Malicious Excel attachments bypass security controls using .NET library

A recent threat group called Epic Manchego is using a new technique to create Excel files to bypass antivirus (AV) and and get low detection rates. By exploring how criminals are evading security systems, we can provide some general steps to take to protect systems against these types of attacks.

Threat overview

Epic Manchego has been active since June 2020, targeting companies across the globe with phishing emails containing malicious Excel documents. To bypass email spam folders and spam mechanisms, criminals are sending phishing emails from legitimate company accounts, probably obtained from public data breaches. They confirm if any emails have been compromised using the “Have I Been Pwned?” service, or simply by compromising email accounts before starting the malicious activity.

Figure 1: Phishing email template from Epic Manchego campaign.

According to NVISO, “the public submissions of the maldocs through VirusTotal, we clustered over 200 documents, which allowed us to rank 27 countries by submission count without differentiating between uploads possibly performed through VPNs.”

As observed, areas such as the United States, Czech Republic, France, Germany and China are targeted regions found during the research.

Figure 2: Target regions observed during the threat analysis using VirusTotal.


Read More: