Malicious Excel attachments bypass security controls using .NET library
A recent threat group called Epic Manchego is using a new technique to create Excel files to bypass antivirus (AV) and and get low detection rates. By exploring how criminals are evading security systems, we can provide some general steps to take to protect systems against these types of attacks.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Threat overview
Epic Manchego has been active since June 2020, targeting companies across the globe with phishing emails containing malicious Excel documents. To bypass email spam folders and spam mechanisms, criminals are sending phishing emails from legitimate company accounts, probably obtained from public data breaches. They confirm if any emails have been compromised using the “Have I Been Pwned?” service, or simply by compromising email accounts before starting the malicious activity.
Figure 1: Phishing email template from Epic Manchego campaign.
According to NVISO, “the public submissions of the maldocs through VirusTotal, we clustered over 200 documents, which allowed us to rank 27 countries by submission count without differentiating between uploads possibly performed through VPNs.”
As observed, areas such as the United States, Czech Republic, France, Germany and China are targeted regions found during the research.
Figure 2: Target regions observed during the threat analysis using VirusTotal.
By analyzing the initial documents for targeted regions, some templates from different countries were identified, such as English, Spanish, Chinese and Turkish language-based images.
Figure 3: Other email templates of the Epic Manchego campaign.
Threat modus operandi
Some Office documents in this campaign contain drawn figures such as rectangles, as observed in Figure 4.
Figure 4: Rectangle inside the doc file with the malicious payload.
The malicious Microsoft Office documents were created using the EPPlus software rather than Microsoft Office Excel. These documents may fly under the radar as they differ from a typical Excel document.
The document from Figure 4 contains a drawing1.xml object (a rounded rectangle) with this name: name=”VBASampleRect,” and created with the source code found on the EPPLUS Wiki (on the right side) as observed below.
Figure 5: Sample Rect code and EPPlus sample code.
By opening the document macros, no one is visible as observed below.
Figure 6: At first glance, no macros are available.
Nonetheless, the malicious code exists and is protected with a password. It is interesting to observe that the VBA code is not encoded; it is stored in clear text.
When a document with a password-protected VBA project is opened, the VBA macros will execute without the password. The user does not need to provide the password. The password is only required to view the VBA project inside the VBA integrated development environment (IDE).
Figure 7: Password required to exhibit the VBA code inside the malicious code.
By changing the DPB string or decrypting the password, it’s possible to see the PowerShell payload executed when the malicious Office file is executed on the victim’s computer.
Figure 8: DPB string of the malicious .doc file.
The listing below shows the PowerShell payload executed during the infection chain.
According to NVISO research, the VBA code will either use PowerShell or ActiveX objects to download the payload, depending on the initial malware sample.
Analysis of the final malware stage
Using the malicious VBA code, a second-stage payload is downloaded from various websites available on the internet. Each second-stage executable created by its respective malicious document acts as a dropper for the final payload. After that, the second stage will also download a malicious DLL. This DLL component then proceeds to extract additional settings, and a third-stage payload, before transferring the execution to the final payload, typically an information stealer.
Figure 9: Operation Epic Manchego final stage delivery mechanism.
As stated by NVISO researchers, “although the above obfuscation pattern is common to all samples, we have observed an evolution in its complexity as well as a wide variation in perhaps more opportunistic techniques.”
In addition, “a common factor of the operation’s second-stage samples is the usage of steganography to obfuscate their malicious intent.”
After that, the final step is executed and several popular malware samples are executed to fully compromise the victim's devices.
From these samples, the “Azorult” stealer accounts for 50% of the most delivered variant. Other payloads include “AgentTesla,” “Formbook,” “Matiex” and “njRat,” where “Azurult” and “njRAT” have a noticeable reuse rate.
Figure 10: Dictionary-based payload classification and (re-)usage of samples with trimmed hashes.
Phishing simulations & training
Detection and action
New techniques to bypass EDR and AV are being developed by criminals to execute their malware. Using this new method of creating malicious Office documents can reduce detection mechanisms to execute the next stage, which is often a PowerShell script that can be executed into the memory without touching the disk.
Blocking and detection of these types of novelties, such as the maldoc creation described in this article, enables organizations to respond quickly to incidents. Some measures can be taken to prevent the exploration of these kinds of scenarios:
- Train users to be aware of potential social engineering and how to handle them the right way
- Ensure that software, applications and systems are up to date
- Use endpoint protection solutions and updated antivirus to prevent malicious infections
- Use vulnerability management and monitoring systems to identify potential unpatched flaws, and to detect incidents in real time
- Perform cybersecurity audits and mitigate any weaknesses discovered to prevent attacks in the wild, both external and internal
Sources
Epic Manchego, NVISO Labs
.NET library to bypass AV, ZDNet
In this Series
- Malicious Excel attachments bypass security controls using .NET library
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
