26 October 2020

tl;dr: Create a macro-enabled Excel workbook using the .NET library EPPlus to bypass some A/V detection. We created Hot Manchego to help pen testers / red teamers build VBA-enabled Excel workbooks using EPPlus.

A couple weeks ago, NVISO Labs released a detailed analysis of a threat actor (or security researcher) uploading malicious VBA-filled Excel workbooks on VirusTotal. If you haven’t readNVISO’s post on Epic Manchego, please read it first. It’ll go into much greater detail than this post.

Typically, when we create Excel workbooks, we open up Microsoft Excel, do our thing, and then save the file. Surprisingly, the files uploaded to Virus Total, appeared to have not been made using the Microsoft Excel application. Instead, NVISO believes the malicious documents (maldocs), were created programmatically using a .NET library called EPPlus.

If you’re like me, I had never heard of EPPlus until NVISO’s post, so I spent some time with the documentation and sample code. It’s actually a super useful utility that could help automate the creation of malware droppers for use on red team assessments. I’d recommend starting off by testing with version 4 of EPPlus, since version 5 is now owned by a company and involves licensing for commercial purposes.

So, why do we care about EPPlus? When you create an Excel workbook using EPPlus, the underlying XML file structure looks different than the XML structure of a workbook created using the official Microsoft Excel application. Again, see NVISO’s post for greater detail, but two key elements jump out as a reason EPPlus could be used to bypass certain A/V signatures.

First, EPPlus-generated files do not contain metadata. Typically, when you generate an Excel workbook via the official Microsoft Excel application, a folder named “docProps” is created within the xlsx (or xlsm) file structure. That folder contains the workbook metadata.

When you create an Excel workbook with the exact same content using EPPlus, that folder is not created.

Second, when you add VBA to an Excel workbook via the Microsoft Excel application, it compiles the VBA code and saves it in a file called vbaProject.bin. Since EPPlus doesn’t have access to Microsoft’s algorithm to compile the VBA code, it simply compresses the VBA code. As a result, the vbaProject.bin files look quite different (compiled vs. compressed).

These two differences, along with others mentioned in NVISO Lab’s research, most likely explain why our VBA-enabled Excel Worksheet (armed with a simple LOLBAS payload) only triggered 3 A/V engines on VirusTotal.

While is this not a revolutionary A/V bypass, when it comes to maldocs, any little edge we can get when trying to gain initial access into our customers’ environments is worth some research.We spent a few hours figuring out how to use EPPlus and created a small utility for other red teams and pen testers to use EPPlus (version 4) to generate VBA-enabled Excel workbooks.

Out of respect to NVISO’s blog post titled “Epic Manchego”, we’ve named the utility “Hot Manchego”, and it’s currently available on GitHub.

If you’re interested in learning more about FortyNorth’s perspective on offensive maldocs, check out a webinar with did with BlackHills Information Security and Wild West Hackin’ Fest or sign up for our Initial Access Operations class.

Written by: Joe Leon