A new gang of cybercriminals has adopted a new trick to compromise the security of internet users. The recently discovered malware gang is using a .NET library to create Excel documents. These are not normal Excel spreadsheets: they bypass security checks and reportedly have the lowest detection rate. As a result, this malware gang has a greater chance of penetrating security boundaries.
The gang was identified by researchers at NVISO Labs and has been given the name Epic Manchego. Epic Manchego primarily targets email users and has been active since June of this year. It generates its fake Excel files not with Microsoft Office but with a .NET library called EPPlus. Developers often use the EPPlus .NET library to add functions such as “Save As Spreadsheet” or “Export as Excel” to their applications, and it is widely used for creating different spreadsheet formats. The malware gang has used this library to create spreadsheet files in the Office Open XML (OOXML) format. The only thing that differentiates these files is the absence of a section of compiled VBA code, which is exclusive to Excel documents compiled in Microsoft’s proprietary Office software.
Most antivirus products and the virus scanners of email clients look for the compiled VBA code, which is exclusive to documents compiled in Microsoft’s proprietary software. Because that section is absent from Epic Manchego’s files, they have the lowest detection rate compared with other malicious Excel spreadsheets.
Epic Manchego is targeting all major companies across the world with a huge collection of phishing emails that carry malicious Excel spreadsheets. NVISO researchers are delving deep into the issue. “We are familiar with this .NET library, as we have been using it since a couple of years to create malicious documents (“maldocs”) for our red team and penetration testers,” the company said.