Microsoft Excel’s standard file encryption capabilities can be used to obfuscate and deliver malware.
Mimecast Threat Center researchers have found out a rise in the Lime RAT malware delivery using Microsoft Excel spreadsheet’s Velvet default password. This new research shows that making an Excel file read-only - as opposed to locking it - encrypts the file without the need for an external created password to open it, making it simpler to fool a victim into installing the malware.
How Velvet Sweatshop Paved the Way for Malware Delivery
Microsoft Office® files are some of the most familiar file formats for the delivery of email-borne malware. The Microsoft Office applications that can open and run these files are widely deployed, the files are easy to change to avert simple file signature-based detection, are macro-enabled to create running custom code easy, and are often distributed by clients and businesspeople through email. Certainly, few are ever surprised to receive invoices or financial spreadsheet attachments through email.
However, ease of use and broad deployment has drawbacks. This popularity means that exploiting Excel files has been a part of cybercriminals’ standard attack arsenal for a long time, and receiving password-protected Excel files is also a standard business practice, given the interesting or sensitive content.
Excel files are made to be effortlessly encrypted beforehand to being emailed, which assists attackers evade detection by common malware detection systems. When you lock an Excel file with a password, you are encrypting the whole file using the password as the encryption/decryption key. To open the file, the intended victim would need the same password. When a victim gets an encrypted attachment in a social engineered email, the victim is motivated to use the password included in the phishing email to open the attached file. Just like that, the victim spawned.
But what if attackers could deliver a malicious, encrypted Excel file without wanting the intended victim to do anything other than open the attached file? Skip the part of needing to encourage them to insert the password – slipping via all network defences. Just a simple double-click of the file may do the trick.
To decrypt a given encrypted Excel file, Excel first tries to use the embedded, default password, “Velvet Sweatshop,” to decrypt and open the file and run any onboard macros or other potentially malicious code, while keeping the file read-only. If it fails to decrypt the file using the “Velvet Sweatshop” password, Excel will request that the user insert a password. The benefit of the read-only mode for Excel to the attacker is that it requires no user input, and the Microsoft Office system will not create any warning dialogs other than noting the file is read-only. Using this read-only technique, the attacker can reap the obfuscation benefits of file encryption without needing anything further from the user, taking away one step required of the intended victim for exploitation to take place.
LimeRATMalware Exploited in the Wild
Currently, Mimecast threat intelligence researchers came across a campaign which used this Excel Velvet Sweatshop encryption technique to deliver Lime RAT, a malicious remote access trojan. In this specific attack, the cybercriminals also used a blend of other techniques in a strive to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload. Once Lime RAT has landed, the attacker has many skills at his or her fingertips, which includes delivering ransomware, a cryptominer, a keylogger, or creating a bot client.
Of course, given the general capability inherent with this Excel-based malware delivery technique, any type of malware is a good candidate for delivery, so Mimecast researchers predict to see it used in many more malicious phishing campaigns in the future. Mimecast Threat Center has alerted Microsoft to this campaign.
How to Defend Your Organization Against Payload Malware
Owing to the familiarity and ease of use of Microsoft Excel spreadsheet, the Velvet Sweatshop technique that has risen again to deliver Lime RAT malware will likely prove to be particularly dangerous. Follow these steps to mitigate your risk.
• Train your users to scrutinize all received emails, specifically those with file attachments. While this attack technique reduced the need for user involvement, it did not eliminate it altogether, as receivers were still required to open the file.
• Use an email security system with advanced malware protection capabilities that are designed to include both static file analysis as well as sandboxing to filter out these malicious emails before delivery.
• Monitor your network traffic for outbound connections to likely command-and-control services.
• Constantly update your endpoint security system to increase the likelihood of detecting malicious software loading or running on the host.
Reach out to Mimecast for more information or detail on this research.
This Threat Intelligence Research blog is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. Mimecast Services Limited and its affiliates (collectively, “Mimecast”) have carried out reasonable care in the collecting, processing, and reporting of this information but have not independently verified, validated, or audited the data to verify the accuracy or completeness of the data. Mimecast shall not be responsible for any mistakes or omissions contained on this Threat Intelligence Research blog, and reserve the right to make changes anytime without notice. Mention of non-Mimecast products or services is provided for informational purposes only and constitutes neither an endorsement nor a recommendation by Mimecast. All Mimecast and third-party information provided in this Blog is provided on an “as is” basis. MIMECAST DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, WITH REGARD TO ANY INFORMATION (INCLUDING ANY SOFTWARE, PRODUCTS, OR SERVICES) PROVIDED IN THIS BLOG, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you. In no event shall Mimecast be liable for any damages whatsoever, and in particular Mimecast shall not be liable for direct, special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue or loss of use, cost of replacement goods, loss or damage to data arising out of the use or inability to use any Mimecast website, any Mimecast solution. This includes damages arising from use of or in reliance on the documents or information present on this Blog, even if Mimecast has been advised of the possibility of such damages.
Mimecast is either a registered trademark or trademark of Mimecast Services Limited in the United States and/or other countries. All other trademarks are the property of their respective owners.