Malware gang uses .NET library to generate Excel docs that bypass security checks

They were still Excel documents. Just not your typical Excel files. Enough to trick some security systems, though.


A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.


Discovered by security researchers from NVISO Labs, this malware gang -- which they named Epic Manchego -- has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.

But NVISO said these weren't your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.

Malicious Excel files were compiled with EPPlus

According to NVISO, this was because the documents weren't created with Microsoft Office itself, but with a .NET library called EPPlus.

Developers typically use this library in their applications to add "Export as Excel" or "Save as spreadsheet" functions. The library can generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.

NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.

The OOXML spreadsheet files generated by Epic Manchego lacked the compiled VBA code (the p-code) that Excel itself writes into a document's VBA project alongside the macro source whenever a document is saved from Microsoft's own Office software.

Some antivirus products and email scanners look specifically at this compiled portion of the VBA project for signs of a malicious Excel document, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.

This compiled blob is usually where an attacker's malicious code ends up being inspected. However, the absence of it doesn't mean the files were clean. NVISO says that Epic Manchego's documents still carried their malicious code as plain VBA source inside the project, and that the VBA project was password-protected to hinder analysis by security systems and researchers. Note that a VBA project password only makes the VBA editor prompt before showing the code; it does not encrypt the macro source, which analysis tools can still extract from the file.
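To make the "password-protected but not encrypted" point concrete: VBA module source is stored in the project's module streams compressed with the MS-OVBA container algorithm, and the project password lives separately in the PROJECT stream, so the source is recoverable without it. The following Python is an added example written for this page, not code from NVISO, from EPPlus or from the article; it implements that compression in both directions (the compressor is a simple greedy matcher, not Office's own) plus a helper that skips the compiled p-code an Office-built module stream carries ahead of the source. The sample macro text and the 16-byte fake p-code prefix are constructed inputs; the only value an analyst would take from a real file is the module's source offset, recorded in the project's dir stream.

```python
"""Added example: MS-OVBA compressed-container codec for VBA module source.

An Office-built module stream is [p-code][compressed source]; the offset of the
compressed source is recorded in the project's dir stream. A module that holds
no compiled code (as the article describes for the EPPlus-generated documents)
has its compressed source at offset 0. Neither layout involves the VBA project
password, which only gates the editor.
"""

CHUNK_MAX = 4096          # decompressed bytes per chunk
CHUNK_SIGNATURE = 0b011   # bits 12..14 of every chunk header


def decompress_source(data: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container into raw module source."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != CHUNK_SIGNATURE:
            raise ValueError(f"bad chunk signature at offset {pos}")
        chunk_end = pos + (header & 0x0FFF) + 3   # size field counts the 2 header bytes
        compressed = header >> 15
        pos += 2
        chunk_start = len(out)                     # needed for the offset/length bit split
        if not compressed:                         # raw chunk: literal bytes, no tokens
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                      # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:         # literal token: a single byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # Copy-token layout depends on how far into the chunk we already are.
                diff = len(out) - chunk_start
                bit_count = max(4, (diff - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError(f"copy token reaches before chunk start at {pos - 2}")
                for i in range(length):            # byte-wise copy so overlaps work
                    out.append(out[src + i])
    return bytes(out)


def _compress_chunk(chunk: bytes) -> bytes:
    """Greedy LZ token stream (without header) for one chunk of at most 4096 bytes."""
    payload = bytearray()
    i, n = 0, len(chunk)
    while i < n:
        flags = 0
        tokens = bytearray()
        for bit in range(8):
            if i >= n:
                break
            bit_count = max(4, (i - 1).bit_length()) if i else 4
            max_len = (0xFFFF >> bit_count) + 3
            best_len = best_off = 0
            for off in range(1, i + 1):            # any offset <= i fits in bit_count bits
                length = 0
                while (length < max_len and i + length < n
                       and chunk[i + length - off] == chunk[i + length]):
                    length += 1
                if length > best_len:
                    best_len, best_off = length, off
            if best_len >= 3:                      # copy token: 2 bytes replace >= 3
                token = ((best_off - 1) << (16 - bit_count)) | (best_len - 3)
                tokens += token.to_bytes(2, "little")
                flags |= 1 << bit
                i += best_len
            else:
                tokens.append(chunk[i])
                i += 1
        payload.append(flags)
        payload += tokens
    return bytes(payload)


def compress_source(source: bytes) -> bytes:
    """Compress raw module source into an MS-OVBA container."""
    out = bytearray(b"\x01")
    for start in range(0, len(source), CHUNK_MAX):
        chunk = source[start:start + CHUNK_MAX]
        payload = _compress_chunk(chunk)
        if len(payload) <= CHUNK_MAX:
            header = (len(payload) - 1) | (CHUNK_SIGNATURE << 12) | 0x8000
        else:                                      # incompressible: store raw, padded to 4096
            payload = chunk.ljust(CHUNK_MAX, b"\x00")
            header = (CHUNK_MAX - 1) | (CHUNK_SIGNATURE << 12)
        out += header.to_bytes(2, "little") + payload
    return bytes(out)


def vba_module_source(module_stream: bytes, source_offset: int) -> bytes:
    """Recover one module's source; bytes before source_offset are p-code and are skipped."""
    return decompress_source(module_stream[source_offset:])


# Constructed, benign sample macro text (not from any real document).
SAMPLE_MACRO = (b'Attribute VB_Name = "Module1"\r\n'
                b"Sub Auto_Open()\r\n    MsgBox \"hi\"\r\nEnd Sub\r\n")

if __name__ == "__main__":
    packed = compress_source(SAMPLE_MACRO)
    office_style = b"\xCA\xFE" * 8 + packed      # constructed: 16 bytes of fake p-code first
    print(vba_module_source(office_style, 16).decode())   # source offset from the dir stream
    print(vba_module_source(packed, 0).decode())          # source-only module: offset 0
```

Any real-world analysis would take the module stream and its offset from the OLE container inside xl/vbaProject.bin; the decoding step above is the same in both layouts, which is exactly why a missing p-code blob changes what a scanner sees without changing what the document does.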

[Image: NVISO. The password prompt Excel shows when opening the protected VBA project.]

But despite being generated by a different tool, the EPPlus-based spreadsheet files still opened and behaved like any other Excel document.

Active since June

The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking through the "Enable editing" and then the "Enable content" prompts), the macros would download and install malware on the victim's systems.

The final payloads were classic infostealers and remote access trojans such as Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user's browsers, email and FTP clients, and send them to Epic Manchego's servers.

While the decision to use EPPlus to generate their malicious Excel files might have had some benefits at first, it also ended up hurting Epic Manchego in the long run, as it allowed the NVISO team to easily uncover all their past operations by searching for oddly built Excel documents.

In the end, NVISO said it discovered more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22, this year.

[Image: NVISO. Timeline of the malicious Excel documents attributed to Epic Manchego.]

NVISO says this group appears to be experimenting with the technique, and since the first attacks they have increased both their activity and the sophistication of their attacks, suggesting the technique might see broader use in the future.

Nevertheless, NVISO researchers weren't totally surprised that malware groups are now using EPPlus.

"We are familiar with this .NET library, as we have been using it for a couple of years to create malicious documents ("maldocs") for our red team and penetration testers," the company said.

Indicators of compromise and a technical breakdown of the malicious EPPlus-rendered Excel files are available in NVISO Labs' Epic Manchego report.