Malware gang uses .NET library to generate Excel docs that bypass security checks

Systems running the Windows 10 Anniversary Update were protected from 2 exploits even prior to Microsoft had actually provided patches for them, its researchers have discovered.

A freshly discovered malware gang is utilizing a clever trick to produce destructive Excel files that have low detection rates and a greater chance of averting security systems.

Discovered by security researchers from NVISO Labs, this malware gang —– which they called Impressive Manchego —– has been active since June, targeting companies all over the world with phishing emails that bring a destructive Excel document.

But NVISO said these weren’t your basic Excel spreadsheets. The destructive Excel files were bypassing security scanners and had low detection rates.

Destructive Excel files were put together with EPPlus

According to NVISO, this was since the files weren’t compiled in the standard Microsoft Office software application, however with a.NET library called EPPlus.

Developers usually utilize this library part of their applications to include “Export as Excel” or “Save as spreadsheet” functions. The library can be utilized to create files in a wide range of spreadsheet formats, and even supports Excel 2019.

NVISO says the Impressive Manchego gang appears to have used EPPlus to produce spreadsheet files in the Office Open XML (OOXML) format.

The OOXML spreadsheet files produced by Impressive Manchego did not have a section of compiled VBA code, particular to Excel documents assembled in Microsoft’s exclusive Office software application.

Some anti-virus products and e-mail scanners specifically try to find this portion of VBA code to look for possible indications of malicious Excel docs, which would discuss why spreadsheets generated by the Epic Manchego gang had lower detection rates than other destructive Excel files.

This blob of assembled VBA code is normally where an enemy’s destructive code would be saved. This doesn’t indicate the files were clean. NVISO says that the Impressive Manchego simply kept their destructive code in a custom-made VBA code format, which was also password-protected to avoid security systems and scientists from evaluating its content.

But in spite of using a different approach to create their malicious Excel files, the EPPlus-based spreadsheet files still worked like any other Excel file.

Active considering that June

The harmful files (likewise called maldocs) still included a destructive macro script. If users who opened the Excel files permitted the script to carry out (by clicking the “Enable modifying” button), the macros would download and set up malware on the victim’s systems.

The last payloads were traditional infostealer trojans like Azorult, AgentTesla, Formbook, Matiex, and njRat, which would dump passwords from the user’s web browsers, e-mails, and FTP clients, and sent them to Legendary Machengo’s servers.

While the decision to use EPPlus to produce their malicious Excel files might have had some benefits, in the start, it also ended up harming Impressive Manchego in the long run, as it enabled the NVISO team to very easily detect all their past operations by looking for odd-looking Excel documents.

In the end, NVISO said it discovered more than 200 destructive Excel files linked to Impressive Manchego, with the very first one dating back to June 22, this year.


NVISO states this group appears to explore this method and considering that the very first attacks, they have increased both their activity and the sophistication of their attacks, suggesting this may see wider usage in the future.

NVISO scientists weren’t completely surprised that malware groups are now using EPPlus.

“We are familiar with this.NET library, as we have been using it given that a couple of years to develop harmful documents (“maldocs”) for our red group and penetration testers,” the company stated.