Saturday, March 6, 2021

Malware gang uses .NET library to generate Excel docs that bypass security checks

6 months ago
in Technology
4 min read

A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.

Discovered by security researchers from NVISO Labs, this malware gang — which they named Epic Manchego — has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.

But NVISO said these weren’t your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.

Malicious Excel files were compiled with EPPlus

According to NVISO, this was because the documents weren’t compiled in the standard Microsoft Office software, but with a .NET library called EPPlus.

Developers typically use this library as part of their applications to add “Export as Excel” or “Save as spreadsheet” functions. The library can generate files in a wide variety of spreadsheet formats, and even supports Excel 2019.

NVISO says the Epic Manchego gang appears to have used EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.

The OOXML spreadsheet files generated by Epic Manchego lacked a section of compiled VBA code, specific to Excel documents compiled in Microsoft’s proprietary Office software.

Some antivirus products and email scanners specifically look for this portion of VBA code to search for possible signs of malicious Excel docs, which would explain why spreadsheets generated by the Epic Manchego gang had lower detection rates than other malicious Excel files.

This blob of compiled VBA code is usually where an attacker’s malicious code would be stored. However, this doesn’t mean the files were clean. NVISO says the Epic Manchego gang simply stored their malicious code in a custom VBA code format, which was also password-protected to prevent security systems and researchers from analyzing its content.

[Image: VBA project password prompt (Image: NVISO)]

But despite using a different method to generate their malicious Excel documents, the EPPlus-based spreadsheet files still worked like any other Excel document. 

Active since June

The malicious documents (also called maldocs) still contained a malicious macro script. If users who opened the Excel files allowed the script to execute (by clicking the “Enable editing” button), the macros would download and install malware on the victim’s systems.

The final payloads were classic infostealer trojans such as Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user’s browsers, email and FTP clients and send them to Epic Manchego’s servers.

While the decision to use EPPlus to generate their malicious Excel files might have had some benefits in the beginning, it also hurt Epic Manchego in the long run, as it allowed the NVISO team to very easily detect all their past operations by searching for odd-looking Excel documents.

In the end, NVISO said it discovered more than 200 malicious Excel files linked to Epic Manchego, with the first one dating back to June 22, this year.
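A defender-side triage script, added here as an example and not part of the article or of NVISO’s report: it opens an OOXML spreadsheet, walks the directory of the embedded vbaProject.bin (an OLE compound file) to see whether the `_VBA_PROJECT` stream carries a compiled performance cache of any size, and looks at the `DPB=` entry of the text `PROJECT` stream for signs of a project password. Every function name is mine; the sample documents are constructed by the `build_sample_xlsm` helper rather than taken from the campaign; and the 64-byte cache threshold, the 40-hex-digit password heuristic and the assumption that a non-Office generator writes only the fixed 7-byte `_VBA_PROJECT` header are assumptions for this example, not NVISO’s hunting rule.

```python
import io
import re
import struct
import zipfile

# OLE compound file (MS-CFB) constants; vbaProject.bin is such a file.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
STREAM, ROOT = 2, 5


def cfb_streams(blob: bytes) -> dict:
    """Map stream name -> declared size by walking the CFB directory chain (no stream data read)."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", blob, 30)[0]
    dir_start = struct.unpack_from("<I", blob, 48)[0]
    fat = []
    for sect in struct.unpack_from("<109I", blob, 76):  # DIFAT entries stored in the header
        if sect >= 0xFFFFFFFA:                          # FREESECT etc.: no more FAT sectors
            break
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", blob, (sect + 1) * sector_size))
    streams, sect, seen = {}, dir_start, set()
    while sect < len(fat) and sect not in seen:         # ENDOFCHAIN (or a cycle) ends the walk
        seen.add(sect)
        off = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            entry = blob[off + i * 128:off + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == STREAM and name_len >= 2:
                name = entry[:name_len - 2].decode("utf-16-le")
                streams[name] = struct.unpack_from("<I", entry, 120)[0]  # low 32 bits of size
        sect = fat[sect]
    return streams


def triage_spreadsheet(data: bytes, min_cache_bytes: int = 64) -> dict:
    """Flag an OOXML spreadsheet whose VBA project does not look like Office built it."""
    result = {"vba_project": False, "streams": {}, "compiled_cache_bytes": None,
              "project_password": False, "flags": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            part = next((n for n in names if n.lower().endswith("vbaproject.bin")), None)
            blob = zf.read(part) if part and "[Content_Types].xml" in names else None
    except zipfile.BadZipFile:
        result["flags"].append("not a zip/OOXML container")
        return result
    if blob is None:
        return result                                   # workbook without a VBA project
    result["vba_project"] = True
    result["streams"] = cfb_streams(blob)
    cache = result["compiled_cache_bytes"] = result["streams"].get("_VBA_PROJECT")
    # Office keeps compiled p-code (the "performance cache") in _VBA_PROJECT; a generator
    # that writes only the fixed 7-byte header leaves the stream almost empty. The 64-byte
    # cut-off is an assumption made for this example, not a figure from NVISO.
    if cache is None or cache < min_cache_bytes:
        result["flags"].append("VBA project carries no compiled p-code cache")
    # PROJECT is a text stream; DPB= holds the encrypted project password. With no password
    # only one byte is encoded, so the hex string stays short; treating more than 40 hex
    # digits as a real password hash is a heuristic for this example, not a spec rule.
    m = re.search(rb'DPB="([0-9A-Fa-f]+)"', blob)
    if m and len(m.group(1)) > 40:
        result["project_password"] = True
        result["flags"].append("VBA project is password protected")
    return result


def _dir_entry(name: str, obj_type: int, start: int = ENDOFCHAIN, size: int = 0) -> bytes:
    """One 128-byte CFB directory entry (siblings/child left as NOSTREAM)."""
    raw, entry = name.encode("utf-16-le") + b"\x00\x00", bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<HBB", entry, 64, len(raw), obj_type, 1)
    struct.pack_into("<III", entry, 68, NOSTREAM, NOSTREAM, NOSTREAM)
    struct.pack_into("<IQ", entry, 116, start, size)
    return bytes(entry)


def build_sample_xlsm(cache_bytes: int, dpb_hex: str) -> bytes:
    """Constructed input: a minimal OOXML zip around a hand-built vbaProject.bin."""
    project = f'ID="{{00000000-0000-0000-0000-000000000000}}"\r\nDPB="{dpb_hex}"\r\n'.encode()
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)            # v3, 512-byte sectors
    struct.pack_into("<9I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))              # FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = b"".join([_dir_entry("Root Entry", ROOT),                     # sector 1
                          _dir_entry("_VBA_PROJECT", STREAM, size=cache_bytes),
                          _dir_entry("PROJECT", STREAM, start=2, size=len(project)),
                          _dir_entry("ThisWorkbook", STREAM)])
    vba_bin = bytes(header) + fat + directory + project.ljust(512, b"\x00")    # sector 2
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")                          # placeholder part list
        zf.writestr("xl/vbaProject.bin", vba_bin)
    return buf.getvalue()


if __name__ == "__main__":
    for label, cache, dpb in [("Office-built, no password", 2500, "A1B2C3D4E5F60718"),
                              ("non-Office, password-protected", 7, "AB" * 40)]:
        print(label, "->", triage_spreadsheet(build_sample_xlsm(cache, dpb))["flags"])
```

On a real file, pass the bytes read from disk to `triage_spreadsheet`; the flags are a triage signal to route a document for closer analysis, not a verdict, and the thresholds should be calibrated against a corpus of known-good Office output before being used in a hunt. Tools such as oledump give the same per-stream view without hand-rolled parsing.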

[Image: Epic Manchego activity timeline (Image: NVISO)]

NVISO says this group appears to be experimenting with this technique, and since the first attacks, they have increased both their activity and the sophistication of their attacks, suggesting this might see broader use in the future.

Nevertheless, NVISO researchers weren’t totally surprised that malware groups are now using EPPlus.

“We are familiar with this .NET library, as we have been using it for a couple of years to create malicious documents (“maldocs”) for our red team and penetration testers,” the company said.

Indicators of compromise and a technical breakdown of the malicious EPPlus-rendered Excel files are available in NVISO Labs’ Epic Manchego report.
