LimeRAT malware is being spread through VelvetSweatshop Excel encryption technique

The old tactic is proving fruitful in a new campaign.
Written by Charlie Osborne, Contributing Writer

A new campaign is spreading the LimeRAT Remote Access Trojan by harnessing an old encryption technique in Excel files. 

LimeRAT is a simple Trojan designed for Windows machines. The malware is able to install backdoors on infected machines and encrypt files in the same way as typical ransomware strains, add PCs to botnets, and install cryptocurrency miners. 

See also: This Trojan hijacks your smartphone to send offensive text messages

In addition, the modular Trojan can spread through connected USB drives, uninstall itself if a virtual machine (VM) is detected -- a typical practice for security researchers attempting to reverse-engineer malware -- lock screens, and steal a variety of data which is then sent to a command-and-control (C2) server via AES encryption. 

In a new campaign observed by Mimecast, the Trojan is being hidden as a payload in read-only Excel documents spread via phishing emails. Researchers said in a blog post on Tuesday that the Excel documents are read-only -- rather than locked -- which encrypts the file without making a user type in a password. 

To decrypt the file, on open, Excel will attempt to use an embedded, default password, "VelvetSweatshop," which was implemented years ago by Microsoft programmers. If successful, this decrypts the file and allows onboard macros and the malicious payload to launch, while also keeping the document read-only. 

CNET: Using Zoom while working from home? Here are the privacy risks to watch out for

Usually, if decryption through VelvetSweatshop fails, then users are required to submit a password. However, read-only mode bypasses this step, thereby reducing the steps required to compromise a Windows machine. 

"The advantage of the read-only mode for Excel to the attacker is that it requires no user input, and the Microsoft Office system will not generate any warning dialogs other than noting the file is read-only," the researchers say. 

TechRepublic: FBI warns about Zoom bombing as hijackers take over school and business video conferences

The new campaign designed to spread LimeRAT makes use of this technique, which was first spotted back in 2013 and presented at a Virus Bulletin conference. In order to pull off a successful attack, the hardcoded password -- assigned as CVE-2012-0158 -- is exploited. 

It is worth noting this issue was addressed a long time ago; however, Sophos notes (.PDF) that the vulnerability has continued to be exploited over the years in a case deemed "remarkable." 

Mimecast says the cyberattackers also use a "blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload."

Microsoft has been made aware that the vulnerability is once again in use.

Europol’s top hacking ring takedowns

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards