Google Sheets is a widely used cloud-based spreadsheet application that is part of Google Workspace. It enables users to create, edit and collaborate on spreadsheets in real time from anywhere with an internet connection. Its seamless integration with Google application programming interfaces (APIs), automation capabilities via Google Apps Script, easy sharing mechanisms and cloud infrastructure make it a powerful tool for collaboration, data processing, reporting and project management. Google Sheets is utilized across many industries for tasks such as tracking and planning company activities, intelligence tracking, financial modeling, inventory management and general collaborative planning. Although Google Sheets offers significant capabilities for users, it has inadvertently become a valuable tool for threat actors and malware for command-and-control (C2). Attackers from afar rely on C2 services to issue commands to malware, such as where to exfiltrate data. These communications often stand out due to the locations and reputations of those servers and can be detected by defenders. But by leveraging the infrastructure of cloud services, this communication with malware can be camouflaged. In this post, we will discuss how to conduct threat hunts using HUNTER471 to detect this kind of activity, which has been used in a recent malware campaign called Voldemort.
Cloud Control
Cloud services like Google’s are frequently abused because they provide low-maintenance infrastructure versus attackers having to set up and manage their own servers or compromise legitimate services. These threat actors leverage the trusted nature of Google’s services to evade detection and bypass traditional security measures. Given how ubiquitous Google’s services are — used by organizations globally, often every minute — identifying malicious use becomes a challenge. In recent years, threat actors and malware have abused Google Sheets and its APIs to facilitate C2 communications, allowing attackers to issue commands, retrieve data, download additional malware and control compromised systems, all while appearing as legitimate Google traffic.
The abuse of Google Sheets for C2 is not a new technique but has recently come into the spotlight due to attacks involving the Voldemort malware. Research published by Proofpoint indicates Voldemort was likely developed by an advanced persistent threat (APT) group that aims to compromise systems for espionage purposes. According to Proofpoint, Voldemort is a unique backdoor that uses a novel attack chain to infect systems, and the malware can be used as a loader to deliver other malware. Historically, cloud infrastructure has been used in cyber espionage and cybercrime by groups such as DarkHydrus as reported by Palo Alto Networks’ Unit 42 on its research blog in 2019. DarkHydrus used Google Drive as an alternative C2 channel, abusing Google’s cloud APIs to communicate with its malware and effectively circumventing many security tools. Similarly, in more recent campaigns, attackers have embedded commands in Google Sheets, using its API to issue instructions, push malware and exfiltrate data. In 2021, this method became so effective that it led to the development of a tool called GC2-Sheet, designed specifically for red teaming exercises. It's worth noting this tool also added capabilities to abuse Microsoft APIs as well for hosting data to upload and download from compromised hosts. Unfortunately, as is often the case with red team tools, GC2-Sheet was eventually adopted by APT41 aka Wicked Panda, Brass Typhoon, which used it in an attack in 2023.
The primary difficulty in detecting or blocking this type of activity lies in the fact that Google APIs are essential to daily operations for many organizations. Simply blocking these services could disrupt legitimate business functions. This leaves defenders with the challenge of differentiating between benign and malicious use of the platform. Attackers exploit this gray area by blending malicious traffic with normal business activities, making it difficult for automated systems or analysts to distinguish one from the other. Despite the challenges, subtle differences between legitimate and malicious use still provide key clues for threat hunters. These minor variations — whether in process behavior or network patterns — can stand out under scrutiny, making it possible to identify and mitigate these malicious activities. Next, we will discuss techniques to identify and hunt for this malicious C2 traffic.
DNS. It’s Always DNS.
One effective method for threat hunters is identifying suspicious domain name system (DNS) requests that suggest Google Drive API was accessed by non-standard or atypical applications. Attackers utilize Google Sheets and its API in several ways to facilitate C2 operations. These methods often involve embedding instructions within Google Sheets documents, using the Google Sheets API to retrieve or execute commands and exfiltrating sensitive data under the guise of legitimate communications. The malware or threat actor will programmatically interact with Google Sheets via API calls, enabling the infected machine to check for updates or upload responses periodically.
Voldemort uses Google Sheets as a centralized communication hub. It tracks all compromised devices and carries out commands by iterating over a single sheet, continuously checking for commands related to its specific universally unique identifier (UUID). But as the number of compromised systems increases, this method can become inefficient, as the system generates multiple requests while searching for unassigned cells. This spike in API requests between sleep periods can draw attention to the malicious activity by increasing network traffic and potentially raising red flags in monitoring systems.
Hunting for Malicious Communications
We’ve written a threat hunt package to identify the abuse of Google’s APIs for Google Drive and Google Sheets. The package is for CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Palo Alto Cortex XDR, Splunk, Tanium and Tanium Signal. The hunt leverages endpoint telemetry (e.g., endpoint detection and response (EDR), Sysmon or extended detection and response (XDR)) to scrutinize DNS activities and flag potential malware attempting to access domains associated with Google Drive and Sheets API.
Simply pulling DNS requests, however, is often insufficient to pinpoint malicious activities without first establishing baselines and identifying anomalies. Therefore, this hunt correlates DNS requests with the processes responsible for initiating them, adding a layer of scrutiny. This approach helps analysts filter out legitimate activity while focusing on unusual applications that interact with Google APIs. This method is particularly effective in environments where Google Drive and Sheets are widely used, as atypical applications accessing these services tend to stand out. Analysts can further investigate by applying human judgment to identify suspicious application names (e.g., randomly generated names) or processes originating from unusual locations, such as temporary or hidden directories.
Another threat hunt available in HUNTER471 targets environmentally uncommon or unique processes performing DNS requests for the Google Sheets API specifically. This hunt is designed to quickly identify Google Sheets abuse by applying multiple layers of scrutiny to highlight unusual or rare processes making these DNS requests.
This additional scrutiny includes filtering for uniqueness by checking how many hosts the process has been observed on, as well as how many DNS requests have been observed. Utilizing these filters, threat hunters can then sort by the most uniquely occurring activity in their environment as their starting point for the most likely malicious activity. This has been proven effective at identifying Voldemort and the GC2-Sheet red team tool.
Conclusion
While Google Sheets is a trusted and essential tool for many organizations, its APIs can be abused by threat actors to establish stealthy C2 channels. The challenge lies in preventing, detecting and identifying malicious use amid legitimate traffic. By leveraging DNS, process and network telemetry, along with targeted threat hunts focusing on atypical activity coupled with human analysis, organizations can identify and mitigate the risk of malware abusing Google Sheets for C2. Threat hunting becomes essential for techniques such as this, because prevention strategies can easily fail due to overlap with legitimate uses. Detection strategies become cumbersome for the same reasons in discerning between legitimate and malicious use. Pre-written hunt queries from HUNTER471 greatly reduce the time and effort threat hunters need to invest in identifying malicious use of legitimate services. Results from these queries can point them in the right direction where they can decide if certain activity merits further investigation or, in a worst-case scenario, if they should start rolling incident response.
In addition to offering critical hunt queries available for identifying Google Sheets and Google Drive abuse, HUNTER471 provides analysts with essential technical insights to enhance their analysis and understanding of query results. HUNTER471’s features include Analyst Notes, which deliver the context around the threat environment that a hunt addresses. Also, HUNTER471 provides an Analyst Runbook, which provides guidance on what to do if a hunt results in possible positives, and Mitigation Recommendations, which provide further incident response advice. These technical notes are crucial for efficiently executing hunts, validating findings and responding to identified threats. Moreover, the hunt packages include valuable intelligence context, such as example commands, artifacts and real-world observations, along with references and metadata to help analysts better understand the threat and its associated techniques.
HUNTER471 offers a free community edition where registered users can get access to a limited amount of free threat hunting query content. For more information about Intel 471’s HUNTER471 platform, please contact us.
