Published on April 1st, 2020
LimeRAT malware is being spread through VelvetSweatshop Excel encryption technique
A new campaign is spreading the LimeRAT Remote Access Trojan by harnessing an old encryption technique in Excel files.
LimeRAT is a simple Trojan designed for Windows machines. The malware is able to install backdoors on infected machines and encrypt files in the same way as typical ransomware strains, add PCs to botnets, and install cryptocurrency miners.
In addition, the modular Trojan can spread through connected USB drives, uninstall itself if a virtual machine (VM) is detected — a typical practice for security researchers attempting to reverse-engineer malware — lock screens, and steal a variety of data which is then sent to a command-and-control (C2) server via AES encryption.
In a new campaign observed by Mimecast, the Trojan is being hidden as a payload in read-only Excel documents spread via phishing emails. Researchers said in a blog post on Tuesday that the Excel documents are saved as read-only — rather than locked — which encrypts the file without requiring the user to type in a password.
To decrypt the file, on open, Excel will attempt to use an embedded, default password, “VelvetSweatshop,” which was implemented years ago by Microsoft programmers. If successful, this decrypts the file and allows onboard macros and the malicious payload to launch, while also keeping the document read-only.
Usually, if decryption through VelvetSweatshop fails, then users are required to submit a password. However, read-only mode bypasses this step, thereby reducing the steps required to compromise a Windows machine.
“The advantage of the read-only mode for Excel to the attacker is that it requires no user input, and the Microsoft Office system will not generate any warning dialogs other than noting the file is read-only,” the researchers say.
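The mechanism described above, from a scanner's point of view, as an added example that is not from the article, Mimecast or Sophos: a password-protected Excel file is an OLE compound container holding `EncryptionInfo` and `EncryptedPackage` streams, and if the default password opens it, Excel will show no prompt. The stream-name search is a constructed heuristic, and `opens_without_prompt` assumes the third-party `msoffcrypto-tool` package is installed.

```python
"""Triage helper for mail-gateway or sandbox use: classify an Office
attachment and report whether it would open silently under Excel's built-in
default password "VelvetSweatshop". Added example; the stream-name check is a
heuristic, and the decrypt step assumes msoffcrypto-tool is installed."""
import io

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # plain OOXML (.xlsx/.xlsm)
# Encrypted OOXML is an OLE container with these two streams; directory entry
# names are stored as UTF-16LE, so the search uses that encoding.
ENC_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]
DEFAULT_PASSWORD = "VelvetSweatshop"  # the hardcoded password Excel tries first


def classify(data: bytes) -> str:
    """Return 'ooxml-plain', 'ooxml-encrypted', 'ole-legacy' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"          # macros, if any, are statically visible
    if not data.startswith(OLE_MAGIC):
        return "other"
    if all(name in data for name in ENC_STREAMS):
        return "ooxml-encrypted"      # payload hidden until decrypted
    return "ole-legacy"               # binary .xls/.doc without encryption


def opens_without_prompt(data: bytes) -> bool:
    """True when the file is an encrypted container keyed to the default
    password, i.e. Excel would decrypt it with no password dialog."""
    if classify(data) != "ooxml-encrypted":
        return False
    import msoffcrypto  # assumed installed: pip install msoffcrypto-tool
    office = msoffcrypto.OfficeFile(io.BytesIO(data))
    try:
        office.load_key(password=DEFAULT_PASSWORD)  # raises on a wrong password
        office.decrypt(io.BytesIO())                # decrypted copy stays in memory
        return True
    except Exception:
        return False


if __name__ == "__main__":
    # Constructed samples: a minimal encrypted-container header and a ZIP header.
    encrypted = OLE_MAGIC + b"\0" * 100 + b"".join(ENC_STREAMS)
    print(classify(encrypted))          # ooxml-encrypted
    print(classify(ZIP_MAGIC + b"\0" * 20))  # ooxml-plain
```

A file classified `ooxml-encrypted` that `opens_without_prompt` is the case the article describes: it looks protected to a static scanner yet opens like an ordinary macro-enabled workbook, so such attachments deserve the same macro analysis as unencrypted ones.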
The new campaign designed to spread LimeRAT makes use of this technique, which was first spotted back in 2013 and presented at a Virus Bulletin conference. In order to pull off a successful attack, the hardcoded password — assigned as CVE-2012-0158 — is exploited.
It is worth noting this issue was addressed a long time ago; however, Sophos notes (.PDF) that the vulnerability has continued to be exploited over the years in a case deemed “remarkable.”
Mimecast says the cyberattackers also use a “blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload.”
Microsoft has been made aware that the vulnerability is once again in use.