Excel vulnerability aids delivery of malware
Microsoft Office files have long been used as a means of delivering malware payloads, and researchers at Mimecast have identified a rise in LimeRAT malware delivered by abusing an Excel default password.
Excel files are designed to be easily encrypted, which helps attackers evade common malware detection systems when a file is emailed, since scanners cannot inspect the encrypted content.
When you lock an Excel file with a password, you are encrypting the entire file using the password as the encryption/decryption key. But there's a catch: to decrypt a given encrypted spreadsheet, Excel first tries an embedded default password, 'VelvetSweatshop', to decrypt and open the file and run any onboard macros or other potentially malicious code, while keeping the file read-only.
Only if this password fails does Excel prompt the user for one. This is ideal for an attacker, as the file generates no warning other than that it is read-only.
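As an added defender-side triage example (not from the article or Mimecast), this Python flags Office files stored as encrypted OLE containers, the form in which Excel would try its default password silently, and optionally checks whether that default key opens the file using the third-party msoffcrypto-tool library (an assumption; the sample bytes are constructed):

```python
"""Added triage example: flag encrypted Office containers and test the default key.
Detection-only; nothing here runs macros. msoffcrypto-tool is an optional, assumed
third-party library; the sample bytes at the bottom are constructed, not malware."""
import io
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header signature
DEFAULT_PASSWORD = "VelvetSweatshop"              # Excel's built-in default key
# Encrypted .xlsx/.docx files are wrapped in an OLE container holding these two
# streams; directory entries store stream names as UTF-16LE, so search that form.
ENCRYPTION_STREAMS = ("EncryptionInfo", "EncryptedPackage")

def is_ole(data: bytes) -> bool:
    return data[:8] == OLE_MAGIC

def encryption_streams(data: bytes) -> list:
    """Encryption-related stream names whose UTF-16LE form appears in the blob.
    Caveat: legacy BIFF .xls encryption uses a FILEPASS record inside the Workbook
    stream instead, which this string heuristic does not cover."""
    return [n for n in ENCRYPTION_STREAMS if n.encode("utf-16-le") in data]

def triage(data: bytes) -> dict:
    """'encrypted-ole' means Excel would try the default password silently and, if
    it works, open the sheet read-only with any macros available to run."""
    if not is_ole(data):
        return {"verdict": "not-ole", "streams": []}
    streams = encryption_streams(data)
    if "EncryptionInfo" in streams and "EncryptedPackage" in streams:
        return {"verdict": "encrypted-ole", "streams": streams}
    return {"verdict": "plain-ole", "streams": streams}

def default_password_opens(data: bytes):
    """True/False when msoffcrypto-tool can test the default password, None if absent."""
    try:
        import msoffcrypto  # assumption: installed via 'pip install msoffcrypto-tool'
    except ImportError:
        return None
    office = msoffcrypto.OfficeFile(io.BytesIO(data))
    if not office.is_encrypted():
        return False
    try:
        office.load_key(password=DEFAULT_PASSWORD)
        office.decrypt(io.BytesIO())  # decrypt in memory only; inspect in a sandbox
        return True
    except Exception:
        return False

# Constructed samples: an OLE header plus the two stream names, and a zip header.
SAMPLE_ENCRYPTED = (OLE_MAGIC + b"\x00" * 64 + "EncryptionInfo".encode("utf-16-le")
                    + b"\x00" * 16 + "EncryptedPackage".encode("utf-16-le"))
SAMPLE_PLAIN_ZIP = b"PK\x03\x04" + b"\x00" * 32
```

A file that triages as encrypted-ole and opens with the default password deserves the same macro inspection as an unencrypted attachment, because the user will never be asked for a key.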
Matthew Gardiner, director of enterprise security campaigns at Mimecast, writes on the company's blog: "Microsoft Office files are some of the most popular file formats for the delivery of email-borne malware. The Microsoft Office applications that can open and run these files are broadly deployed, the files are easy to change to avoid simple file signature-based detection, are macro-enabled to make running custom code easy, and are regularly distributed by consumers and business people via email. Certainly, few are ever surprised to receive invoices or financial spreadsheet attachments via email."
In the latest attack the cybercriminals also used a blend of other techniques in an attempt to fool anti-malware systems, encrypting the content of the spreadsheet and thereby hiding the exploit and payload.
Once LimeRAT is on a system, the attacker has many capabilities, including delivering ransomware, a cryptominer, a keylogger, or creating a bot client.
Researchers expect this technique to be used in many more malicious phishing campaigns, and Mimecast Threat Center has alerted Microsoft to the campaign.
You can find out more about the threat on the Mimecast blog.