GRIDTIDE

According to Google, GRIDTIDE is a sophisticated backdoor written in C and delivered as a Linux ELF binary that provides remote shell command execution, file upload, and file download. It uses a cloud-based spreadsheet service as its command-and-control channel, talking to the service through its official APIs so that its traffic blends into legitimate HTTPS, and encodes everything it reads from and writes to the spreadsheet with a URL-safe Base64 scheme. The malware depends on an external 16-byte key file to decrypt its cloud configuration with AES-128 in CBC mode, so the configuration cannot be recovered from the binary alone; an analyst needs the key file as well. It then performs host reconnaissance (user, host, OS, network, and locale information) and stores that metadata in designated spreadsheet cells. GRIDTIDE persists as a system service, polls specific cells for tasking and writes responses back into cells, and can stage tooling and exfiltrated data in cells, so neither tasking nor data transfer produces traffic to attacker-controlled infrastructure and traditional network-based detection sees only API calls to a legitimate service.
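The cell-based tasking loop described above, modelled as an added example written for this page (it is not GRIDTIDE's own code and does not reproduce its wire format). The spreadsheet is replaced by an in-memory dict so the exchange runs offline; the cell addresses, the JSON task format, the handler names and the host values are assumptions chosen for illustration, and the "shell" handler returns canned output instead of executing anything. Only the URL-safe Base64 framing and the poll/respond pattern follow the description above; the AES-128-CBC configuration decryption and the service persistence are not modelled.

```python
import base64
import json


class MockSheet:
    """Constructed stand-in for a cloud spreadsheet reached through an API:
    a dict of cell address -> string value. Nothing here touches a network."""

    def __init__(self):
        self.cells = {}

    def read(self, cell: str) -> str:
        return self.cells.get(cell, "")

    def write(self, cell: str, value: str) -> None:
        self.cells[cell] = value


# Hypothetical cell layout (assumption; the real implant's layout is not
# documented on this page).
CELL_META = "A1"    # host reconnaissance, written once at check-in
CELL_TASK = "B1"    # operator writes a task here; the implant clears it
CELL_RESULT = "C1"  # implant writes the task's output here


def encode_cell(data: bytes) -> str:
    """URL-safe Base64 so the value survives as a plain spreadsheet string
    (no '+' or '/', which some cell editors or URL parameters mangle)."""
    return base64.urlsafe_b64encode(data).decode("ascii")


def decode_cell(text: str) -> bytes:
    """Tolerant decode: re-add the '=' padding that some encoders strip."""
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def implant_checkin(sheet: MockSheet, recon: dict) -> None:
    """Store host metadata (user, host, OS, network, locale) in its cell."""
    blob = json.dumps(recon, sort_keys=True).encode()
    sheet.write(CELL_META, encode_cell(blob))


def operator_task(sheet: MockSheet, task_type: str, arg: str) -> None:
    """Operator side: queue one task as an encoded JSON blob (assumed format)."""
    blob = json.dumps({"type": task_type, "arg": arg}).encode()
    sheet.write(CELL_TASK, encode_cell(blob))


def implant_poll(sheet: MockSheet, handlers: dict):
    """One polling iteration: run a pending task, publish its output, clear
    the task cell. Returns the decoded task dict, or None if nothing was queued."""
    raw = sheet.read(CELL_TASK)
    if not raw:
        return None
    task = json.loads(decode_cell(raw))
    handler = handlers.get(task.get("type"))
    output = b"unsupported task type" if handler is None else handler(task.get("arg", ""))
    sheet.write(CELL_RESULT, encode_cell(output))
    sheet.write(CELL_TASK, "")
    return task


def operator_read_result(sheet: MockSheet) -> bytes:
    return decode_cell(sheet.read(CELL_RESULT))


# Constructed handlers standing in for the real capabilities. The shell
# handler deliberately executes nothing and returns canned text.
def fake_shell(cmd: str) -> bytes:
    return f"[simulated output of: {cmd}]".encode()


def fake_download(path: str) -> bytes:
    files = {"/etc/hostname": b"workstation-01\n"}  # constructed file table
    return files.get(path, b"no such file")


HANDLERS = {"shell": fake_shell, "download": fake_download}


def run_exchange():
    """Full round trip: check-in, two tasks, two polls. Returns the sheet and
    both decoded results so a caller can inspect what crossed the 'wire'."""
    sheet = MockSheet()
    implant_checkin(sheet, {"user": "svc", "host": "workstation-01", "os": "Linux",
                            "ip": "10.0.0.5", "locale": "en_US"})  # constructed values
    operator_task(sheet, "shell", "id")
    implant_poll(sheet, HANDLERS)
    first = operator_read_result(sheet)
    operator_task(sheet, "download", "/etc/hostname")
    implant_poll(sheet, HANDLERS)
    second = operator_read_result(sheet)
    return sheet, first, second


if __name__ == "__main__":
    sheet, first, second = run_exchange()
    print(first, second, sheet.cells)
```

What the model makes visible for a defender: every value stored in the sheet is a URL-safe Base64 string, and every "message" between operator and implant is a read or write of a fixed cell through the service's API, so the only network artefacts are API requests to a legitimate domain. Detection therefore has to come from the endpoint (a long-lived service process on a Linux host talking to a spreadsheet API, a 16-byte key file next to the binary) or from the service's own access logs (the same cell range read at a steady cadence by a non-browser client), not from destination-based network blocking.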


Family metadata imported from Malpedia (Fraunhofer FKIE).