Epic Manchego Compiles Malicious Excel Files Using EPPlus to Avoid Detection
Several attackers have been using malicious Excel documents to deliver malware through VBA macros. NVISO researchers recently analyzed a set of custom-built macro-laden Excel workbooks, which could thwart malware defense mechanisms such as antivirus solutions.
Active since June 2020, the malware group dubbed Epic Manchego has been targeting companies all over the world with phishing emails.
- Attackers were found using more than 200 malicious documents to target victims across 27 countries, including the United States, Czech Republic, France, Germany, and China.
- The malicious emails were sent to the targets in the aluminum sector and medical equipment manufacturing sector, someone working in facility management, and a vendor of custom made press machines.
- Epic Manchego deployed info-stealer trojans such as Azorult, AgentTesla, Formbook, Matiex, and njRat as final payloads with the intention of harvesting passwords from browsers and email clients, among others.
- To lower the detection rate for malicious documents, the creators of the malicious Excel documents uses a technique called VBA Purging that allowed them to create macro-laden Excel workbooks, without actually using Microsoft Office.
- The gang uses EPPlus, a .NET library, to create Office Open XML (OOXML) spreadsheets without compiled VBA code and Office metadata.
The trick that didn't work
NVISO researchers found that Epic Manchego’s experiment with OOXML files was capable enough to trick some security systems. However, the decision to use EPPlus to generate their malicious Excel files allowed the NVISO team to easily dig up all their past operations by searching for odd-looking Excel documents.
The bottom line
From the analysis, it is clear that Epic Manchego hackers have been gradually improving their technical prowess. Since the group appears to be experimenting with different attack techniques, experts indicate that it might come up with more dangerous methods in the future.