Epic Manchego gang uses Excel docs that avoid detection

Pierluigi Paganini September 07, 2020

A recently discovered cybercrime gang, tracked as Epic Manchego, is using a new technique to create weaponized Excel files that are able to bypass security checks.

Security experts from NVISO Labs recently spotted the activity of a new malware gang, tracked as Epic Manchego, that has been actively targeting companies across the world with phishing emails since June. The phishing messages carry weaponized Excel documents that are able to bypass security checks and that had low detection rates.

The trick used by the Epic Manchego gang consists of compiling the documents with a .NET library called EPPlus, instead of the standard Microsoft Office software.

The EPPlus library is widely adopted by organizations and development teams that integrate it into their applications to add functions such as “Export as Excel” or “Save as spreadsheet.”

The library can generate files in multiple spreadsheet formats and also supports Excel 2019. NVISO researchers observed the Epic Manchego crew using the EPPlus library to generate spreadsheet files in the Office Open XML (OOXML) format.

The OOXML files generated by Epic Manchego lacked a section of compiled VBA code that is specific to Excel documents compiled in Microsoft’s proprietary Office software.

Some antivirus solutions specifically analyze this section to look for malicious VBA code in Excel docs. The lack of this section makes the Excel files generated by the Epic Manchego gang hard to detect.

The Epic Manchego threat actors stored their malicious code in a custom VBA code format, which was also password-protected to prevent researchers from analyzing it.

“At first, we thought they were created with Excel, and were then VBA purged. But closer examination leads us to believe that these documents are created with a .NET library that creates Office Open XML (OOXML) spreadsheets.” reads the analysis published by NVISO. “As stated in our VBA Purging blog post, Office documents can also lack compiled VBA code when they are created with tools that are totally independent from Microsoft Office. EPPlus is such a tool.”
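A defender-side triage check for the missing compiled-VBA section described above (an added example, not code from NVISO or from this article): it reads the directory of `xl/vbaProject.bin` inside the OOXML ZIP and flags workbooks whose `_VBA_PROJECT` stream holds only its 7-byte header, meaning no compiled-code cache. The function names and verdict strings are hypothetical; VBA-purged files and legitimate EPPlus exports produce the same result, so a hit is a reason for closer inspection, not a verdict.

```python
import io
import struct
import sys
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature

def cfb_stream_sizes(blob):
    """Map stream name -> size from the directory of an OLE compound file."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    shift, = struct.unpack_from("<H", blob, 30)       # sector size = 2**shift
    first_dir, = struct.unpack_from("<I", blob, 48)   # first directory sector
    size = 1 << shift
    def sector(n):
        return blob[(n + 1) * size:(n + 2) * size]
    fat = []  # FAT sectors named in the header DIFAT (covers small files)
    for loc in struct.unpack_from("<109I", blob, 76):
        if loc < 0xFFFFFFFA:                          # skip FREESECT and other markers
            fat += struct.unpack("<%dI" % (size // 4), sector(loc))
    sizes, sec, seen = {}, first_dir, set()
    while sec < len(fat) and sec not in seen:         # follow the directory chain
        seen.add(sec)
        data = sector(sec)
        for off in range(0, len(data) - 127, 128):    # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", data, off + 64)
            if kind == 2 and 2 <= name_len <= 64:     # type 2 = stream object
                name = data[off:off + name_len - 2].decode("utf-16-le", "replace")
                sizes[name] = struct.unpack_from("<I", data, off + 120)[0]
        sec = fat[sec]
    return sizes

def triage_workbook(data):
    """Return 'no-vba', 'vba-compiled' or 'vba-no-compiled-code' for OOXML bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        if not parts:
            return "no-vba"
        streams = cfb_stream_sizes(z.read(parts[0]))
    # MS-OVBA: _VBA_PROJECT is a 7-byte header followed by the compiled-code cache.
    if streams.get("_VBA_PROJECT", 0) <= 7:
        return "vba-no-compiled-code"
    return "vba-compiled"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_workbook(fh.read()))
```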

Experts pointed out that the spreadsheet files created with the EPPlus library worked like any other Excel document. 

Upon opening the Excel files, the embedded malicious script is executed after the victims click the “Enable editing” button. The macros then download and install the malicious code, a data stealer, on the victim’s system.

Experts observed the attackers delivering well-known infostealer trojans, like Azorult, AgentTesla, Formbook, Matiex, and njRat.

The use of this specific trick was a hallmark of Epic Manchego’s attacks, which were easily spotted by the NVISO experts, who discovered more than 200 malicious Excel files associated with this threat actor.

According to the researchers, the first attack dates back to June 22, 2020.

Since the first attack, experts detected more than 200 malicious documents over a period of 2 months. The cybercrime gang has increased its activity in recent weeks; on some days, the researchers recently spotted more than 10 new malicious documents.

“NVISO assesses with medium confidence that this campaign is delivered by a single threat actor based on the limited number of documents uploaded to services such as VirusTotal, and the similarities in payloads delivery throughout this campaign;” concludes the analysis.


Pierluigi Paganini

(SecurityAffairs – hacking, Norway)
