Hacker Generates Fake Excel Docs to Bypass Security Experts

A group of hackers was newly unearthed to have created an illegal way of getting through security checks. They use a malicious but brilliant trick to generate harmful excel files. These files are quite difficult to be seen by security checks and can easily evade security.

Security researchers from NVISO Labs are being credited for this groundbreaking discovery. Code-named Epic Manchego – the malware gang was formed in June and has been active ever since. They specialize in targeting companies across the globe by sending phishing emails accompanied by an infected Excel document.

However, official reports from NVISO stated that these documents are not your typical Excel spreadsheets . These harmful Excel files can bypass security scanners. Furthermore, they also have low rates of detection. The files were created using EPPlus.

Based on an official statement from NVISO, this was possible since the documents were never generated with the traditional Microsoft Office suite . Instead, they got created with the .NET library known as EPPlus.

For developers, they naturally use this library function from their system application to add specific functions like “Save as spreadsheet” or “Export as Excel.” This library is useful in generating files in various spreadsheet categories.

It also supports the 2019 version of Excel. NVISO further st1ted that it seems that the infamous gang created spreadsheet files with EPPlus by using the OOXML (Office Open XML) format.

It happened that these OOXML files do not have some parts of the compiled VBA code, which are exclusive to Excel files created with Microsoft Office suite.

Specific antivirus tools and email-based scanners exclusively look out of this part of the VBA code to detect probable signs of harmful Excel files. This scenario is why Excel files created by the hackers could not easily be discovered compared to other harmful Excel files.

Compiled VBA code contains specific segments where the harmful code from the attackers are stored. But, this is no indication that the files were not harmful.

NVISO reported that the gang created an exclusive VBA code format and stored their harmful code in it. It also said that the VBA code format is protected with a password to avoid the content being analyzed by researchers and security systems.

However, even though the gang had used another method to create this harmful Excel file, the spreadsheet created through EPPlus still worked like a standard Excel file.

These harmful files, also known as maldocs, also contained a harmful macro script. When unsuspecting users who open up the Excel files enable the script to be run (when they click on the “Enable editing” key), the macros in the system will download malware and install it on victims’ systems.

Finally, you get the final payloads: natural information thieves like AgentTesla, njRat, Matiex, Formbook, and Azorult. These info stealers would retrieve passwords from victims emails, FTP clients, and emails and send them over to servers owned by Epic Machengo.

Whereas the choice to generate their harmful Excel documents with EPPlus may have initially yielded some benefits of the criminal gang , this decision also ended up harming the gang in the long-term. The EPPlus made it easy for NVISO to effortlessly find all previous hacking operations by finding Excel documents that looked odd.

At the end of the searching exercise, NVISO said that they found over 200 harmful Excel files connected to the evil gang, while the first file was traced back to the 22nd of June, 2020.

There is a possibility that Epic Manchego is still at the experimentation stage of their new technique. Ever since they first attacked with it, their activity has been increased, and the attack method has undoubtedly evolved. This points to the fact that it could be widely used in the future to commit even bigger cybercrimes.

In the final round of events, NVISO eventually admitted that they are aware of the EPPlus tool. They said they were also used to create harmful files (maldocs) for their penetration testers and red team.

The funny thing here is that they looked like Excel documents. However, they are not your average Excel documents. These appear real enough to trick security systems, however.

What seems to be an unexpected occurrence is now being used by malicious persons to bypass security systems and gain illegal access.