Today's Core Dump is brought to you by ThreatPerspective

Threat Intelligence

Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign

URLs

http://130[.]94[.]6[.]228/apt.tar.gz
    Archive contained GRIDTIDE.

http://130[.]94[.]6[.]228/update.tar.gz
    Archive contained a SoftEtherVPN Bridge component.

http://130[.]94[.]6[.]228/amp.tar.gz
    Archive contained a SoftEtherVPN Bridge component.

https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values/A1?valueRenderOption=FORMULA
    GRIDTIDE leverages this API endpoint to monitor cell A1 of the spreadsheet for threat actor commands.

https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values:batchClear
    GRIDTIDE leverages this API endpoint to clear data from the first 1000 rows of the spreadsheet.

https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values:batchUpdate
    GRIDTIDE leverages this API endpoint to exfiltrate victim host metadata to cell V1, report command execution output and status messages to cell A1, and to transfer data into the A2:An cell range.

https://sheets[.]googleapis[.]com:443/v4/spreadsheets/<GoogleSheetID>/values/A2:A<cell_number>?valueRenderOption=FORMULA
    GRIDTIDE leverages this API endpoint to transfer data from the A2:An cell range to the victim host.
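As an added example that is not part of the report, the Python helper below classifies proxy-log URLs against the Sheets API endpoint shapes listed above and flags any client that both polls cell A1 for tasking and issues batchClear or batchUpdate against the same spreadsheet. The log line format (client, method, URL) and the sheet IDs are constructed for illustration; the function also accepts defanged URLs so the IoCs above can be fed to it directly.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# URL shapes taken from the GRIDTIDE IoC list above: values:batchClear, values:batchUpdate, values/A1, values/A2:A<n>.
PATH_RE = re.compile(
    r"^/v4/spreadsheets/(?P<sheet>[^/]+)/values"
    r"(?::(?P<batch>batchClear|batchUpdate)|/(?P<rng>[A-Za-z]+\d+(?::[A-Za-z]+\d+)?))$")

def classify(url):
    """Map one URL to (sheet_id, behaviour), or None if it is not a Sheets values call."""
    parts = urlsplit(url.replace("[.]", "."))      # also accepts defanged IoCs
    if parts.hostname != "sheets.googleapis.com":
        return None
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    if m["batch"]:
        return m["sheet"], m["batch"]
    formula = parse_qs(parts.query).get("valueRenderOption") == ["FORMULA"]
    rng = m["rng"].upper()
    if rng == "A1" and formula:
        return m["sheet"], "poll_A1"                # tasking poll on cell A1
    if rng.startswith("A2:A") and formula:
        return m["sheet"], "fetch_A2_An"            # data transfer to the host
    return m["sheet"], "other"

def find_gridtide_like(log_text):
    """Group behaviours per (client, sheet) and keep clients that both poll A1
    for tasking and issue batchClear/batchUpdate against the same sheet."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()                      # constructed format: client method url
        if len(fields) < 3:
            continue
        hit = classify(fields[-1])
        if hit:
            seen[(fields[0], hit[0])].add(hit[1])
    return {k: sorted(b) for k, b in seen.items()
            if "poll_A1" in b and b & {"batchClear", "batchUpdate"}}

# Constructed proxy log sample (not from the report); sheet IDs are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET https://sheets.googleapis.com:443/v4/spreadsheets/SHEET_A/values/A1?valueRenderOption=FORMULA
10.0.0.5 POST https://sheets.googleapis.com:443/v4/spreadsheets/SHEET_A/values:batchClear
10.0.0.5 POST https://sheets.googleapis.com:443/v4/spreadsheets/SHEET_A/values:batchUpdate
10.0.0.5 GET https://sheets.googleapis.com:443/v4/spreadsheets/SHEET_A/values/A2:A40?valueRenderOption=FORMULA
10.0.0.9 GET https://sheets.googleapis.com:443/v4/spreadsheets/SHEET_B/values/B3
"""
```

Running find_gridtide_like(SAMPLE_LOG) reports only 10.0.0.5 against SHEET_A; 10.0.0.9 reads an unrelated cell and is not flagged.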

GRIDTIDE YARA Rule

rule G_APT_Backdoor_GRIDTIDE_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        // {"alg":"RS256","kid":"%s","typ":"JWT"} - JWT header template, key id filled in at runtime
        $s1 = { 7B 22 61 6C 67 22 3A 22 52 53 32 35 36 22 2C 22 6B 69 64 22 3A 22 25 73 22 2C 22 74 79 70 22 3A 22 4A 57 54 22 7D 00 }
        // /proc/self/exe
        $s2 = { 2F 70 72 6F 63 2F 73 65 6C 66 2F 65 78 65 00 }
        // {"ranges":["a1:z1000"]} - request body matching the batchClear of the first 1000 rows described above
        $s3 = { 7B 22 72 61 6E 67 65 73 22 3A 5B 22 61 31 3A 7A 31 30 30 30 22 5D 7D 00 }
        // Format strings: S-U-%s-1, S-U-R-1, S-D-%s-0, S-D-R-%d
        $s4 = { 53 2D 55 2D 25 73 2D 31 00 }
        $s5 = { 53 2D 55 2D 52 2D 31 00 }
        $s6 = { 53 2D 44 2D 25 73 2D 30 00 }
        $s7 = { 53 2D 44 2D 52 2D 25 64 00 }
    condition:
        // ELF magic (0x7F 'E' 'L' 'F' read as a little-endian uint32) and at least six of the strings
        (uint32(0) == 0x464c457f) and 6 of ($*)
}

Published: 2026-02-25T14:00:00
© Segmentation Fault. All rights reserved.