A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.
Discovered by security researchers from NVISO Labs, this malware gang, which they named Epic Manchego, has been active since June, targeting companies around the world with phishing emails that carry a malicious Excel document.
But NVISO said these weren't your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.
Malicious Excel files were compiled with EPPlus
According to NVISO, this was because the documents weren't compiled in the standard Microsoft Office software, but with a .NET library called EPPlus.
Developers typically use this library as part of their applications to add "Export as Excel" or "Save as spreadsheet" functions. The library can be used to generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.
NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.
OOXML spreadsheet files lack a portion of compiled VBA code that is specific to Excel documents compiled in Microsoft's proprietary Office software.
Some antivirus products and email scanners specifically look for this portion of VBA code when searching for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.
This blob of compiled VBA code is usually where an attacker's malicious code would be stored. However, this doesn't mean the files were clean. NVISO says that Epic Manchego simply stored their malicious code in a custom VBA code format, in another part of the document. This code was also password-protected to prevent security systems and researchers from analyzing its content.
But despite using a different method to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel document.
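As an added illustration of the detection point above (example code written for this page, not NVISO's tooling), the following Python triage check flags any OOXML spreadsheet that carries a VBA project and separately reports whether the Office-style `_VBA_PROJECT` stream name is present, so a document is never judged clean just because that compiled portion is absent. The fixture it scans is constructed inline, and locating stream names by a raw UTF-16LE byte search is a heuristic assumption rather than a full OLE parse.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # CFB/OLE2 header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"   # declared in [Content_Types].xml

def scan_ooxml(blob: bytes) -> dict:
    """Triage an OOXML spreadsheet: flag any embedded VBA project, whether or
    not it carries the compiled-code portion that Office normally adds."""
    result = {"is_ooxml": False, "has_vba_part": False, "vba_is_ole": False,
              "has_vba_project_stream": False, "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"
        return result
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if result["is_ooxml"] else ""
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["has_vba_part"] = bool(vba_parts) or VBA_CONTENT_TYPE in ctypes
    for part in vba_parts:
        data = zf.read(part)
        result["vba_is_ole"] = data.startswith(OLE_MAGIC)
        # Heuristic: CFB directory entries store stream names as UTF-16LE, so a
        # raw byte search shows whether an Office-style _VBA_PROJECT stream exists.
        result["has_vba_project_stream"] = "_VBA_PROJECT".encode("utf-16-le") in data
    if result["has_vba_part"]:
        # The macro project itself is the risk; do not wait for the compiled blob.
        result["verdict"] = "macro-enabled"
    return result

def build_sample(with_vba: bool, with_compiled_stream: bool) -> bytes:
    """Constructed fixture, not a real document: a minimal OOXML zip whose
    vbaProject.bin is only an OLE header followed by fake stream names."""
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
    if with_vba:
        types.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            stub = OLE_MAGIC + b"\x00" * 8 + "dir".encode("utf-16-le") + "Module1".encode("utf-16-le")
            if with_compiled_stream:
                stub += "_VBA_PROJECT".encode("utf-16-le")
            zf.writestr("xl/vbaProject.bin", stub)
    return buf.getvalue()
```

Run `scan_ooxml` over real files from a mail gateway quarantine and alert on `macro-enabled` regardless of the `has_vba_project_stream` flag; the flag is only useful as an enrichment field for hunting documents that were not produced by Office.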
Active since June
The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking the "Enable editing" button), the macros would download and install malware on the victim's systems.
The final payloads were classic infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user's browsers, email clients, and FTP clients, and send them to Epic Manchego's servers.
While the decision to use EPPlus to generate their malicious Excel files might have had some advantages at first, it also ended up hurting Epic Manchego in the long run, as it allowed the NVISO team to very easily detect all their past operations by searching for odd-looking Excel documents.
In the end, NVISO said it discovered more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22 this year.
NVISO says this group appears to be experimenting with this technique, and since the first attacks they have increased both their activity and the sophistication of their attacks, suggesting the technique might see broader use in the future.
However, NVISO researchers weren't entirely surprised that malware groups are now using EPPlus.
"We are familiar with this .NET library, as we have been using it for a few years to create malicious documents ("maldocs") for our red team and penetration testers," the company said.
Indicators of compromise and a technical breakdown of the malicious EPPlus-rendered Excel files are available in NVISO Labs' Epic Manchego report.