The attackers wrote instructions into spreadsheet cells and retrieved stolen data from them the same way. The malware polled the sheet every second for new instructions, wrote status updates back on task completion, and wiped the first 1,000 rows at the start of each session to erase traces of prior activity, the blog post explained.
“This activity is not the result of a security vulnerability in Google’s products; rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic,” GTIG added.
“The most unsettling detail about the GRIDTIDE backdoor is how it abuses legitimate Google Sheets API calls to function as its C2 channel, while still employing techniques like ‘living off the land’ to blend in with regular enterprise activities,” Andrew Costis, manager of the Adversary Research Team at AttackIQ, said. “This camouflage buys attackers time by slipping past the triggers defenders rely on, like obvious malware signatures or noisy beaconing, and hiding within the same cloud app patterns teams are used to seeing.”