Malicious Excel attachments bypass security controls using .NET library

A recent threat group called Epic Manchego is using a new technique to create Excel files that bypass antivirus (AV) software and achieve low detection rates. By examining how these criminals evade security systems, we can outline some general steps to protect systems against this type of attack.
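One defensive triage check that follows from the point above: an Excel document produced by a third-party .NET library rather than by Excel itself often carries different (or missing) application metadata in the OOXML container. The Python below is an added example, not code from the original article or from NVISO; it inspects `docProps/app.xml` for the `Application` property and also flags an embedded VBA project. The threshold logic (treating a non-Microsoft or absent `Application` value as suspicious) and the `build_sample` helper that constructs tiny in-memory workbooks are my assumptions for illustration, not findings from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the OOXML extended-properties part (docProps/app.xml).
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def office_app_name(xlsx_bytes):
    """Return the <Application> value from docProps/app.xml, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("docProps/app.xml"))
        node = root.find(f"{{{APP_NS}}}Application")
        return node.text if node is not None else None


def has_vba_project(xlsx_bytes):
    """True if the container carries a VBA project part (macro-enabled workbook)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def triage(xlsx_bytes):
    """Return a list of human-readable findings for an incoming workbook.

    Assumption (hypothetical heuristic): a workbook whose Application property is
    missing or does not start with 'Microsoft' was not saved by Excel itself and
    deserves a closer look, especially when it also contains VBA.
    """
    findings = []
    app = office_app_name(xlsx_bytes)
    if app is None:
        findings.append("no docProps/app.xml Application property")
    elif not app.startswith("Microsoft"):
        findings.append(f"generated by non-Office application: {app}")
    if has_vba_project(xlsx_bytes):
        findings.append("contains VBA project")
    return findings


def build_sample(app_name=None, with_vba=False):
    """Construct a minimal OOXML-style zip for testing (constructed sample, not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if app_name is not None:
            zf.writestr(
                "docProps/app.xml",
                f'<Properties xmlns="{APP_NS}"><Application>{app_name}</Application></Properties>',
            )
        if with_vba:
            # Placeholder bytes standing in for a real vbaProject.bin stream.
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("excel-saved", build_sample("Microsoft Excel")),
        ("library-no-metadata-with-vba", build_sample(None, with_vba=True)),
        ("library-with-metadata", build_sample("SomeLibrary 1.0")),
    ]:
        print(label, "->", triage(sample) or "clean")
```

In practice this is a triage hint for a mail gateway or sandbox pipeline, not a verdict: legitimate reporting tools also emit workbooks without Excel's metadata, so the finding should raise priority for further analysis rather than block on its own.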

Threat overview

Epic Manchego has been active since June 2020, targeting companies across the globe with emails containing malicious Excel documents. To bypass email spam folders and spam mechanisms, criminals are sending phishing emails from legitimate company accounts, probably obtained from public breaches. They confirm if any emails have been compromised using the “Have I Been Pwned?” service, or simply by compromising email accounts before starting the malicious activity.

Figure 1: Phishing email template from Epic Manchego campaign.

According to NVISO: “the public submissions of the maldocs through VirusTotal, we clustered over 200 documents, which allowed us to rank 27 countries by submission count without differentiating between uploads possibly performed through VPNs.”

As observed, areas such as the United States, Czech Republic, France, and China are targeted regions found during the .

Figure 2: Target regions observed during the threat using VirusTotal.
