LimeRAT malware delivered using 8-year-old VelvetSweatshop trick

Researchers spotted a campaign using Excel files to spread LimeRAT malware using the 8-year-old and well-known VelvetSweatshop bug.

Researchers at the Mimecast Threat Center spotted a new campaign using Excel files to spread LimeRAT malware using the 8-year-old VelvetSweatshop bug.

LimeRAT is a powerful Remote Administration Tool publicly available as an open-source project on Github, it could be used by attackers to take over an infected system and install other malicious payloads.

Attackers behind this campaign are creating read-only Excel files that embed the LimeRAT payload, then send them to the potential victims.

In malspam attacks, attackers could encrypt the Excel file by setting up a password, then when the victims receive the email, hackers trick them into opening the attachment using a password included in the content of the message.

The process could be automated using the default VelvetSweatshop password used by Excel to protect the files that have been sent in read-only mode.

The presence of the ‘VelvetSweatshop’ hardcoded password is known since 2012 and it is tracked as CVE-2012-0158.

To decrypt an encrypted file in read-only mode, Excel first attempts to use the embedded, default password, “VelvetSweatshop.” Excel attempts to decrypt and open the file and run any macros it contains. Microsoft Office system will not generate a warning dialog to notify the user that the file is read-only.

If it fails to decrypt the file using the “VelvestSweatshop” password, Excel will request that the user provide a password.

Summarizing, using an Excel file read-only the attackers don’t need any action from the victims, then just need to double-click the file without providing any password.

“Recently, Mimecast threat intelligence researchers came across a campaign which used this Excel VelvetSweatshop encryption technique to deliver LimeRAT, a malicious remote access trojan.” reads the analysis published by the experts.

“In this specific attack, the cybercriminals also used a blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload.”

Mimecast experts also pointed out that threat actors behind this campaign used other techniques in an attempt to evade detection, such as encrypting the content of the spreadsheet hence hiding the exploit and payload.

Researchers believe that other threat actors could use the VelvetSweatshop technique to deliver weaponized Excel files that attempt to infect the victims with verious malware.

Mimecast recommended close scrutiny of any email with files attached, the use of an email security system with advanced malware protection capabilities, monitoring network traffic for outbound connections to likely command-and-control (C2) services, and continuously updating endpoint security systems.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – LimeRAT, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]