Mimecast experts have discovered activity by the LimeRAT malware, which can install backdoors on infected machines, encrypt files the way ordinary ransomware does, enrol computers in botnets, and install cryptocurrency miners on them.
In addition, this modular trojan can spread through connected USB drives, delete itself when it detects a virtual machine, lock the screen, and steal various data, which it then sends to the attackers' command-and-control server.
The researchers noted, however, that the most interesting aspect of this campaign is how LimeRAT is distributed: through phishing emails carrying attached Excel documents that are read-only but not locked.
The attackers revived an old weakness in such files. Back in 2013 it became known that an Excel file encrypted with the password VelvetSweatshop is indeed encrypted, yet opens in Excel without the user ever being asked for a password. This is ideal for attackers, because Excel by default tries the VelvetSweatshop password on every encrypted file it opens.
As a reminder, even then it was assumed that Microsoft programmers had introduced this password as a joke and did not expect anyone to find it. The phrase “velvet sweatshop” describes a sweatshop with comfortable conditions, so it can be assumed that the password was a comment on working conditions at Microsoft.
Now the authors of LimeRAT have remembered VelvetSweatshop. Normally, if decryption with the default password fails, the user is prompted to enter the file's password. Read-only mode, however, makes it possible to get around this step, reducing the number of actions required to compromise a computer.
“For cybercriminals, the advantage of the read-only mode in Excel is that it does not require user input, and Microsoft Office will not generate any warning dialogs except that the file will be read-only,” the researchers explain.
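The defensive consequence of the trick described above is that an encrypted attachment is opaque to content scanners but still opens silently on the endpoint, so the first thing a mail-gateway or triage pipeline needs is a way to spot encrypted Office attachments at all. The following script is an added example written for this article, not code from Mimecast, Sophos or the LimeRAT authors. It relies on one documented fact: an encrypted OOXML file (.xlsx, .docx) is not a ZIP archive but an OLE2/CFB compound file holding "EncryptionInfo" and "EncryptedPackage" streams, whose names are stored in UTF-16LE. The sample byte strings are constructed stand-ins, not real attachments, and the CFB blobs are deliberately minimal rather than fully valid compound files.

```python
# Added example: flag Office attachments that arrive as encrypted containers.
# Not part of the original article; the sample inputs below are constructed.
from dataclasses import dataclass

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # plain, unencrypted OOXML


def _utf16(name: str) -> bytes:
    """CFB directory entries store stream names as UTF-16LE."""
    return name.encode("utf-16-le")


@dataclass
class Verdict:
    container: str   # "zip", "cfb" or "unknown"
    encrypted: bool  # True when OOXML encryption streams are present
    note: str


def triage_office_attachment(data: bytes) -> Verdict:
    """Classify an attachment by container type and encryption streams.

    Only the OOXML encryption wrapper is detected here. Legacy .xls files
    keep their password record inside the Workbook stream, which this
    heuristic does not inspect.
    """
    if data.startswith(ZIP_MAGIC):
        return Verdict("zip", False,
                       "unencrypted OOXML; normal content scanning applies")
    if not data.startswith(CFB_MAGIC):
        return Verdict("unknown", False, "not an Office container")
    has_info = _utf16("EncryptionInfo") in data
    has_pkg = _utf16("EncryptedPackage") in data
    if has_info and has_pkg:
        return Verdict("cfb", True,
                       "encrypted OOXML package: opaque to scanners, and opens "
                       "without a prompt if it uses the VelvetSweatshop default")
    return Verdict("cfb", False,
                   "CFB container without OOXML encryption streams")


# Constructed samples (not real files): a CFB-style blob with the two
# encryption stream names, a plain ZIP-based workbook, and arbitrary bytes.
SAMPLE_ENCRYPTED = (CFB_MAGIC + b"\x00" * 120
                    + _utf16("EncryptionInfo") + b"\x00" * 8
                    + _utf16("EncryptedPackage") + b"\x00" * 64)
SAMPLE_PLAIN_ZIP = ZIP_MAGIC + b"\x14\x00" + b"[Content_Types].xml" + b"\x00" * 32
SAMPLE_NOT_OFFICE = b"hello, this is not a workbook"


def triage_batch(samples: dict) -> dict:
    """Run triage over a name -> bytes mapping; returns name -> Verdict."""
    return {name: triage_office_attachment(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_batch({
        "invoice.xlsx": SAMPLE_ENCRYPTED,
        "report.xlsx": SAMPLE_PLAIN_ZIP,
        "notes.txt": SAMPLE_NOT_OFFICE,
    }).items():
        print(f"{name}: container={verdict.container} encrypted={verdict.encrypted}  {verdict.note}")
```

Flagged attachments can then be handed to a decryption step that tries the default password (for example an Office decryption library such as msoffcrypto-tool with the password VelvetSweatshop); a file that decrypts with that password should be treated like any unencrypted attachment and scanned in full, since Excel will open it on the endpoint without asking anyone.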
It is worth noting that experts at Sophos had previously pointed out that this vulnerability continues to be exploited after all these years and makes for a genuinely interesting case.