A new campaign has been discovered which is leveraging Excel files encrypted using the default password “VelvetSweatshop” to infect machines with LimeRAT. The technique of making an Excel file “read-only” by encrypting it with this default password was frequently used to disguise malicious files between 2012 and 2015 but had not been observed recently until this campaign. Because Excel tries the default password automatically, such an encrypted file opens without the recipient having to type in a password. LimeRAT is a Remote Access Trojan (RAT) that targets Windows machines. LimeRAT is capable of installing backdoors, encrypting files, adding infected machines to botnets, stealing data, and installing crypto-miners. The RAT is also able to spread through connected USB drives, and uninstall itself when it detects a virtual machine.
By using read-only files, attackers shield their maldocs from content inspection, since the file contents are encrypted. Because the file merely appears read-only, they also avoid the suspicion that comes with sending a locked file and its password in a phishing email. Training users to scrutinize all unexpected email attachments, not just those which require a password, is an important first step. It is also important to use Endpoint Detection and Response (EDR) tools to monitor workstations and servers for unexpected outbound network connections from Microsoft Office software, or for scripts launched from Office software, as both are potential indicators of communication with command and control systems. More information on this incident can be found at https://www.mimecast.com/blog/2020/03/velvetsweatshop-microsoft-excel-spreadsheet-encryption-rises-again-to-deliver-limerat-malware/
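As an added example (not from the original article or from Mimecast's own tooling), the following Python hunts constructed Sysmon-style events for the two indicators recommended above: an Office application spawning a script host or shell, and an Office application connecting to a non-internal address. It assumes Sysmon's field names (EventID, Image, ParentImage, CommandLine, DestinationIp, DestinationPort) and treats only RFC 1918, loopback and link-local ranges as internal.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

# Office hosts a maldoc runs inside, and the script hosts/shells a macro would launch.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Only these ranges count as internal; a real deployment would also allow-list
# known Microsoft update/licensing endpoints to cut noise.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def _is_external(ip):
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(event):
    """Return an alert string for one Sysmon-style event dict, or None if benign."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: Office app spawning a script host or shell
        parent, child = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return f"office_spawned_script: {parent} -> {child}: {event.get('CommandLine', '')}"
    elif eid == 3:  # network connection: Office app talking to an external host
        image, dest = _basename(event.get("Image", "")), event.get("DestinationIp", "")
        if image in OFFICE_APPS and dest and _is_external(dest):
            return f"office_outbound_connection: {image} -> {dest}:{event.get('DestinationPort')}"
    return None

def scan(lines):
    """Run triage over newline-delimited JSON events and collect the alerts."""
    return [hit for hit in (triage(json.loads(l)) for l in lines if l.strip()) if hit]

# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.vbs"}',
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "EXCEL.EXE invoice.xls"}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationIp": "10.1.2.3", "DestinationPort": 445}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 443}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the wscript.exe launch from EXCEL.EXE and the connection to 203.0.113.10:443, while the explorer-launched Excel and the internal SMB connection are left alone.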