.NET Library Excel Documents Bypass Security Checks

A recently discovered malware family called Epic Manchego uses a clever trick to create malicious MS Excel files with minimal detection rates and an increased likelihood of bypassing security systems. By examining the security evasion methods used by attackers, you can understand what top-priority measures should be taken to protect systems from these types of attacks.

---

Description of the threat

"" 2020 , Excel. , . , , . "Have I Been Pwned?" , , , .

NVISO, " VirusTotal 200 , 27 , . , (, VPN)".

, , , , , .

, , , , , , , , .

Epic Manchego

Office , , 4.

Microsoft Office Microsoft Office Excel, .NET EPPlus. Excel, .

4 drawing1.xml ( ) name="VBASampleRect» EPPLUS Wiki (), .

, .

. , VBA , .

VBA-, , VBA . VBA (IDE) VBA.

DPB , , Office PowerShell.

PowerShell .

NVISO Labs, VBA, PowerShell, ActiveX, .

 

VBA - . , , (). DLL. DLL , , , , .

NVISO Labs, " , , , ".

, " ( ) ".

— , .

( 50 % ) AZORult, , . AgentTesla, Formbook, Matiex njRat, Azorult njRAT .

(EDR) (AV). Office . PowerShell, .

(maldoc), , . :

• , , .

  
  
  
  
  

• , .

  
  
  
  
  

• (Endpoint Protection) .

  
  
  
  
  

• .

  
  
  
  
  

• — , , .

  
  
  
  
  

— , .

, :

• Data Scientist

  
  
  
  
  

• Data Analyst

  
  
  
  
  

• Data Engineering

  
  
  
  
  

• Fullstack- Python

  
  
  
  
  

• Java-

  
  
  
  
  

• QA- JAVA

  
  
  
  
  

• Frontend-

  
  
  
  
  

• 
  
  
  
  

• C++

  
  
  
  
  

• Unity

  
  
  
  
  

• -

  
  
  
  
  

• iOS-

  
  
  
  
  

• Android-

  
  
  
  
  

• Machine Learning

  
  
  
  
  

• "Machine Learning Deep Learning"

  
  
  
  
  

• " Data Science"

  
  
  
  
  

• " Machine Learning Data Science" 

  
  
  
  
  

• "Python -"

  
  
  
  
  

• " "

  
  
  
  
  

• 
  
  
  
  

• DevOps

  
  
  
  
  

:

• Epic Manchego, NVISO Labs.

  
  
  
  
  

• .NET , ZDNet.