8-Year-Old VelvetSweatshop Bug Resurrected in LimeRAT Campaign

silversurfer (thread author)
Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware – making use of the hardcoded, VelvetSweatshop default password for encrypted files.

LimeRAT is a full-featured remote access tool/backdoor that can allow attackers to access an infected system and install a range of malware strains, like ransomware, cryptominers, keyloggers or botnet clients.

In the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payload. Typically in malspam scenarios involving Excel files, the files are encrypted and the recipient would need to use a password to decrypt the file. That password is usually included by an attacker in the body of a socially engineered email.

The new attack, however, uses a different tack—it sends malicious, encrypted Excel files using “read-only” mode, according to Mimecast Threat Center’s Matthew Gardiner, writing in a Tuesday blog post about the research.

To decrypt any given encrypted Excel file, Excel first tries to use an embedded, default password, “VelvetSweatshop,” to decrypt and open the file and run any onboard macros or other potentially malicious code. At the same time, it keeps the file in read-only mode, the researcher explained.

If Excel fails to decrypt the file using the “VelvetSweatshop” password, the app will request that the user insert a password. However, in read-only mode, this step is skipped, Gardiner said – and therein lies the new campaign’s threat.

“The Microsoft Office system will not generate any warning dialogs other than noting the file is read-only,” he wrote in the post. “Using this read-only technique, the attacker can reap the obfuscation benefits of file encryption without requiring anything further from the user, taking away one step required of the intended victim for exploitation to occur.”

“This new research demonstrates that making an Excel file read-only — as opposed to locking it — encrypts the file without the need for an externally created password to open it, making it easier to fool a victim into installing the malware,” wrote Gardiner.
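The practical takeaway for defenders is that an encrypted Office file is not an opaque blob: an encrypted .xlsx is an OLE2 compound file (MS-CFB) carrying `EncryptionInfo` and `EncryptedPackage` streams, and that is exactly the container Excel will silently try to open with the built-in “VelvetSweatshop” password. The triage helper below is an added example for this thread, not code from Mimecast, Threatpost or the original poster. It parses the compound-file directory directly so it runs offline, classifies a file as plaintext OOXML, encrypted OOXML, legacy binary or other, and builds a small constructed fixture to exercise itself. It assumes the standard MS-CFB layout and reads only the 109 DIFAT entries held in the header, which is enough for files up to a few megabytes; the stream names, the `classify` verdict strings and the `build_sample_cfb` fixture are this example's own choices.

```python
"""Triage helper: spot encrypted OOXML files, the container the
VelvetSweatshop read-only trick relies on.

Added example for this thread; not code from Mimecast, Threatpost or the
original poster. Assumes the standard MS-CFB layout; only the 109 DIFAT
entries in the header are used, which covers files up to a few megabytes.
"""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
DEFAULT_PASSWORD = "VelvetSweatshop"  # Excel's built-in default, per the article


def _read_fat(data, sector_size):
    """Return the FAT as a flat list of next-sector pointers (header DIFAT only)."""
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 76):
        if fat_sector == FREESECT:
            break
        off = (fat_sector + 1) * sector_size  # sector n starts after the header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    return fat


def cfb_stream_names(data):
    """List the names of every stream and storage entry in a compound file."""
    if not data.startswith(CFB_MAGIC):
        raise ValueError("not an OLE2/CFB compound file")
    sector_shift, = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    first_dir, = struct.unpack_from("<I", data, 48)
    fat = _read_fat(data, sector_size)
    names, seen, sector = [], set(), first_dir
    # Walk the directory sector chain; each 128-byte entry holds a UTF-16 name.
    while sector not in (ENDOFCHAIN, FREESECT) and sector not in seen:
        seen.add(sector)
        base = (sector + 1) * sector_size
        for off in range(base, base + sector_size, 128):
            entry = data[off:off + 128]
            if len(entry) < 128:
                break
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type in (1, 2) and 2 <= name_len <= 64:  # storage or stream
                names.append(entry[:name_len - 2].decode("utf-16-le"))
        sector = fat[sector] if sector < len(fat) else ENDOFCHAIN
    return names


def classify(data):
    """Return 'ooxml-plaintext', 'ooxml-encrypted', 'cfb-legacy', 'cfb-other' or 'unknown'.

    'ooxml-encrypted' is not a malware verdict on its own (legitimately protected
    files look the same); it marks the file for decryption and macro scanning,
    trying DEFAULT_PASSWORD first since Excel would do the same without asking.
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plaintext"
    if not data.startswith(CFB_MAGIC):
        return "unknown"
    names = set(cfb_stream_names(data))
    if {"EncryptionInfo", "EncryptedPackage"} <= names:
        return "ooxml-encrypted"
    if names & {"Workbook", "Book", "WordDocument", "PowerPoint Document"}:
        return "cfb-legacy"
    return "cfb-other"


def build_sample_cfb(stream_names):
    """Constructed fixture: a minimal compound file whose directory lists the
    given (empty) streams. One FAT sector and one directory sector, so at most
    three stream names fit beside the root entry."""
    assert len(stream_names) <= 3
    sector_size = 512
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<IIIIIIII", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<I", header, 72, 0)                          # no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + [FREESECT] * (sector_size // 4 - 2)
    fat_sector = struct.pack("<%dI" % len(fat), *fat)

    def entry(name, obj_type):
        e = bytearray(128)
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        e[0:len(encoded)] = encoded
        struct.pack_into("<HBB", e, 64, len(encoded), obj_type, 1)
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, NOSTREAM)
        struct.pack_into("<I", e, 116, ENDOFCHAIN)
        return bytes(e)

    entries = [entry("Root Entry", 5)] + [entry(n, 2) for n in stream_names]
    directory = b"".join(entries).ljust(sector_size, b"\x00")
    return bytes(header) + fat_sector + directory


if __name__ == "__main__":
    sample = build_sample_cfb(["EncryptionInfo", "EncryptedPackage"])
    print(cfb_stream_names(sample), classify(sample))
```

In a mail-gateway or sandbox pipeline, anything classified `ooxml-encrypted` should be decrypted with the default password (a tool such as msoffcrypto-tool can do this) and then handed to the usual macro and content scanners, rather than being skipped as unreadable. The point the article makes is that the encryption buys the attacker obfuscation at no cost to the victim, so the detection side has to remove that layer itself.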
 

Antus67
Just when you think you're out of the fire, you're fending off another exploit. It's a vicious circle, and these cyber bums won't give up.
