Malicious Excel Sheets Compiled Using .NET Spread to Install Malware

NVISO researchers have discovered a new gang, called Epic Manchego, that is spreading malicious Excel sheets to companies around the world. Analysis of the campaign showed that the gang compiles its Excel sheets with the EPPlus library instead of Microsoft’s default Office software, thereby skipping the VBA section and achieving low detection rates.

New Malicious Gang Using .NET to Craft Stealthy Malware Excel Sheets

Since antivirus software is getting better at detecting malware, threat actors are gradually evolving new techniques to hide their payloads. In a new incident discovered by researchers from NVISO Labs, a new gang named Epic Manchego is crafting malicious Excel sheets that cleverly hide its malware code.

Operating since June this year, the Epic Manchego group is said to be using the EPPlus software to craft its malicious Excel documents. EPPlus is a .NET library that developers use in their apps to provide “Save as spreadsheet” or “Export as Excel” options. This lets users save their work as spreadsheets or in Excel format.

Epic Manchego spreading timeline

A major advantage of using EPPlus is that files compiled with it can skip the VBA section when saved. The VBA section is where most threat actors store their malware code, which is unpacked once the target opens the file. Researchers say the output file, in Office Open XML (OOXML) format, looks the same as a document made with Microsoft’s Office software.

Since most antivirus software checks the VBA section for malicious code, it passes these EPPlus-compiled files as clean, putting users at risk. Upon opening the file, the user is prompted to enable macros for proper viewing, which downloads the malware. Researchers said that, once unpacked, it acts like any other info-stealer and dumps all the sensitive information from browsers, FTP clients and email clients.
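As a defender-side illustration (an added example, not code from NVISO or from the original article): instead of trusting a scanner's verdict on the VBA content, a mail or upload filter can flag any OOXML workbook that is able to prompt for macros at all, based on the package's parts and declared content types. The function names are hypothetical and the two sample packages are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_TYPE = "application/vnd.ms-office.vbaProject"
MAX_XML = 1_000_000  # refuse an oversized [Content_Types].xml (decompression bomb guard)

def macro_indicators(data):
    """Return the reasons this OOXML package can carry macros ([] if none)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ["not an OOXML (ZIP) package"]
    reasons = []
    with zipfile.ZipFile(buf) as pkg:
        names = pkg.namelist()
        # 1. A VBA project part exists, whatever a scanner thinks of its content.
        reasons += ["part " + n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" not in names:
            return reasons + ["missing [Content_Types].xml"]
        if pkg.getinfo("[Content_Types].xml").file_size > MAX_XML:
            return reasons + ["oversized [Content_Types].xml"]
        raw = pkg.read("[Content_Types].xml")
    if b"<!DOCTYPE" in raw:  # this part needs no DTD; refuse rather than expand entities
        return reasons + ["DTD in [Content_Types].xml"]
    # 2. The package declares macro-enabled content types.
    for el in ET.fromstring(raw):
        ctype = el.get("ContentType", "")
        if ctype == VBA_TYPE or "macroenabled" in ctype.lower():
            target = el.get("PartName") or "*." + el.get("Extension", "?")
            reasons.append("content type " + ctype + " for " + target)
    return reasons

def build_sample(with_macro):
    """Constructed minimal package for the demo; not a real campaign sample."""
    main = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    extra = ""
    if with_macro:
        main = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        extra = '<Default Extension="bin" ContentType="%s"/>' % VBA_TYPE
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '%s<Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>' % (extra, main))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"placeholder")  # stand-in bytes, no code
    return out.getvalue()

if __name__ == "__main__":
    for with_macro in (False, True):
        print(with_macro, macro_indicators(build_sample(with_macro)))
```

A filter built on this quarantines or strips macro-capable attachments by policy, so the decision does not depend on whether the embedded code looks malicious to a scanner.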

After the discovery, researchers used Epic Manchego's reliance on EPPlus to trace the group's past activity. The group has reportedly been spreading these malicious files since June 22nd and has sent over 200 malicious Excel files to date. Read more about the Indicators of Compromise and technical explanation of Epic Manchego.
