{"id":36984,"date":"2020-09-05T19:13:00","date_gmt":"2020-09-05T19:13:00","guid":{"rendered":"http:\/\/b7a71df5-9f23-4769-b461-628912282e1e"},"modified":"2020-09-05T19:13:00","modified_gmt":"2020-09-05T19:13:00","slug":"malware-gang-uses-net-library-to-generate-excel-docs-that-bypass-security-checks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/malware-gang-uses-net-library-to-generate-excel-docs-that-bypass-security-checks\/","title":{"rendered":"Malware gang uses .NET library to generate Excel docs that bypass security checks"},"content":{"rendered":"
\"Microsoft<\/span>
<\/span><\/figcaption><\/figure>\n

A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.<\/p>\n

Discovered by security researchers from NVISO Labs, this malware gang \u2014 which they named Epic Manchego<\/em><\/strong> \u2014 has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.<\/p>\n

But NVISO said these weren’t your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.<\/p>\n

Malicious Excel files were compiled with EPPlus<\/h2>\n

According to NVISO, this was because the documents weren’t compiled in the standard Microsoft Office software, but with a .NET library called EPPlus<\/a>.<\/p>\n

Developers typically use this library part of their applications to add “Export as Excel” or “Save as spreadsheet” functions. The library can be used to generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.<\/p>\n

NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.<\/p>\n

OOXML spreadsheet files lack a portion of compiled VBA code, specific to Excel documents compiled in Microsoft’s proprietary Office software.<\/p>\n

<\/section>\n

Some antivirus products and email scanners specifically look for this portion of VBA code to search for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.<\/p>\n

This blob of compiled VBA code is usually where an attacker’s malicious code would be stored. However, this doesn’t mean the files were clean. NVISO says that the Epic Manchego simply stored their malicious code in a custom VBA code format, in another part of the document. This code was also password-protected to prevent security systems and researchers from analyzing its content.<\/p>\n

\"password-prompt-vba-project.png\"<\/span>