normal cloud usage, potentially making detection more difficult.

For cybersecurity professionals, the SHEETCREEP case offers valuable insights into the tactics, techniques, and procedures (TTPs) used by state-sponsored actors. Understanding these methods helps organizations develop better defenses against similar threats.

Conclusion

SHEETCREEP represents both technical innovation and operational failure in the realm of state-sponsored cyber operations. The malware's use of Google Sheets as a C2 server demonstrates creative problem-solving, but the hardcoded credentials reveal a fundamental misunderstanding of operational security.

As researchers continue to analyze the malware and its associated infrastructure, the full extent of the operation may become clearer. In the meantime, the SHEETCREEP incident stands as a reminder that even the most sophisticated cyber operations can be undone by basic security oversights.

For organizations and individuals in potential crosshairs of state-sponsored actors, the incident underscores the importance of robust cybersecurity measures, including email security, endpoint protection, and user awareness training to detect and prevent such sophisticated attacks.



> be pakistan government > develop custom malware > used to target high profile targets > used against indian military and political ppl > named SHEETCREEP > send indian ppl file > UAE-India Strategic Partnership Week > malicious .lnk file > .lnk executes malicious c sharp code > does a bunch of stuff for persistence > exfiltrates data to Google Sheets > Google Sheets can be used to control victim pcs > pakistan gov hardcodes google c2 sheet > PAKISTAN GOV HARDCODES GOOGLE C2 SHEET > embed access key in payload > EMBED ACCESS KEY IN PAYLOAD > malware nerds find it > look inside > find all targets from pakistan gov > monitoring 91 ppl they think important THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat/ > be pakistan government > develop custom malware > used to target high profile targets > used against indian military and political ppl > named SHEETCREEP > send indian ppl file > UAE-India Strategic Partnership Week > malicious .lnk file > .lnk executes malicious c sharp code > does a bunch of stuff for persistence > exfiltrates data to Google Sheets > Google Sheets can be used to control victim pcs > pakistan gov hardcodes google c2 sheet > PAKISTAN GOV HARDCODES GOOGLE C2 SHEET > embed access key in payload > EMBED ACCESS KEY IN PAYLOAD > malware nerds find it > look inside > find all targets from pakistan gov > monitoring 91 ppl they think important THEY STARTED SO STRONG. WHY DID YOU HARDCODE EVERYTHING. YOU BURNED YOUR OPERATION https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat/