A malware group created malicious Excel files with a low detection rate and a high chance of circumventing security systems, and used them to attack companies around the world.
The methods attackers use to get into systems can be surprising, and another one has just come to light: a malware group has been building malicious Excel files by an unusual route. The detection rate of these files is low, and their rate of bypassing security systems is correspondingly high.
Discovered by security researchers at NVISO Labs, the group, tracked as Epic Manchego, has been targeting companies around the world since June with e-mails carrying malicious Excel attachments. According to NVISO, these are not standard Excel spreadsheets: they are built in a way that lets them slip past security scanners.
Harmful Excel files
According to NVISO, the files get past security scanners because they were generated with EPPlus, a .NET library for creating spreadsheets, rather than with Microsoft Office itself. EPPlus can write spreadsheets in several formats and supports the Excel 2019 file format. NVISO notes that the Office Open XML (OOXML) spreadsheets produced by Epic Manchego do not contain compiled VBA code, which is only written into Excel documents saved by Microsoft Office software.
That compiled VBA code is normally where an attacker's malicious code resides. NVISO states that Epic Manchego instead stores its malicious code in a custom VBA format that is encrypted, which helps it evade security systems and hinders researchers who try to analyse the content. And although the documents are created by a different route, EPPlus-generated spreadsheets otherwise open and behave like any other Excel document.
The documents carry malicious macros. If the user who opens the Excel file clicks the Enable Editing button and allows the content to run, these macros download and install malware on the victim's computer. The final payloads are information-stealing trojans such as Azorult, AgentTesla, Formbook, Matiex and njRat, which harvest data from the victim's browsers, e-mail clients and FTP clients and send it to Epic Manchego's servers.
Using EPPlus to build the malicious Excel files benefited Epic Manchego at first, but it works against the group in the long run: because EPPlus-generated documents are unusual, Epic Manchego's past operations can be traced by hunting for Excel files with this atypical structure. Using this method, NVISO found more than 200 malicious Excel files linked to the group, the earliest of them dated June 22nd.
NVISO stated that the group gained experience with the technique after its first attack and then increased both the volume and the complexity of its attacks. NVISO also stated that the technique could see wider use in the future.
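As an added illustration of the hunting angle above (example code written for this page, not NVISO's tooling, and the sample workbooks it builds are constructed in memory), the script below extracts the package-level features a defender would use to spot unusually built OOXML spreadsheets like the ones described. The article's strongest indicator, the absence of compiled VBA inside xl/vbaProject.bin, needs a compound-file parser and is not implemented here; the script only checks that the VBA part exists, starts with the compound-file magic, and is declared in [Content_Types].xml, and reads the producing application from docProps/app.xml. Which values a particular generator writes into app.xml is an assumption that a hunter must confirm against real samples before relying on that flag.

```python
"""Package-level triage of Office Open XML spreadsheets (.xlsx / .xlsm).

Added example, not NVISO's tooling. Sample workbooks are constructed in
memory so the script runs offline; no real malware is embedded.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Compound File Binary header magic: a real vbaProject.bin starts with this.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MACRO_CT = "application/vnd.ms-office.vbaProject"
NS_EXT = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"


def triage_ooxml(data: bytes) -> dict:
    """Return hunting features and heuristic flags for one OOXML blob."""
    result = {"is_zip": False, "has_vba": False, "vba_is_cfb": False,
              "declares_vba_part": False, "application": None, "flags": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["flags"].append("not-a-zip")
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "xl/vbaProject.bin" in names:          # macro project embedded
            result["has_vba"] = True
            result["vba_is_cfb"] = z.read("xl/vbaProject.bin").startswith(CFB_MAGIC)
        if "[Content_Types].xml" in names:        # is the VBA part declared?
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(f"{{{NS_CT}}}Override"):
                if el.get("ContentType") == MACRO_CT:
                    result["declares_vba_part"] = True
        if "docProps/app.xml" in names:           # which app claims authorship?
            root = ET.fromstring(z.read("docProps/app.xml"))
            app = root.find(f"{{{NS_EXT}}}Application")
            if app is not None and app.text:
                result["application"] = app.text.strip()
    # Heuristic flags: none of these alone proves malice, they rank files for review.
    if result["has_vba"]:
        result["flags"].append("vba-project-present")
        if not result["vba_is_cfb"]:
            result["flags"].append("vba-project-not-cfb")
        if not result["declares_vba_part"]:
            result["flags"].append("vba-undeclared-in-content-types")
    if result["application"] is None:
        result["flags"].append("no-application-metadata")
    elif not result["application"].startswith("Microsoft"):
        result["flags"].append("non-office-application")
    return result


def build_sample(with_vba: bool, application: Optional[str]) -> bytes:
    """Construct a minimal OOXML package in memory (test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = ['<?xml version="1.0" encoding="UTF-8"?>', f'<Types xmlns="{NS_CT}">',
              '<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            ct.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{MACRO_CT}"/>')
        ct.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(ct))
        z.writestr("xl/workbook.xml", "<workbook/>")
        if application is not None:
            z.writestr("docProps/app.xml",
                       f'<Properties xmlns="{NS_EXT}"><Application>{application}</Application></Properties>')
        if with_vba:
            # Only the compound-file header is reproduced; a real project would follow.
            z.writestr("xl/vbaProject.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "office-macro": build_sample(True, "Microsoft Excel"),
        "macro-no-app-metadata": build_sample(True, None),
        "macro-other-generator": build_sample(True, "SomeGenerator"),
        "plain-workbook": build_sample(False, "Microsoft Excel"),
    }
    for name, blob in samples.items():
        print(name, triage_ooxml(blob)["flags"])
```

In a real hunt the flags are a ranking aid, not a verdict: a legitimately generated report from a non-Office tool will trip the application check, so the next step for any flagged file is to pull xl/vbaProject.bin and inspect the VBA project itself.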