Researchers at the Mimecast Threat Center spotted a new campaign using Excel files to spread LimeRAT malware using the 8-year-old VelvetSweatshop bug.
LimeRAT is a powerful Remote Administration Tool publicly available as an open-source project on GitHub; it can be used by attackers to take over an infected system and install other malicious payloads.
Attackers behind this campaign are creating read-only Excel files that embed the LimeRAT payload, then send them to the potential victims.
The process can be automated because Excel uses the default VelvetSweatshop password to protect files that are saved in read-only mode.
The presence of the ‘VelvetSweatshop’ hardcoded password is known since 2012 and it is tracked as CVE-2012-0158.
To decrypt an encrypted file in read-only mode, Excel first attempts to use the embedded default password, “VelvetSweatshop.” If that succeeds, Excel decrypts and opens the file and runs any macros it contains; Microsoft Office does not generate a warning dialog to notify the user that the file is read-only.
If it fails to decrypt the file using the “VelvetSweatshop” password, Excel will request that the user provide a password.
In short, with a read-only Excel file the attackers need no action from the victims beyond double-clicking the file; no password has to be supplied.
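The mechanism above is a useful triage signal for a mail gateway or an incident responder: an Office attachment that is encrypted yet opens with Excel's built-in default password has had its contents deliberately hidden from scanners while remaining one double-click from execution. The following Python helper is an added example, not code from Mimecast's analysis. It flags OLE-wrapped encrypted OOXML files by the UTF-16LE stream names `EncryptionInfo` and `EncryptedPackage`, optionally attempts decryption with the third-party `msoffcrypto-tool` package using the default password, and then checks the decrypted workbook for a `vbaProject.bin` macro stream. The sample inputs (`SAMPLE_ENCRYPTED_WRAPPER`, `build_sample_ooxml`) are constructed stand-ins, not real Excel files.

```python
"""Triage helper for Office attachments protected with Excel's default
password.  Added example; not part of the original article or Mimecast's
tooling.  Constructed sample inputs are labelled as such below."""
import io
import zipfile
from typing import Optional

# OLE2 / Compound File Binary signature (from the CFB specification).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# An OOXML file encrypted by Office is wrapped in an OLE container whose
# directory holds these two streams.  Directory entry names are stored as
# UTF-16LE, so the search markers are encoded the same way.
ENCRYPTION_STREAMS = [
    name.encode("utf-16-le") for name in ("EncryptionInfo", "EncryptedPackage")
]
# The default password Excel tries before prompting the user.
DEFAULT_PASSWORD = "VelvetSweatshop"


def looks_like_encrypted_office(data: bytes) -> bool:
    """Heuristic: OLE container that names an Office encryption stream.

    Limitation: legacy BIFF8 .xls files signal encryption with a FILEPASS
    record inside the Workbook stream and are not detected by this check.
    """
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in ENCRYPTION_STREAMS)


def decrypt_with_default_password(data: bytes) -> Optional[bytes]:
    """Return the decrypted OOXML bytes if the default password works.

    Returns None when the password is wrong, the file is corrupt, or the
    optional msoffcrypto-tool package is not installed.
    """
    try:
        import msoffcrypto  # pip install msoffcrypto-tool
    except ImportError:
        return None
    try:
        office = msoffcrypto.OfficeFile(io.BytesIO(data))
        office.load_key(password=DEFAULT_PASSWORD)
        out = io.BytesIO()
        office.decrypt(out)
        return out.getvalue()
    except Exception:  # wrong key, not encrypted, or malformed container
        return None


def has_vba_project(ooxml: bytes) -> bool:
    """True if the (decrypted) OOXML zip carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(data: bytes) -> str:
    """Classify an attachment for the gateway or IR queue."""
    if not looks_like_encrypted_office(data):
        return "not-encrypted-ooxml"
    plain = decrypt_with_default_password(data)
    if plain is None:
        # Genuine user password, corrupt file, or decryption library missing:
        # in every case a human or a sandbox should look at it.
        return "encrypted-needs-review"
    if has_vba_project(plain):
        return "default-password-with-macros"
    return "default-password-no-macros"


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed stand-in for a decrypted workbook (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


# Constructed sample: OLE header followed by an EncryptionInfo directory name.
SAMPLE_ENCRYPTED_WRAPPER = (
    OLE_MAGIC + b"\x00" * 24 + "EncryptionInfo".encode("utf-16-le")
)

if __name__ == "__main__":
    print(triage(SAMPLE_ENCRYPTED_WRAPPER))          # encrypted-needs-review
    print(triage(build_sample_ooxml(with_macros=True)))  # not-encrypted-ooxml
```

The verdicts map onto the article's point: a file that decrypts with the default password and carries macros reproduces exactly the no-prompt, no-warning path described above and deserves the highest priority, while anything encrypted that does not open with that password should still be detonated or reviewed rather than passed through on the assumption that it is legitimately protected.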
“Recently, Mimecast threat intelligence researchers came across a campaign which used this Excel VelvetSweatshop encryption technique to deliver LimeRAT, a malicious remote access trojan.” reads the analysis published by the experts.
“In this specific attack, the cybercriminals also used a blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload.”
Mimecast experts also pointed out that the threat actors behind this campaign combined this with other evasion techniques, such as encrypting the content of the spreadsheet so that the exploit and payload are hidden from anti-malware scanners.
Researchers believe that other threat actors could use the VelvetSweatshop technique to deliver weaponized Excel files that attempt to infect victims with various malware.
Mimecast recommended close scrutiny of any email with files attached, the use of an email security system with advanced malware protection capabilities, monitoring network traffic for outbound connections to likely command-and-control (C2) services, and