A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.
Discovered by security researchers from NVISO Labs, this malware gang, which they named Epic Manchego, has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.
But NVISO said these weren't your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.
Malicious Excel files were compiled with EPPlus
According to NVISO, this was because the documents weren't compiled in the standard Microsoft Office software, but with a .NET library called EPPlus.
Developers typically use this library as part of their applications to add "Export as Excel" or "Save as spreadsheet" functions. The library can be used to generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.
NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.
OOXML spreadsheet files lack a portion of compiled VBA code, specific to Excel documents compiled in Microsoft's proprietary Office software.
Some antivirus products and email scanners specifically look for this portion of VBA code to search for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.
This blob of compiled VBA code is usually where an attacker's malicious code would be stored. However, this doesn't mean the files were clean. NVISO says that Epic Manchego simply stored their malicious code in a custom VBA code format, in another part of the document. This code was also password-protected to prevent security systems and researchers from analyzing its contents.
But despite using a different method to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel document.
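The detection gap described above comes from scanners keying on the compiled VBA blob rather than on the presence of a VBA project at all. The following triage script is an added example, not code from NVISO Labs or from the EPPlus project: it opens an OOXML package in memory and reports whether it carries an xl/vbaProject.bin part, whether [Content_Types].xml declares the vbaProject content type or a macro-enabled main part, and which application docProps/app.xml claims generated the file. The sample package it builds is constructed for the demonstration (the vbaProject.bin bytes are a placeholder, not a real MS-OVBA container), and treating a non-Excel "Application" value on a macro-bearing workbook as a reason for a closer look is an assumed heuristic, not a rule from the report.

```python
import io
import re
import zipfile

# Constructed sample: a minimal OOXML package shaped like a macro-enabled workbook.
# Only the parts relevant to triage are present; it is not a usable spreadsheet.
def build_sample_package(include_vba: bool, app_name: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if include_vba:
            main_ct = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        else:
            main_ct = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>',
        ]
        if include_vba:
            types.append('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr(
            "docProps/app.xml",
            '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/'
            f'extended-properties"><Application>{app_name}</Application></Properties>',
        )
        z.writestr("xl/workbook.xml", "<workbook/>")
        if include_vba:
            # Placeholder bytes standing in for the OLE compound file a real workbook holds here.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Return macro-related indicators for an OOXML package held in memory."""
    result = {
        "is_zip": False,
        "has_vba_part": False,
        "declares_vba_content_type": False,
        "macro_enabled_main_part": False,
        "application": None,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # A vbaProject.bin part means the workbook carries a VBA project,
        # whether or not Office has ever compiled it.
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_content_type"] = "application/vnd.ms-office.vbaProject" in ct
            result["macro_enabled_main_part"] = "macroEnabled.main+xml" in ct
        if "docProps/app.xml" in names:
            app = z.read("docProps/app.xml").decode("utf-8", "replace")
            m = re.search(r"<Application>(.*?)</Application>", app)
            if m:
                result["application"] = m.group(1)
    return result


def is_macro_bearing(report: dict) -> bool:
    """True if any indicator shows a VBA project, independent of compiled code."""
    return (report["has_vba_part"]
            or report["declares_vba_content_type"]
            or report["macro_enabled_main_part"])


def needs_closer_look(report: dict) -> bool:
    """Assumed heuristic: a macro-bearing workbook whose generator is not Excel."""
    app = (report["application"] or "").lower()
    return is_macro_bearing(report) and "excel" not in app


if __name__ == "__main__":
    for label, pkg in (("vba-from-excel", build_sample_package(True, "Microsoft Excel")),
                       ("vba-from-library", build_sample_package(True, "SomeLibrary")),
                       ("no-vba", build_sample_package(False, "SomeLibrary"))):
        rep = triage_ooxml(pkg)
        print(label, rep, "macro-bearing:", is_macro_bearing(rep),
              "closer look:", needs_closer_look(rep))
```

Run it against a real .xlsm by reading the file's bytes into triage_ooxml; the point of the check is that the decision rests on the package structure, so a workbook whose VBA project was never compiled is still flagged as macro-bearing.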
Active since June
The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking the "Enable editing" button), the macros would download and install malware on the victim's systems.
The final payloads were classic infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user's browsers, email clients, and FTP clients, and send them to Epic Manchego's servers.
While the decision to use EPPlus to generate their malicious Excel files might have had some benefits at first, it also ended up hurting Epic Manchego in the long run, as it allowed the NVISO team to very easily detect all their past operations by searching for odd-looking Excel documents.
In the end, NVISO said it discovered more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22, this year.
NVISO says this group appears to be experimenting with this technique, and since the first attacks, they've increased both their activity and the sophistication of their attacks, suggesting this might see broader use in the future.
However, NVISO researchers weren't entirely surprised that malware groups are now using EPPlus.
"We are familiar with this .NET library, as we have been using it for a couple of years to create malicious documents ("maldocs") for our red team and penetration testers," the company said.
Indicators of compromise and a technical breakdown of the malicious EPPlus-rendered Excel files are available in NVISO Labs' Epic Manchego report.