LimeRAT Malware Uses Old Password for XLS Files by Default

LimeRAT uses XLS password
Written by Emma Davis

Mimecast experts discovered the activity of the malware LimeRAT, which uses the old password for XLS files, and can also install backdoors on infected machines, encrypt files in the same way as ordinary ransomware, add computers to botnets, and install cryptocurrency miners on them.

In addition, this modular trojan is able to spread through connected USB-drives, delete itself when a virtual machine is detected, lock the screen and steal various data, which are then transferred to the attackers control server – the survival skills of this malware resemble the properties of Xiny Trojan, which runs on Android.

The most interesting in this campaign was the way LimeRAT was distributed. The malware is spread by phishing emails with attached Excel documents that are read-only but not blocked”, – say Mimecast researchers.

Attackers remembered the old vulnerability in such files. The fact is that in 2013 it became known that when setting the VelvetSweatshop password, Excel files are encrypted, but then they open in Excel without entering a password. This is ideal for attackers, since Excel by default verifies the VelvetSweatshop password on all encrypted files.

Let me remind you that even then it was assumed that this password was introduced by Microsoft programmers as a joke, and they did not assume that they would find it. It can be assumed that this password characterizes the working conditions at Microsoft.

Now about “VelvetSweatshop” remembered the authors of LimeRAT. As a rule, if decryption with the default password fails, then the user is asked to enter the password for the file. However, read-only mode allows bypassing this limitation, thereby reducing the number of steps required to compromise a computer.

For cybercriminals, the advantage of the read-only mode in Excel is that it does not require user input, and Microsoft Office will not generate any warning dialogs except that the file will be read-only”, — they explain researchers.

It is worth noting that earlier, Sophos experts found that this vulnerability continues to be used even after many years and is a really interesting case.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)


About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply