Malicious Excel Files Execute Password-Stealing Malware

A newly identified malware group is spreading info-stealing malware through carefully constructed Microsoft Excel files. The malicious documents are surprisingly hard for antivirus tools to detect and pose a significant risk to the organisations that receive them.

The group has been named Epic Manchego by the NVISO Labs researchers who discovered it. It has been active since the middle of summer 2020 and has been attempting to infiltrate company networks around the globe using phishing emails that carry the malicious Excel files.

The reason the malicious Excel files have such low detection rates is that they were not created and saved with Microsoft Office. Instead, the spreadsheets were generated with an uncommon .NET library called EPPlus. The EPPlus project is open source and is normally used by applications to export data into Excel files, among other spreadsheet formats. According to the researchers, the files produced with EPPlus use the Office Open XML (OOXML) format, just like a spreadsheet saved from Excel. What they lack is the block of compiled Visual Basic for Applications (VBA) code that Office writes into the VBA project alongside the macro source when a spreadsheet is saved; an EPPlus-built file carries only the source.

Custom-formatted VBA Code Trips Up Detection

It is precisely that compiled VBA code that a number of antivirus engines key on when they look for macros and malicious content in Excel files. With that marker missing, the files achieved surprisingly high evasion rates. Epic Manchego went further: the VBA project in their files is stored in a non-standard form and is password-protected, so that anyone, or any tool, that opens the project to inspect the macro code runs into an extra obstacle.
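The two traits described above, a VBA project that carries no compiled code and a VBA project password, can both be checked statically. The script below is an added triage example written for this article; it is not code from NVISO Labs, from EPPlus or from any antivirus vendor. It assumes the MS-OVBA layout: the `_VBA_PROJECT` stream opens with a fixed 7-byte header followed by the version-dependent cache of compiled code that Office writes, so a 7-byte stream carries no compiled code (assumption based on the specification, consistent with what the article reports for EPPlus output); and the `DPB=` value in the `PROJECT` stream encodes a single data byte when no password is set, so any value longer than 22 hex characters carries a password hash or plaintext password. The directory scan is a lightweight heuristic, not a full compound-file parser, and the sample workbook it builds is constructed purely to exercise the checks (it is not a real macro document).

```python
"""Static triage of an OOXML workbook: macro-enabled? compiled VBA present?
VBA project password set? Added example, not NVISO's or EPPlus's code."""
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# _VBA_PROJECT = Reserved1(2) + Version(2) + Reserved2(1) + Reserved3(2) bytes,
# then the PerformanceCache (compiled code) that Office appends (MS-OVBA 2.3.4.1).
# Assumption: a stream of exactly the header length carries no compiled code.
VBA_PROJECT_HEADER_LEN = 7
# DPB= (ProjectPassword) = Seed(1)+Version(1)+ProjKey(1)+0..3 ignored+Length(4)+Data,
# hex-encoded. With no password Data is one byte, so at most 22 hex characters.
DPB_NO_PASSWORD_MAX_HEX = 22


def cfb_stream_sizes(ole: bytes) -> dict:
    """Lightweight directory scan of a compound file (CFB) container.
    Directory entries are 128 bytes and, with 512-byte sectors, sit at
    128-byte-aligned file offsets, so triage can locate them without walking
    the FAT. Heuristic only: fragmented or 4096-byte-sector files may be misread."""
    sizes = {}
    if not ole.startswith(CFB_MAGIC):
        return sizes
    for off in range(512, len(ole) - 127, 128):
        entry = ole[off:off + 128]
        name_len = int.from_bytes(entry[64:66], "little")
        obj_type = entry[66]  # 1 = storage, 2 = stream, 5 = root entry
        if obj_type not in (1, 2, 5) or name_len < 4 or name_len > 64 or name_len % 2:
            continue
        if entry[name_len - 2:name_len] != b"\x00\x00":
            continue
        try:
            name = entry[:name_len - 2].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if not name.isprintable():
            continue
        if obj_type == 2:
            sizes[name] = int.from_bytes(entry[120:124], "little")
    return sizes


def triage_ooxml(data: bytes) -> dict:
    """Return triage signals for a workbook given as raw bytes."""
    report = {"is_ooxml_zip": False, "declares_vba_project": False,
              "has_vba_bin": False, "vba_bin_is_cfb": False, "streams": {},
              "compiled_vba_present": None, "vba_project_password": None}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        report["is_ooxml_zip"] = "[Content_Types].xml" in names
        if report["is_ooxml_zip"]:
            report["declares_vba_project"] = VBA_CONTENT_TYPE in z.read("[Content_Types].xml")
        if "xl/vbaProject.bin" not in names:
            return report
        vba = z.read("xl/vbaProject.bin")
    report["has_vba_bin"] = True
    report["vba_bin_is_cfb"] = vba.startswith(CFB_MAGIC)
    sizes = cfb_stream_sizes(vba)
    report["streams"] = sizes
    if "_VBA_PROJECT" in sizes:
        report["compiled_vba_present"] = sizes["_VBA_PROJECT"] > VBA_PROJECT_HEADER_LEN
    m = re.search(rb'DPB="([0-9A-Fa-f]+)"', vba)  # PROJECT stream is plain ASCII
    if m:
        report["vba_project_password"] = len(m.group(1)) > DPB_NO_PASSWORD_MAX_HEX
    return report


def _dir_entry(name: str, obj_type: int, size: int = 0) -> bytes:
    """One 128-byte CFB directory entry (constructed sample data)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    entry[64:66] = len(raw).to_bytes(2, "little")
    entry[66] = obj_type
    entry[68:80] = b"\xff" * 12  # no sibling/child links in this sketch
    entry[120:124] = size.to_bytes(4, "little")
    return bytes(entry)


def build_sample_xlsm(compiled: bool, password: bool) -> bytes:
    """Constructed sample, not a real workbook: just enough CFB layout and
    PROJECT text to exercise triage_ooxml()."""
    vba_size = 400 if compiled else VBA_PROJECT_HEADER_LEN
    dpb = "A" * (88 if password else 20)
    project = f'ID="{{00000000-0000-0000-0000-000000000000}}"\r\nDPB="{dpb}"\r\n'.encode()
    ole = bytearray(CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC)))  # header sector
    ole += _dir_entry("Root Entry", 5) + _dir_entry("VBA", 1)
    ole += _dir_entry("_VBA_PROJECT", 2, vba_size) + _dir_entry("PROJECT", 2, len(project))
    ole += project.ljust(512, b"\x00")  # PROJECT stream sector
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName="/xl/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("xl/vbaProject.bin", bytes(ole))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample_xlsm(compiled=False, password=True)))
```

On a real file, pass `open(path, "rb").read()` to `triage_ooxml()`. A result with `declares_vba_project` true, `compiled_vba_present` false and `vba_project_password` true matches the profile this article describes; treat it as a hunting signal, not a verdict, since a full parser such as oletools should confirm what the lightweight scan reports.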

Despite the unusual way the files are built, the result still contains ordinary malicious macros, and the infection chain is the same as with any other booby-trapped Office document: immediately after opening the file, the user is prompted to enable macros by clicking a button. Enabling macros runs the malicious script, which downloads the payload and then executes it.

The payloads the researchers found delivered by the malicious Excel files were a number of known information-stealing Trojans, such as Matiex, njRAT and Azorult. These scrape login credentials from the victim's browsers and other software and send them back to the attackers.

The distinctive artifacts left by the EPPlus-built files also allowed the researchers to hunt back through earlier detections and suspicious Excel documents. That retrospective search by NVISO Labs showed that Epic Manchego has been active since at least late June 2020 and has been steadily refining its methods, which suggests newer, more sophisticated attacks are likely to follow.

September 18, 2020