Epic Manchego 🦌.Net Malware

A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.

This malware gang — which they named Epic Manchego — has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.

These weren’t your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.

Developers typically use this library part of their applications to add “Export as Excel” or “Save as spreadsheet” functions. The library can be used to generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.

The Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.

OOXML spreadsheet files lack a portion of compiled VBA code, specific to Excel documents compiled in Microsoft’s proprietary Office software.

Some antivirus products and email scanners specifically look for this portion of VBA code to search for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.

This blob of compiled VBA code is usually where an attacker’s malicious code would be stored. However, this doesn’t mean the files were clean. The Epic Manchego simply stored their malicious code in a custom VBA code format, in another part of the document. This code was also password-protected to prevent security systems and researchers from analyzing its content.

But despite using a different method to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel document.

The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking the “Enable editing” button), the macros would download and install malware on the victim’s systems.

The final payloads were classic infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user’s browsers, emails, and FTP clients, and sent them to Epic Machengo’s servers.

In the end, more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22, this year.