Malware gang uses .NET library to generate Excel docs that bypass security checks

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,151
A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems.

Discovered by security researchers from NVISO Labs, this malware gang — which they named Epic Manchego — has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document.

But NVISO said these weren't your standard Excel spreadsheets. The malicious Excel files were bypassing security scanners and had low detection rates.
According to NVISO, this was because the documents weren't compiled in the standard Microsoft Office software, but with a .NET library called EPPlus.
Indicators of compromise and a technical breakdown of the malicious EPPlus-rendered Excel files are available in NVISO Labs' Epic Manchego report.
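The article's point is that the files were produced by a third-party library rather than by Excel itself, so a scanner that keys on "what Excel normally writes" can miss them, while the VBA project is still there for Office to find. As an added triage example (not NVISO's analysis tooling and not EPPlus code), the script below opens an OOXML container, reports whether a VBA project part is present, and reads the producer metadata from docProps/app.xml and docProps/core.xml. The part names and content-type strings are the standard OOXML ones; the flag names, the "producer is not Microsoft Excel" heuristic and the in-memory sample documents are constructed for this example and do not encode what a real EPPlus output looks like.

```python
"""Triage helper for OOXML spreadsheets: does the container carry a VBA project,
and what does its own metadata say produced it?  Added example; heuristics are assumptions."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Standard OOXML part names and namespaces (these are real, not invented).
VBA_PART = "xl/vbaProject.bin"
APP_PROPS = "docProps/app.xml"
CORE_PROPS = "docProps/core.xml"
CONTENT_TYPES = "[Content_Types].xml"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
CT_MACRO = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
CT_PLAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_ooxml(data: bytes) -> dict:
    """Return plain facts about an OOXML document supplied as bytes."""
    facts = {"has_vba": False, "content_type_macro": False,
             "application": None, "app_version": None, "creator": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        facts["has_vba"] = VBA_PART in names
        if CONTENT_TYPES in names:
            # Excel declares a macro-enabled workbook through this content type.
            facts["content_type_macro"] = CT_MACRO in zf.read(CONTENT_TYPES).decode("utf-8", "replace")
        if APP_PROPS in names:
            root = ET.fromstring(zf.read(APP_PROPS))
            app = root.find(f"{{{EP_NS}}}Application")
            ver = root.find(f"{{{EP_NS}}}AppVersion")
            facts["application"] = app.text if app is not None else None
            facts["app_version"] = ver.text if ver is not None else None
        if CORE_PROPS in names:
            root = ET.fromstring(zf.read(CORE_PROPS))
            creator = root.find(f"{{{DC_NS}}}creator")
            facts["creator"] = creator.text if creator is not None else None
    return facts


def triage_flags(facts: dict) -> list:
    """Analyst-facing flags.  A flag means 'look closer', never 'malicious' on its own."""
    flags = []
    if facts["has_vba"]:
        flags.append("vba-project-present")
    if facts["has_vba"] and not facts["content_type_macro"]:
        # A VBA part without the macro-enabled content type is not how Excel saves .xlsm.
        flags.append("vba-without-macroEnabled-content-type")
    if facts["application"] is None:
        flags.append("no-application-metadata")
    elif "Microsoft Excel" not in facts["application"]:
        # Assumption: a producer string other than Excel points at a third-party generator.
        flags.append(f"third-party-producer:{facts['application']}")
    return flags


def build_sample(with_vba: bool, macro_content_type: bool, application: Optional[str]) -> bytes:
    """Construct a minimal OOXML container in memory.  Constructed test data, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = CT_MACRO if macro_content_type else CT_PLAIN
        zf.writestr(CONTENT_TYPES,
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/xl/workbook.xml" ContentType="{ct}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder, not a real project")
        if application is not None:
            zf.writestr(APP_PROPS,
                        f'<Properties xmlns="{EP_NS}"><Application>{application}</Application>'
                        '<AppVersion>0.0</AppVersion></Properties>')
        zf.writestr(CORE_PROPS,
                    f'<cp:coreProperties xmlns:cp="urn:x" xmlns:dc="{DC_NS}">'
                    '<dc:creator>constructed</dc:creator></cp:coreProperties>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("excel-saved macro workbook", build_sample(True, True, "Microsoft Excel")),
        ("vba but plain content type", build_sample(True, False, "Microsoft Excel")),
        ("third-party producer", build_sample(True, True, "ExampleGenerator 1.0")),
        ("no vba, no app metadata", build_sample(False, False, None)),
    ]:
        print(label, "->", triage_flags(inspect_ooxml(sample)))
```

The output of `inspect_ooxml` is meant to feed an analyst or a mail-gateway rule, and the "has VBA project" fact is the one worth acting on: it is exactly what Office itself sees, which is why (as the later replies in this thread note) the macro warning bar and ASR rules are not bypassed by such files.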
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Unfortunately, MS Office applications allow so many document formats and their variations, that it is very hard to close all vulnerabilities. Furthermore, Microsoft is still expanding the abilities of MS Office applications. So the recent security improvement based on sandboxing (Application Guard for Office) is welcome, although not available yet for non-enterprise consumers.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
You're very correct, Andy, and at least most of the reported IOCs (payloads) that I checked are detected by most AV vendors, including Microsoft Defender.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The article says these malicious docs contain VBA macros.
Does Windows Defender Attack surface reduction (ASR) block this?
Does Hard_Configurator block this?
I am not clear on the difference between VBA and VBS.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
The article says these malicious docs contain VBA macros.
Does Windows Defender Attack surface reduction (ASR) block this?
Does Hard_Configurator block this?
I am not clear on the difference between VBA and VBS.
The MS Office applications can still see the macro embedded in such weaponized documents (the yellow bar is not bypassed). So, the macros will be blocked/mitigated by ASR rules, H_C, SWH, and SysHardener as usual. The problem can arise with security applications (such as AVs) that detect macros by examining the weaponized documents, but do not restrict the MS Office applications (by child processes, anti-exploit mitigations, etc.).

The main difference between VBScript and VBA is that VBScript is a scripting language (requires an interpreter), whereas VBA is a programming language (the code can be compiled); both are based on Visual Basic. VBA also has more features:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The MS Office applications can still see the macro embedded in such weaponized documents (the yellow bar is not bypassed). So, the macros will be blocked/mitigated by ASR rules, H_C, SWH, and SysHardener as usual. The problem can arise with security applications (such as AVs) that detect macros by examining the weaponized documents, but do not restrict the MS Office applications (by child processes, anti-exploit mitigations, etc.).

The main difference between VBScript and VBA is that VBScript is a scripting language (requires an interpreter), whereas VBA is a programming language (the code can be compiled); both are based on Visual Basic. VBA also has more features:
Thanks Andy!
 
