Operation Epic Manchego

Description

(NVISIO) In July 2020, NVISO detected a set of malicious Excel documents, also known as “maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention.

The creators of the malicious Excel documents used a technique that allows them to create macro-laden Excel workbooks, without actually using Microsoft Office. As a side effect of this particular way of working, the detection rate for these documents is typically lower than for standard maldocs.

Names

Name	Name-Giver
Operation Epic Manchego	NVISO

Country

• Unknown

Motivation

• Information theft and espionage

First Seen

2020

Observed Countries

• Bulgaria
• Canada
• China
• Czech
• France
• Germany
• Hungary
• Italy
• Japan
• Malaysia
• Netherlands
• Poland
• Romania
• South Korea
• Sweden
• UK
• Ukraine
• Uruguay
• USA
• Vietnam

Tools

• Agent Tesla
• AZORult
• Formbook
• Matiex
• njRAT

Information

• https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/

Other Information

Uuid

f3b26faa-9b21-4401-8448-67b9c636c16f

Last Card Change

2020-09-17