SHEETCREEP
⚠️ Overview
SheetCreep is a PowerShell-based backdoor and information stealer attributed to the North Korean threat group Kimsuky (also tracked as APT43 and TA427), first documented by Broadcom Symantec in August 2022. It is a remote access trojan (RAT) used for cyber-espionage against government and academic targets. Its distinguishing trait is the use of Google Sheets as the command-and-control (C2) channel: every C2 exchange is HTTPS to a Google-owned domain, so the traffic blends with legitimate web use and is not caught by domain-reputation blocking.
🔧 Technical Capabilities
SheetCreep arrives as a PowerShell script delivered via spear-phishing emails with malicious HWP (Hangul Word Processor) attachments and persists by creating a scheduled task or writing a registry Run key. Its C2 runs over the Google Sheets API: the implant polls a victim-specific spreadsheet, reads cell values that carry encrypted commands, executes them locally and writes the results into adjacent cells. Because commands flow in and output flows out through the same spreadsheet, this is ATT&CK T1102.002 (Web Service: Bidirectional Communication); a dead-drop resolver in the narrow T1102.001 sense would only host a pointer to a separate C2 server, which is not what is described here. The PowerShell payloads are obfuscated (T1059.001) to defeat static detection, resolve Windows API calls dynamically through reflection, and perform sandbox checks such as looking for mouse movement or common debugger processes. Once running, the implant enumerates system information (T1082), steals browser credentials, logs keystrokes (T1056.001) and downloads additional modules from attacker-controlled URLs (T1105).
📜 History & Notable Incidents
First documented by Symantec in August 2022, SheetCreep was observed again in December 2022 targeting South Korean think tanks and North Korea policy experts in the United States, as reported by Mandiant (M-Trends 2023). The campaign is reported to have exploited CVE-2018-10247, described as a buffer overflow in Hancom HWP, to drop its initial payload. Later versions are also reported to have abused CVE-2021-42287, the Active Directory sAMAccountName/PAC spoofing flaw patched in November 2021, which lets an ordinary domain user escalate to domain administrator against unpatched domain controllers; note that this is a domain-level escalation, not a local one, so it only matters on domain-joined victims. No law enforcement actions specifically targeting SheetCreep have been publicly confirmed as of early 2024.
🔍 Detection Indicators
The SHA256 value listed for this family, 3a7c4f1e9b2d8c0a5e6f7b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1 (cited as an example from the Mandiant report), is 63 hexadecimal digits, one short of the 64 a SHA-256 digest has, so it is a placeholder and must not be loaded into a blocklist; take hashes from the original vendor reporting. Behavioural indicators are more durable: powershell.exe opening a handle to lsass.exe (credential access; lsass.exe is a system process and is never legitimately started by PowerShell, so "spawning" is not the right check), powershell.exe spawning schtasks.exe, and outbound HTTPS to sheets.googleapis.com from a non-browser process, with User-Agent strings such as "Google-API-Java-Client" or "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". Registry persistence typically creates a value named "SheetCreep" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. A mutex named "Global\SheetSynchMutex" has been observed in multiple samples.
☠️ Risk & Impact
SheetCreep enables long-term espionage, exfiltrating sensitive policy documents, credentials and email archives from high-value geopolitical targets. Financial losses are indirect but significant: the 2022-2023 campaign reportedly compromised at least 12 South Korean research institutes, with the stolen information valued at an estimated $10 million in intellectual property (source: Korea Internet & Security Agency). The primary affected sectors are government, defense and non-proliferation research.
🛡️ Mitigation
Organizations should block execution of unsigned or untrusted PowerShell scripts with application control (AppLocker or Windows Defender Application Control, the successor to Device Guard); an enforced policy also drops PowerShell into Constrained Language Mode, which blocks the reflection-based API resolution the payload depends on. Enable PowerShell Script Block Logging (Event ID 4104) so obfuscated scripts are recorded after de-obfuscation. Keep Hancom HWP viewers patched (CVE-2018-10247 is reported fixed in version 10.0.1.8). Finally, alert on connections to sheets.googleapis.com from non-browser processes; this is a network or EDR telemetry rule (Sysmon Event ID 3, proxy logs with process attribution), not a YARA rule, since YARA matches file and memory content rather than connections. Symantec and Microsoft Defender for Endpoint provide detection signatures under the name "TrojanSpy:PowerShell/SheetCreep".
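The behaviours described under Technical Capabilities and the indicators listed under Detection Indicators, expressed as host-telemetry rules. This is an added example, not code from this page, Symantec, Mandiant or Boteraser. It consumes Sysmon-style events (IDs 1, 3, 10 and 13) as Python dicts; the sample events are constructed, and the browser allowlist, rule names and the PROCESS_VM_READ access-mask threshold are the author's assumptions. The Sheets traffic is mapped to T1102.002 (Bidirectional Communication) because commands and results both traverse the spreadsheet.

```python
"""Host-telemetry rules for the SheetCreep behaviours described in
Technical Capabilities and Detection Indicators.

Added example; not code from this page, Symantec, Mandiant or Boteraser.
Input is a list of Sysmon-style events (IDs 1, 3, 10, 13) as dicts; the
sample events below are constructed, and the browser allowlist, rule
names and access-mask threshold are the author's assumptions.
"""
from dataclasses import dataclass
import ntpath
import re

# Assumption: only these processes may legitimately reach the Sheets API
# from a workstation. Tune per environment (Excel/Power Query, sync tools).
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHEETS_HOSTS = {"sheets.googleapis.com"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# -e / -en / -enc / -EncodedCommand followed by a base64 blob
ENCODED_PS_RE = re.compile(
    r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
PROCESS_VM_READ = 0x0010  # access right a credential dumper needs on lsass


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK technique ID
    rule: str
    image: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[Finding]:
    """Run every rule over the event stream and return findings in event order."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 3:  # network connection
            img = _name(ev["Image"])
            host = ev.get("DestinationHostname", "").lower()
            if host in SHEETS_HOSTS and img not in BROWSER_ALLOWLIST:
                findings.append(Finding("T1102.002", "sheets_api_non_browser", img, host))
        elif eid == 13:  # registry value set
            if RUN_KEY_RE.search(ev["TargetObject"]) and "powershell" in ev.get("Details", "").lower():
                findings.append(Finding("T1547.001", "run_key_powershell",
                                        _name(ev["Image"]), ev["TargetObject"]))
        elif eid == 10:  # process access (handle opened on another process)
            if (_name(ev["SourceImage"]) == "powershell.exe"
                    and _name(ev["TargetImage"]) == "lsass.exe"
                    and int(ev["GrantedAccess"], 16) & PROCESS_VM_READ):
                findings.append(Finding("T1003.001", "powershell_reads_lsass",
                                        "powershell.exe", ev["GrantedAccess"]))
        elif eid == 1:  # process create
            img, parent = _name(ev["Image"]), _name(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if img == "schtasks.exe" and parent == "powershell.exe":
                findings.append(Finding("T1053.005", "powershell_spawns_schtasks", img, cmd))
            if img == "powershell.exe" and ENCODED_PS_RE.search(cmd):
                findings.append(Finding("T1059.001", "encoded_powershell", img, cmd))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"  # UTF-16LE "IEX (New-Object", constructed

# Constructed sample telemetry: one benign browser connection, then the five
# behaviours a SheetCreep infection would produce.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443},
    {"EventID": 3, "Image": PS,
     "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443},
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\SheetCreep",
     "Details": f"powershell.exe -w hidden -enc {B64}"},
    {"EventID": 10, "SourceImage": PS, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410"},  # QUERY_LIMITED | QUERY_INFORMATION | VM_READ
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks /create /sc minute /mo 30 /tn SheetSync /tr "powershell -w hidden -f C:\\Users\\Public\\sync.ps1"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {B64}"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.rule:28} {f.image:16} {f.detail}")
```

The benign Chrome connection produces nothing; the remaining five events each raise one finding. The lsass rule keys on the granted access mask rather than on the handle alone, because query-only handles to lsass.exe are common and noisy, while PROCESS_VM_READ is what a credential dumper needs. In production the allowlist check should be backed by code-signing or parent-process checks, since a renamed binary trivially defeats a basename match.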
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.