Cybercriminals are using malicious Excel documents, known as ‘maldocs’, to steal user information, according to security researchers at NVISO Labs.

According to a detailed analysis published by researchers at NVISO Labs, a malware gang named Epic Manchego has been targeting companies across the globe with phishing emails containing malicious Excel documents.

“In July 2020, NVISO detected a set of malicious Excel documents, also known as “maldocs”, that deliver malware through VBA-activated spreadsheets,” read the report.

Hackers create these documents through a .NET library called EPPlus rather than Microsoft Office, which makes them more difficult to detect.

“The creators of the malicious Excel documents used a technique that allows them to create macro-laden Excel workbooks, without actually using Microsoft Office. As a side effect of this particular way of working, the detection rate for these documents is typically lower than for standard maldocs,” the report read.

Hackers are using EPPlus to generate spreadsheet files in the Office Open XML (OOXML) format.

The documents contain macros that can steal user information if executed. When a user opens one of the Excel files and clicks on the ‘Enable editing’ button, the script is allowed to execute. It then downloads and installs malware on the user’s system.

The final payloads include infostealer trojans such as Azorult, AgentTesla, Formbook, Matiex, and njRat.

“The payloads that have been observed up to the date of the release of this post, have been, for the most part, so called information stealers with the intention of harvesting passwords from browsers, email clients,” the report said.

Researchers further advised users to carefully vet such documents received from sources outside work and to “implement robust endpoint detect and respond defenses” to prevent attacks.
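One way to vet a received workbook without opening it in Excel, shown as an added example that is not code from NVISO's report: treat the OOXML file as the ZIP container it is and list any parts declared as a VBA project, plus any OLE containers inside it. The function names, the 1 MiB read cap and the in-memory sample workbook are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input at scale, prefer defusedxml

VBA_CT = "application/vnd.ms-office.vbaProject"  # OOXML content type of a VBA project
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # OLE compound-file header
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
LIMIT = 1 << 20  # assumed cap on bytes read from the XML part (zip-bomb guard)

def triage_ooxml(data: bytes) -> dict:
    """Report macro-related facts about a workbook without opening it in Office."""
    out = {"is_ooxml": False, "vba_parts": [], "ole_parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return out
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return out
        out["is_ooxml"] = True
        root = ET.fromstring(zf.open("[Content_Types].xml").read(LIMIT))
        exts = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")
                if d.get("ContentType") == VBA_CT}
        parts = {o.get("PartName", "").lstrip("/") for o in root.iter(CT_NS + "Override")
                 if o.get("ContentType") == VBA_CT}
        for name in names:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Declared as a VBA project, by Override part name or Default extension.
            if name in parts or ext in exts:
                out["vba_parts"].append(name)
            # OLE container inside the ZIP, whatever it is named or declared as.
            if zf.open(name).read(8) == OLE_MAGIC:
                out["ole_parts"].append(name)
    return out

def constructed_sample(with_macro: bool) -> bytes:
    """Build a tiny stand-in workbook in memory (constructed, not a real sample)."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          + (f'<Default Extension="bin" ContentType="{VBA_CT}"/>' if with_macro else "")
          + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)  # header only
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_ooxml(constructed_sample(True)))
```

A non-empty `vba_parts` list means the workbook carries macros regardless of which tool produced it; an entry in `ole_parts` that is not also in `vba_parts` can be a legitimate embedded object and needs a closer look rather than an automatic block.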
