LimeRAT malware delivered using 8-year-old VelvetSweatshop Bug


A fresh campaign was found to be using an 8-year-old VelvetSweatshop bug in Excel files to spread LimeRAT malware. It was found by the security researchers at the Mimecast Threat Center.

LimeRAT, a powerful Remote Administration Tool, is available as an open-source project on GitHub. Attackers can use it to take control of an infected system and install other malicious payloads.

The attackers create read-only Excel files in which the LimeRAT payload is embedded and send them to potential victims.

An attacker can easily encrypt an Excel file by setting a password; when victims receive the email, they can be tricked into opening the attachment using a password included in the message.

This technique can be automated using the default VelvetSweatshop password used by Excel to protect the files that have been sent in read-only mode.

However, the presence of the hardcoded ‘VelvetSweatshop’ password has been known since 2012, and it is tracked as CVE-2012-0158.

To decrypt an encrypted file in read-only mode, Excel first tries the embedded default password, “VelvetSweatshop.” Excel attempts to decrypt and open the file and run any macros in it, and Microsoft Office does not give the user any warning notification that the file is read-only.

If it does not succeed in decrypting the file with the “VelvetSweatshop” password, Excel asks the user to provide another password.

The victim does not have to enter anything: the file only has to be double-clicked, and it opens without any password being provided.

Mimecast threat intelligence researchers came across a campaign in which the Excel VelvetSweatshop encryption technique was used to deliver LimeRAT malware.

In this campaign, the attackers also use several other techniques to trick anti-malware systems, encrypting the content of the spreadsheet and thereby hiding the exploit and payload.

According to researchers, it is possible for the cyber criminals to use the VelvetSweatshop method to deliver weaponized Excel files that can infect the victims with various malware.

All users are strongly advised to be vigilant when receiving emails with attachments and to use an email security system with advanced malware protection capabilities.
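A mail gateway can run the same default-password test that Excel runs, so that an encrypted attachment which opens silently is decrypted and scanned instead of passed through. The sketch below is an added example, not code from Mimecast or this article. It assumes the legacy .xls RC4 scheme described in MS-OFFCRYPTO (the article does not say which encryption format the campaign used), assumes the salt and verifier fields were already read from the workbook's FilePass record, and uses constructed sample fields.

```python
import hashlib
import struct

DEFAULT_PASSWORD = "VelvetSweatshop"  # Excel's built-in password named in the article

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(password: str, salt: bytes, block: int = 0) -> bytes:
    """Key derivation for Office binary-document RC4 encryption (MS-OFFCRYPTO)."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()
    h1 = hashlib.md5((h0[:5] + salt) * 16).digest()  # 336-byte intermediate buffer
    return hashlib.md5(h1[:5] + struct.pack("<I", block)).digest()

def password_matches(password: str, salt: bytes, enc_verifier: bytes, enc_hash: bytes) -> bool:
    """True when the password decrypts the verifier so that MD5(verifier) == hash."""
    plain = rc4(derive_key(password, salt), enc_verifier + enc_hash)
    return hashlib.md5(plain[:16]).digest() == plain[16:32]

def opens_without_prompt(salt: bytes, enc_verifier: bytes, enc_hash: bytes) -> bool:
    """The file would open in Excel with no password dialog: decrypt and scan it."""
    return password_matches(DEFAULT_PASSWORD, salt, enc_verifier, enc_hash)

def make_sample(password: str):
    """Constructed input: the three 16-byte FilePass fields for a given password."""
    salt = bytes(range(16))
    verifier = bytes(range(16, 32))
    blob = rc4(derive_key(password, salt), verifier + hashlib.md5(verifier).digest())
    return salt, blob[:16], blob[16:]

if __name__ == "__main__":
    for label, pw in [("default", DEFAULT_PASSWORD), ("custom", "Tr1age-Example")]:
        print(f"{label}: opens silently = {opens_without_prompt(*make_sample(pw))}")
```

Files that fail this check still need a user-supplied password, so they fall under the gateway's ordinary policy for encrypted attachments.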

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
