.NET Library Excel Documents Bypass Security Checks
A recently discovered malware family called Epic Manchego uses a clever trick to create malicious MS Excel files with minimal detection rates and an increased likelihood of bypassing security systems. By examining the security evasion methods used by attackers, you can understand what top-priority measures should be taken to protect systems from these types of attacks.
Description of the threat
The malware family has been “running” since June 2020 and has been targeting organizations around the world using phishing emails containing a modified Excel file. To prevent phishing messages from ending up in spam folders and preventing spam clipping mechanisms from working against them, cybercriminals send their emails from the official accounts of organizations. The credentials of such organizations, as a rule, fall into the hands of attackers as a result of hacking. Attackers using the “Have I Been Pwned?” check if email accounts have been compromised or simply hack such records before proceeding with malicious mailing.
According to NVISO, “About 200 malicious documents were passed through VirusTotal, and a list of 27 countries was compiled, ranked by the number of documents sent. The list did not distinguish how such files were downloaded (possibly via a VPN).”
The study found that countries such as the United States of America, the Czech Republic, France, Germany and China are at the highest risk of sending malicious files.
After analyzing the documents sent to the target regions, letter templates were identified, the sources of which were different countries, which, in particular, is indicated by the inscriptions in English, Spanish, Chinese and Turkish.
How Epic Manchego works
Some Office documents that you distribute contain drawn shapes, such as rectangles, as shown in Figure 4.
Malicious Microsoft Office documents are not created through Microsoft Office Excel, but using the .NET library EPPlus… Since such documents are not standard Excel documents, they can be masked and bypass security mechanisms.
The document in Figure 4 contains a drawing1.xml object (rounded rectangle) named name = “VBASampleRect” and was created using the EPPLUS Wiki source code (right), as shown below.
If you open the document macro window, there will be no macros in it.
Nevertheless, the malicious code exists and is also password protected. It is interesting to note that this VBA code is not encrypted at all, but in plaintext.
When opening a document with a password-protected VBA project, VBA macros will run without a password. The password is only required to view the VBA project inside the VBA integrated development environment (IDE).
If you modify the DPB string or decrypt the password, you can see that when the malicious Office file is run on the victim’s computer, the PowerShell payload is launched and executed.
The screenshot below demonstrates the launch of the PowerShell payload during infection.
According to research by NVISO Labs, either PowerShell objects or ActiveX objects are used to load the payload in VBA code, depending on the type of original malware.
Analysis of the final stage of the malware
In the second step, the payload is downloaded from various Internet sites via malicious VBA code. Each executable file created by the corresponding malicious document and launched at the second stage acts as a virus carrier (dropper) for the final payload. After that, the second step also loads the malicious DLL file. This DLL component generates additional parameters and payload for the third stage, after which it launches the final payload for execution, which, as a rule, steals information.
As the researchers from NVISO Labs note, “despite the fact that the above data obfuscation scheme is used by many malicious programs, we see how it gets more complicated, so there is a possibility of using more sophisticated techniques.”
In addition, “a common factor in the second stage of infection is the use of steganography methods (that is, secret transmission of information by concealing the very fact of transmission) in order to mask malicious intent.”
After that, the last step is performed – several classic Trojans are launched, and the victim’s devices are completely compromised.
Most often (in more than 50% of cases), the malicious program AZORult is installed on the victim’s computer, stealing personal data of users, programs for stealing information are called info-stealers. Other payloads can be AgentTesla, Formbook, Matiex and njRat trojans, with Azorult and njRAT having a high level of reuse.
Detection and actions
Attackers are coming up with new methods to bypass threat detection and endpoint response (EDR) and anti-virus software (AV) to launch malware. With the new way of generating malicious Office documents, threat detection mechanisms must prevent malware from advancing to the next stage. Often times, this step runs a PowerShell script that can run in memory without accessing disk.
Detecting and blocking new ways of infection by creating malicious documents (maldoc), one of which is described in this article, will allow organizations to quickly respond to incidents. To prevent this kind of attacks, it is recommended to take the following measures:
Warn users that they can become objects of social engineering, and teach them how to behave correctly in cases of attacks.
Regularly update software, applications and systems to the latest versions.
Use endpoint protection solutions and updated antivirus software to prevent malware infection.
Use vulnerability management and monitoring systems to identify potential unresolved vulnerabilities and incidents in real time.
Check information security systems for new attacks, both external and internal, and immediately eliminate vulnerabilities in any identified bottlenecks.
And if the field of information security is close to you, then you can turn your attention to our special course Ethical hacker, in which we teach students to look for vulnerabilities even in the most reliable systems and make money on it.
find outhow to level up in other specialties or master them from scratch:
Other professions and courses
Epic manchego, NVISO Labs.