A newly discovered malware gang is using a clever trick to build malicious Excel files that have low detection rates and a higher chance of evading security systems.
Discovered by security researchers from NVISO Labs, this malware gang, which they named Epic Manchego, has been active since June, targeting companies around the world with phishing emails that carry a malicious Excel file.
But NVISO said these weren't your typical Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.
Malicious Excel files were compiled with EPPlus
According to NVISO, this was because the documents weren't compiled in the standard Microsoft Office software, but with a .NET library called EPPlus.
Developers commonly use this library in their applications to add "Export as Excel" or "Save as spreadsheet" functions. The library can generate files in a wide range of spreadsheet formats, and even supports Excel 2019.
NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.
The OOXML spreadsheet files generated by Epic Manchego lacked the block of compiled VBA code that Microsoft's own Office software writes into a macro-enabled document alongside the macro source.
Some antivirus products and email scanners key on this compiled code when looking for indicators of a malicious Excel document, so a file in which it is absent slips past that check. This would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.
This blob of compiled VBA code is usually where scanners expect to find an attacker's malicious code. Its absence does not mean the files were clean, however. NVISO says that Epic Manchego simply stored their malicious code in a custom VBA code format, and also password-protected the VBA project to hinder security systems and researchers from examining its content. Note that a VBA project password only stops the Office VBA editor from showing the code; the macro source is still inside the file, and Excel runs it without asking for the password.
But despite using a different technique to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel file.
Active since June
The malicious documents (commonly known as maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to run (by clicking through Excel's "Enable Editing" and "Enable Content" prompts), the macros would download and install malware on the victim's systems.
The final payloads were classic infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user's browsers, email clients, and FTP clients, and send them to Epic Manchego's servers.
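The two points above, that the macro source survives in the document without the compiled code and that the VBA password does not protect it, and that the macro fires when the document is opened, can be checked directly on the VBA module stream. The following is an added example (not code from the article or from NVISO) that implements the MS-OVBA decompression used for VBA module source, strips a (possibly zero-length) compiled prefix, and looks for auto-executing procedure names. It assumes the module stream bytes and the module offset have already been pulled out of `xl/vbaProject.bin` with an OLE parser such as olefile; the sample streams below are constructed by hand for the demonstration, and the 16 zero bytes standing in for compiled code are a placeholder, not real p-code.

```python
"""Recover VBA macro source from a module stream and flag auto-exec entry points (added example)."""
import re

# Procedure names Office runs automatically when a document opens.
AUTOEXEC_NAMES = ("Auto_Open", "Workbook_Open", "AutoOpen", "Document_Open", "AutoExec")
_AUTOEXEC_RE = re.compile(r"\bSub\s+(" + "|".join(AUTOEXEC_NAMES) + r")\b", re.IGNORECASE)


def decompress_ovba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (the format of VBA module source and the 'dir' stream)."""
    if not container or container[0] != 0x01:
        raise ValueError("not an MS-OVBA CompressedContainer (signature byte 0x01 missing)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        if pos + 2 > len(container):
            raise ValueError("truncated CompressedChunkHeader")
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)  # size field counts the header too
        chunk_start = len(out)  # decompressed offset at which this chunk begins
        pos += 2
        if not header & 0x8000:
            out += container[pos:pos + 4096]  # uncompressed chunk: 4096 raw bytes
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):  # one flag bit per token: 0 = literal byte, 1 = copy token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated CopyToken")
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # The offset/length split widens as more of the chunk has been decompressed.
                bit_count = max(4, (len(out) - chunk_start - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("CopyToken reaches before the start of the chunk")
                for i in range(length):  # byte-wise copy: source may overlap the output
                    out.append(out[src + i])
    return bytes(out)


def extract_module_source(module_stream: bytes, module_offset: int) -> bytes:
    """A module stream is the compiled code (PerformanceCache, MODULEOFFSET bytes from the 'dir'
    stream) followed by the compressed source. A document written without compiled code has
    nothing in front of the source. Neither part is touched by the VBA project password."""
    return decompress_ovba(module_stream[module_offset:])


def find_autoexec(source: bytes) -> list:
    """Return the auto-executing procedure names declared in the recovered source."""
    text = source.decode("cp1252", errors="replace")
    return [m.group(1) for m in _AUTOEXEC_RE.finditer(text)]


# Constructed sample: the compressed form of b"Sub Auto_Open()\r\nEnd Sub\r\n" (one chunk).
COMPRESSED_SOURCE = (
    b"\x01"                                  # CompressedContainer signature
    b"\x1b\xb0"                              # chunk header: 27+3 bytes, signature 0b011, compressed
    b"\x00" b"Sub Auto"                      # flag byte 0x00: eight literals
    b"\x00" b"_Open()\r"                     # flag byte 0x00: eight literals
    b"\x20" b"\nEnd " b"\x00\xa0" b"\r\n"    # bit 5 set: copy token (offset 20->21, length 3) = "Sub"
)
# Constructed stand-ins: a stream with no compiled code in front of the source (offset 0),
# and an Office-style stream with a placeholder "compiled" prefix (offset 16). The zeros are not p-code.
NO_CACHE_STREAM = COMPRESSED_SOURCE
OFFICE_STYLE_STREAM = b"\x00" * 16 + COMPRESSED_SOURCE

if __name__ == "__main__":
    for label, stream, offset in (("no compiled code", NO_CACHE_STREAM, 0),
                                  ("office-style", OFFICE_STYLE_STREAM, 16)):
        src = extract_module_source(stream, offset)
        print(f"{label}: auto-exec entry points {find_autoexec(src)}")
        print(src.decode("cp1252"))
```

On a real document, the bytes for `module_stream` come from the module's stream inside `xl/vbaProject.bin` and `module_offset` from the MODULEOFFSET record of the `dir` stream (itself an MS-OVBA container that `decompress_ovba` can unpack). Because the source is recoverable this way whether or not the compiled block exists, a triage rule that only keys on the compiled code, as the scanners described above did, misses exactly the files this gang produced.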
While the decision to use EPPlus to generate their malicious Excel files may have had some advantages at first, it also ended up hurting Epic Manchego in the long run, as it allowed the NVISO team to easily uncover all their past operations by searching for unusual-looking Excel documents.
In the end, NVISO said it found more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22 of this year.
NVISO says this group appears to be experimenting with this technique, and since the first attacks they have increased both their activity and the sophistication of their attacks, suggesting the technique could see broader use in the future.
However, NVISO researchers weren't entirely surprised that malware groups are now using EPPlus.
“We are familiar with this .NET library, as we have been using it for a few years to create malicious documents (“maldocs”) for our red team and penetration testers,” the company said.
Indicators of compromise and a technical breakdown of the malicious EPPlus-generated Excel files are available in NVISO Labs' Epic Manchego report.