Epic Manchego Creates Epic Malware Using Macros

Published: October 21, 2020 in our Security Fraud News & Alerts Newsletter.

NVISO Labs has recently identified a new threat actor which it has given a very cool name, Epic Manchego. The group appears to be experimenting with a new technique for creating malware: it uses the .NET library EPPlus to generate malicious Excel spreadsheets in Office Open XML format instead of creating them in Excel itself.

Because the documents are built this way, they lack the VBA code structures that documents created in Microsoft Office normally contain, giving them a low detection rate and an increased chance of slipping past security systems.

That is why providing awareness training to employees and staff is critical. By making everyone aware of the latest phishing attacks and malware, intrusions can be significantly mitigated. Many messages get past the filtering products, so it is up to the recipient of the message to judge whether a document is suspicious and potentially unsafe to open.

The malicious Excel documents (also called maldocs) contain a macro script that, if the document is opened and macros are enabled, downloads and installs malware onto the victim's system.
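Because the technique described above produces documents that still carry a VBA project part inside the Office Open XML container, a defender can triage them at the mail gateway or on a file share by looking at the container itself rather than at the VBA code. The following script is an added example written for this article, not code from NVISO or from any tool the article mentions; it builds a constructed, non-functional sample workbook in memory (no real spreadsheet content and no macro code) and then flags any Office Open XML file that contains a VBA project part, declares a macro-enabled content type, or carries macros under an extension (.xlsx, .docx, .pptx) that should never have them.

```python
import io
import zipfile

# Content-type manifests for a macro-enabled and a plain workbook. These
# strings are constructed for the sample below; the content types themselves
# are the standard ones used by Office Open XML.
CONTENT_TYPES_MACRO = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    '</Types>'
)
CONTENT_TYPES_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    '</Types>'
)

# Signature of an OLE compound file, which is what xl/vbaProject.bin is.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample(macro: bool) -> bytes:
    """Construct a minimal, non-functional OOXML container for testing.

    The parts are stubs: the workbook is an empty element and the VBA project
    part is only an OLE header followed by zeros, so nothing here runs in Excel.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES_MACRO if macro else CONTENT_TYPES_PLAIN)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def triage_ooxml(data: bytes, filename: str) -> dict:
    """Inspect an Office Open XML file and report macro-related findings.

    The check does not depend on how the VBA project was produced (Excel,
    EPPlus or anything else): the presence of the part and the declared
    content types are enough to route the file for closer inspection.
    """
    findings = {
        "is_ooxml": False,
        "vba_parts": [],
        "vba_part_is_ole": False,
        "macro_content_type": False,
        "extension_mismatch": False,
        "verdict": "clean",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings["verdict"] = "not-ooxml"
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["is_ooxml"] = "[Content_Types].xml" in names
        findings["vba_parts"] = [n for n in names
                                 if n.lower().endswith("vbaproject.bin")]
        # Confirm the part is really an OLE container, not a renamed decoy.
        for part in findings["vba_parts"]:
            if z.read(part)[:8] == OLE_MAGIC:
                findings["vba_part_is_ole"] = True
        if findings["is_ooxml"]:
            manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_content_type"] = ("macroEnabled" in manifest
                                              or "vbaProject" in manifest)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_macro = bool(findings["vba_parts"]) or findings["macro_content_type"]
    # Macro-free extensions that nevertheless carry a VBA project are suspicious.
    findings["extension_mismatch"] = has_macro and ext in {"xlsx", "docx", "pptx"}
    findings["verdict"] = "macro-enabled" if has_macro else "clean"
    return findings


if __name__ == "__main__":
    for name, blob in (("invoice.xlsm", build_sample(True)),
                       ("invoice.xlsx", build_sample(True)),
                       ("report.xlsx", build_sample(False))):
        print(name, triage_ooxml(blob, name))
```

In a gateway the `triage_ooxml` result would feed a quarantine or sandbox decision; a `macro-enabled` verdict on a file arriving from outside the organization is the point at which the user awareness described above matters most, since the file is not itself proof of malice.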

It is advised not to enable macros on any system, and to avoid activating them at all unless you created the macro or know who did. In newer versions of Microsoft Office, macros are disabled by default, but many older versions are still out there with macros enabled. If you are not sure how to disable macros, get help from management or the IT department.

Epic Manchego is reportedly continuing to experiment with this particular technique, so it is likely that more, and perhaps modified, instances of the malware will appear in the future, and there is no telling what evolved versions will do.

Many organizations currently rely on Office macros for day-to-day business functions, including interactions with external partners. Organizations that still use macros should develop a strategy for replacing them and educate users not to enable them unless they know what the macros will do.

