Gbhackers
SHEETCREEP Espionage Campaign Uses UAE-India Lure for RAT Deployment
The SHEETCREEP espionage campaign employs a UAE-India diplomatic-themed ISO file to deliver a C# remote access trojan (RAT) that uses Google Sheets as its command-and-control channel. The ISO file, named UAE-India_Strategic_Partnership_Week.iso, contains a LNK file that launches a dropper, which extracts a decoy PDF and installs the RAT in a hidden location. The RAT uses the Google Sheets API for command execution, creating a unique tab for each victim. Researchers identified 91 active victim tabs, including targets in Islamabad, Pakistan. The malware has evolved to include anti-analysis techniques and obfuscation methods to evade detection. Network telemetry shows communication with Google API endpoints, complicating detection efforts. The campaign highlights a significant threat to organizations in the region and beyond.
Key Points:
• SHEETCREEP uses a UAE-India diplomatic lure to deliver a RAT via Google Sheets.
• The malware employs advanced evasion techniques, complicating detection and analysis.
• 91 active victim tabs were identified, indicating a broad scope of impact.
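
Because the traffic described above goes to Google API endpoints, the destination alone says little; the process that made the request says more. The following is an added example, not code from the article or the researchers: it filters constructed Sysmon Event ID 22 (DNS query) records for Google Sheets API lookups made by processes outside a baseline. The hostname choice, the baseline list, the path heuristics and the sample events are all assumptions.

```python
import json
from collections import defaultdict

SHEETS_API_HOST = "sheets.googleapis.com"  # Google Sheets API hostname

# Assumption: this environment's baseline of software expected to call the API.
EXPECTED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}
# Assumption: user-writable locations where a dropped binary could be hidden.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample records using Sysmon Event ID 22 (DNS query) field names.
SAMPLE_EVENTS = r"""
{"Computer":"WS-014","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","QueryName":"sheets.googleapis.com"}
{"Computer":"WS-014","Image":"C:\\Users\\user1\\AppData\\Roaming\\example\\updater.exe","QueryName":"sheets.googleapis.com"}
{"Computer":"WS-014","Image":"C:\\Users\\user1\\AppData\\Roaming\\example\\updater.exe","QueryName":"sheets.googleapis.com."}
{"Computer":"WS-014","Image":"C:\\Users\\user1\\AppData\\Roaming\\example\\updater.exe","QueryName":"Sheets.GoogleAPIs.com"}
{"Computer":"WS-014","Image":"C:\\Users\\user1\\AppData\\Roaming\\example\\updater.exe","QueryName":"www.example.com"}
{"Computer":"WS-022","Image":"C:\\Tools\\reporting\\export.exe","QueryName":"sheets.googleapis.com"}
"""

def hunt_sheets_clients(raw_events):
    """Return non-baseline processes that resolved the Sheets API host."""
    hits = defaultdict(int)
    for line in raw_events.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Normalise case and a trailing root dot before comparing hostnames.
        query = event.get("QueryName", "").lower().rstrip(".")
        image = event.get("Image", "").lower()
        if query != SHEETS_API_HOST or image in EXPECTED_IMAGES:
            continue
        hits[(event["Computer"], image)] += 1
    findings = [
        {"computer": computer, "image": image, "queries": count,
         "user_writable_path": any(p in image for p in USER_WRITABLE)}
        for (computer, image), count in hits.items()
    ]
    # Triage order: binaries in user-writable paths first, then by volume.
    findings.sort(key=lambda f: (not f["user_writable_path"], -f["queries"]))
    return findings

if __name__ == "__main__":
    for finding in hunt_sheets_clients(SAMPLE_EVENTS):
        print(finding)
```

DNS query events are used here rather than Sysmon network-connection events (Event ID 3) because the hostname in the latter comes from reverse DNS and often does not show the API name.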