Cybersecurity Alert: Unmasking Epic Manchego, The Malware Gang Utilizing .NET Library to Craft Deceptive Excel Documents

In the evolving landscape of cybersecurity threats, a newly discovered malware group, known as Epic Manchego, has emerged with a sophisticated method for creating Excel files that skillfully evade security measures. These are not typical Excel files: they are crafted so that some security products do not flag them, and the resulting low detection rates increase the odds that a document reaches its target unblocked.

Innovative Bypassing of Security Protocols in Windows 10:

Remarkably, systems operating on the Windows 10 Anniversary Update demonstrated a robust defense mechanism, successfully shielding against two exploits even before Microsoft issued official patches. This revelation underscores the advanced security capabilities inherent in the latest Windows 10 systems.

Epic Manchego’s Global Phishing Campaigns:

Security researchers from NVISO Labs have been closely monitoring this malware group. Active since June, Epic Manchego has been targeting companies worldwide with phishing emails containing these malicious Excel documents. The group’s tactics signify a growing trend in cybercrime where traditional forms of digital communication are being weaponized.

The Unconventional Nature of These Excel Spreadsheets:

Upon detailed investigation, NVISO revealed that these were not standard Excel spreadsheets. Their ability to bypass security scanners with low detection rates was attributed to the way they were produced. Unlike typical Excel documents, which are generated by Microsoft Office itself, these malicious files were created using a .NET library named EPPlus.

EPPlus: A Tool for Malicious Innovation:

EPPlus is commonly used by developers to integrate “Export as Excel” or “Save as spreadsheet” functions into their applications. The library supports a variety of spreadsheet formats and is even compatible with Excel 2019. NVISO’s findings indicate that the Epic Manchego gang exploited EPPlus to generate Office Open XML (OOXML) format spreadsheet files.

The Technical Edge in Evading Detection:

A critical aspect that allowed these documents to evade detection was the absence of a specific section of compiled VBA code, a hallmark of Excel documents developed using Microsoft’s proprietary software. Many antivirus products and email scanners focus on this segment of VBA code to identify potential threats in Excel documents. As a result, the spreadsheets generated by Epic Manchego exhibited significantly lower detection rates.

The Hidden Dangers in the Code:

Despite lacking the typical VBA code, these files were far from harmless. NVISO found that Epic Manchego ingeniously stored their malicious code in a custom, password-protected VBA code format. This strategy not only made it difficult for security systems to analyze the content but also maintained the appearance of legitimacy.

Functionality of EPPlus-Based Excel Documents:

Interestingly, despite their unique creation process, these EPPlus-based Excel files operated like any standard Excel document. They contained malicious macro scripts that, when activated by unsuspecting users, would download and install malware on the victim’s systems.

The Malware Payloads and Their Impact:

The final malware payloads included notorious infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat. These trojans specialized in extracting sensitive information such as passwords from browsers, emails, and FTP clients, which were then transmitted to Epic Manchego’s servers.

The Downside of Epic Manchego’s Approach:

While initially advantageous, the decision to use EPPlus for creating malicious Excel files eventually became a weakness for Epic Manchego. It allowed the NVISO team to efficiently find all of the group's past operations by searching for Excel documents with unusual characteristics.
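The two passages above (scanners keying on the compiled VBA section that Office-produced documents carry, and NVISO hunting for documents with unusual characteristics) both come down to the same defender's question: does this document look like it was produced by Excel, and does it carry a VBA project? The following Python triage script is an added example written for this page; it is not NVISO's tooling and not code from the original article. It works only at the zip level of an Office Open XML document: it checks for the `xl/vbaProject.bin` part, reads the producer name from `docProps/app.xml`, and checks whether `[Content_Types].xml` declares the workbook as macro-enabled. The sample documents it builds are constructed in memory for the test and are not real Excel files; the generator name `SomeGeneratorLib` is a placeholder, and the example makes no claim about what value EPPlus itself writes into `app.xml`. A real triage pipeline would go one step further and parse the OLE container inside `vbaProject.bin` (for instance with `oletools`) to see whether compiled code is present, which is the hallmark the article describes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace for docProps/app.xml (extended document properties).
APP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"
# Real content type that Excel uses for a macro-enabled (.xlsm) workbook part.
MACRO_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_ooxml(data: bytes) -> dict:
    """Collect zip-level triage facts from an OOXML document held in memory."""
    facts = {"has_vba": False, "application": None, "macro_content_type": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # xl/vbaProject.bin is the OLE container that holds the VBA project.
        facts["has_vba"] = "xl/vbaProject.bin" in names
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            app = root.find(APP_NS + "Application")
            facts["application"] = app.text if app is not None else None
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            facts["macro_content_type"] = MACRO_MAIN in ct
    return facts


def triage_reasons(facts: dict) -> list:
    """Return human-readable reasons why the document deserves a closer look."""
    reasons = []
    if facts["has_vba"] and facts["application"] != "Microsoft Excel":
        reasons.append("VBA project present but producer metadata is %r, not Excel"
                       % facts["application"])
    if facts["has_vba"] and not facts["macro_content_type"]:
        reasons.append("vbaProject.bin present but workbook is not declared macro-enabled")
    return reasons


def build_sample(application: str, with_vba: bool, macro_ct: bool) -> bytes:
    """Construct a minimal OOXML-like zip for testing (constructed data, not a real Excel file)."""
    main_ct = MACRO_MAIN if macro_ct else PLAIN_MAIN
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>' % main_ct
    )
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Application>%s</Application></Properties>' % application
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes standing in for the OLE container; only presence is checked here.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "excel, no macros": build_sample("Microsoft Excel", with_vba=False, macro_ct=False),
        "excel, macros": build_sample("Microsoft Excel", with_vba=True, macro_ct=True),
        "other generator, macros": build_sample("SomeGeneratorLib", with_vba=True, macro_ct=False),
    }
    for label, doc in samples.items():
        facts = inspect_ooxml(doc)
        print(label, "->", facts, triage_reasons(facts) or ["no findings"])
```

The heuristic is deliberately conservative: a VBA project by itself is ordinary in many business environments, so the script only raises a finding when the project is present together with metadata that does not look like Excel's. Run over a mail gateway's quarantine or a file share, that combination is a cheap first filter before the more expensive OLE-level inspection.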

A Comprehensive Discovery by NVISO:

NVISO’s extensive investigation led to the discovery of more than 200 malicious Excel files linked to Epic Manchego, with the earliest dating back to June 22 of the current year.

The Future of Cybersecurity Threats:

NVISO suggests that Epic Manchego is actively experimenting with this technique. Since the initial attacks, there has been a significant increase in both the activity and sophistication of their attacks. This pattern indicates a potential for broader adoption of such tactics in the future.

NVISO’s Insights and Preparedness:

Despite the innovative approach of malware groups like Epic Manchego, NVISO researchers were not entirely caught off guard. They have been familiar with the EPPlus .NET library, having used it for several years to create malicious documents for red team exercises and penetration testing. This prior experience has equipped NVISO with the necessary insight to anticipate and combat such evolving cyber threats effectively.

The emergence of the Epic Manchego malware group serves as a reminder of the continuous need for vigilance and advancement in cybersecurity strategies to counteract the ever-evolving tactics of cybercriminals.
