Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware, making use of Excel's hardcoded default password for encrypted files, "VelvetSweatshop".
LimeRAT is a full-featured remote access tool/backdoor that can allow attackers to access an infected system and install a range of malware strains, like ransomware, cryptominers, keyloggers or botnet clients.
In the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payload. Typically in malspam scenarios involving Excel files, the files are encrypted and the recipient has to enter a password to decrypt the file. That password is usually included by the attacker in the body of a socially engineered email.
The new attack, however, uses a different tack: it sends malicious, encrypted Excel files in "read-only" mode, according to Mimecast Threat Center's Matthew Gardiner, writing in a Tuesday blog post about the research.
When it opens an encrypted workbook, Excel first tries a password embedded in the application itself, "VelvetSweatshop". If that attempt succeeds, Excel decrypts and opens the file in read-only mode, and any onboard macros or other potentially malicious content can run, the researcher explained.
Only if the "VelvetSweatshop" attempt fails does Excel prompt the user for a password. A file the attacker encrypted with the default password never fails that first attempt, so the prompt is skipped, Gardiner said, and therein lies the new campaign's threat.
“The Microsoft Office system will not generate any warning dialogs other than noting the file is read-only,” he wrote in the post. “Using this read-only technique, the attacker can reap the obfuscation benefits of file encryption without requiring anything further from the user, taking away one step required of the intended victim for exploitation to occur.”
This makes it even easier for unsuspecting victims to open the files and, without realising it, install the malware.
“This new research demonstrates that making an Excel file read-only — as opposed to locking it — encrypts the file without the need for an externally created password to open it, making it easier to fool a victim into installing the malware,” wrote Gardiner.
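The mechanism described above rests on one fact: in Office document encryption the password is the only secret, and Excel silently supplies "VelvetSweatshop" before asking the user for anything. The following Python is an added example written for this page, not code from Mimecast, Gardiner or the article. It models the RC4 CryptoAPI password check from Microsoft's MS-OFFCRYPTO specification (the scheme used by password-protected legacy .xls workbooks) on constructed sample values rather than a parsed file, and shows why a workbook sealed with the default password opens without a prompt while a conventionally password-protected one does not. The function names, the sample salt, the verifier bytes and the password "Invoice-2020" are this example's own assumptions.

```python
import hashlib
import struct

# Excel's built-in default password for encrypted workbooks.
DEFAULT_PASSWORD = "VelvetSweatshop"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream generator); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, salt: bytes, key_bits: int = 128, block: int = 0) -> bytes:
    """RC4 CryptoAPI key derivation (MS-OFFCRYPTO 2.3.5.2):
    H0 = SHA1(salt || UTF-16LE(password)); Hn = SHA1(H0 || LE32(block)); key = Hn[:key_bits/8].
    The salt is stored in the clear inside the file, so the password is the only secret."""
    h0 = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    hn = hashlib.sha1(h0 + struct.pack("<I", block)).digest()
    return hn[: key_bits // 8]


def make_password_verifier(password: str, salt: bytes, verifier: bytes):
    """Produce the (EncryptedVerifier, EncryptedVerifierHash) pair an encrypting application
    writes into the file. `verifier` stands in for the 16 random bytes Excel would generate;
    it is passed in here so the example is deterministic."""
    key = derive_key(password, salt)
    stream = rc4(key, verifier + hashlib.sha1(verifier).digest())
    return stream[:16], stream[16:]


def password_opens_file(password: str, salt: bytes, enc_verifier: bytes, enc_verifier_hash: bytes) -> bool:
    """Password verification (MS-OFFCRYPTO 2.3.5.6): decrypt the verifier and its hash with one
    continuous RC4 keystream and accept the password only if SHA1(verifier) matches the hash."""
    key = derive_key(password, salt)
    plain = rc4(key, enc_verifier + enc_verifier_hash)
    verifier, verifier_hash = plain[:16], plain[16:]
    return hashlib.sha1(verifier).digest() == verifier_hash


def opens_with_default_password(salt: bytes, enc_verifier: bytes, enc_verifier_hash: bytes) -> bool:
    """The gateway-side question: would Excel open this file with no user-supplied password?"""
    return password_opens_file(DEFAULT_PASSWORD, salt, enc_verifier, enc_verifier_hash)


# --- Constructed sample values (not taken from any real workbook) ---
SALT = bytes(range(16))
VERIFIER = b"\xa5" * 16

# Attacker-style workbook: sealed with the default password, so Excel opens it silently.
SILENT_ENC_VERIFIER, SILENT_ENC_HASH = make_password_verifier(DEFAULT_PASSWORD, SALT, VERIFIER)
# Conventional malspam workbook: a real password that the email body would have to disclose.
PROMPT_ENC_VERIFIER, PROMPT_ENC_HASH = make_password_verifier("Invoice-2020", SALT, VERIFIER)

if __name__ == "__main__":
    print("default password opens attacker-style file:",
          opens_with_default_password(SALT, SILENT_ENC_VERIFIER, SILENT_ENC_HASH))
    print("default password opens conventionally protected file:",
          opens_with_default_password(SALT, PROMPT_ENC_VERIFIER, PROMPT_ENC_HASH))
```

In practice a mail gateway applies the same test with a real parser instead of constructed values: the open-source `msoffcrypto-tool` command (for example `msoffcrypto-tool -p VelvetSweatshop suspect.xlsx out.xlsx`) decrypts a file that was sealed with the default password, and a failure there means the attachment needs a genuine password. An encrypted OOXML workbook is also easy to spot before any decryption, because it is stored as an OLE compound file (magic bytes `D0 CF 11 E0`) rather than the ZIP container (`PK`) that an unencrypted .xlsx uses.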
In the current campaign, the cybercriminals also used “a blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload,” Gardiner added.
The hardcoded password is a long-known Office behaviour rather than a bug in its own right. It drew attention in 2012 in connection with CVE-2012-0158 (a memory-corruption flaw in the MSCOMCTL ActiveX control that is commonly exploited from Office documents, not a vulnerability in the password handling itself), and the technique was presented at Virus Bulletin in 2013. Mimecast said it has notified Microsoft that the trick is once again being used.
Microsoft Office files such as Excel spreadsheets are a popular means of malware delivery because of their widespread use and familiarity, according to Mimecast. “Certainly, few are ever surprised to receive invoices or financial spreadsheet attachments via email,” Gardiner wrote.
It’s unlikely that LimeRAT will be the only payload distributed using this tactic: “Of course, given the general capability inherent with this Excel-based malware delivery technique, any type of malware is a good candidate for delivery, so Mimecast researchers expect to see it used in many more malicious phishing campaigns in the future,” Gardiner observed.
To avoid falling victim to such an attack, Mimecast recommended close scrutiny of all emails with attached files and, at the administrative level, monitoring network traffic for outbound connections to likely command-and-control (C2) services. Keeping endpoint security systems continuously updated, so that they can better detect malware being loaded or run on the host, can also mitigate these attacks, Mimecast said.