8-Year-Old VelvetSweatshop Bug Resurrected in LimeRAT Campaign

An old RAT learns an old trick.

Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware – making use of the hardcoded, VelvetSweatshop default password for encrypted files.

LimeRAT is a full-featured remote access tool/backdoor that can allow attackers to access an infected system and install a range of malware strains, like ransomware, cryptominers, keyloggers or botnet clients.

In the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payload. Typically in malspam scenarios involving Excel files, the files are encrypted and the recipient would need to use a password to decrypt the file. That password is usually included by an attacker in the body of a socially engineered email.

The new attack however, uses a different tack—it sends malicious, encrypted Excel files using “read-only” mode, according to Mimecast Threat Center’s Matthew Gardiner.

“This campaign is notable because it shows off how cybercriminals are continuing to build on ‘old’ underlying techniques to deliver exploits, even ones that companies are well aware exist,” Gardiner told Threatpost.

To decrypt any given encrypted Excel file, Excel first tries to use an embedded, default password, “VelvetSweatshop,” to decrypt and open the file and run any onboard macros or other potentially malicious code. At the same time, it keeps the file in read-only mode, the researcher explained, writing in a Tuesday blog post about the research.

If Excel fails to decrypt the file using the “VelvestSweatshop” password, the app will request that the user insert a password. However, in read-only mode, this step is skipped, Gardiner said – and therein lies the new campaign’s threat.

“The Microsoft Office system will not generate any warning dialogs other than noting the file is read-only,” he wrote in the post. “Using this read-only technique, the attacker can reap the obfuscation benefits of file encryption without requiring anything further from the user, taking away one step required of the intended victim for exploitation to occur.”

This makes it even easier for unsuspecting victims to open them and spread malware.

“This new research demonstrates that making an Excel file read-only — as opposed to locking it — encrypts the file without the need for an external created password to open it, making it easier to fool a victim into installing the malware,” wrote Gardiner.

In the current campaign, Mimecast researchers also said that the cybercriminals used “a blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload,” Gardiner added.

The hardcoded password is a well-known issue addressed in 2012 (CVE-2012-0158) that was also presented at Virus Bulletin in 2013. Mimecast said it has notified Microsoft that the vulnerability is once again being used.

“The VelvetSweatshop technique has developed continuously to be leveraged as an underlying capability for attacks that can be more targeted and more sophisticated, thus making spear-phishing more successful,” Gardiner told Threatpost “There does not appear to be a change or fix from Microsoft in the works. In that case, in order to improve defenses against this method, organizations must use more sophisticated anti-malware technology to monitor traffic and train users to be more cyber-aware.”

Microsoft Office applications like Excel files are a popular means for malware delivery due to their widespread use and recognizability, according to Mimecast. “Certainly, few are ever surprised to receive invoices or financial spreadsheet attachments via email,” Gardiner wrote.

It’s unlikely that LimeRAT will be the only payload distributed using this tactic: “Of course, given the general capability inherent with this Excel-based malware delivery technique, any type of malware is a good candidate for delivery, so Mimecast researchers expect to see it used in many more malicious phishing campaigns in the future,” Gardiner observed.

To avoid being the victim of such an attack, Mimecast recommended close scrutiny of all emails with files attached, as well as, on an administrative level, monitoring network traffic for outbound connections to likely command-and-control (C2) services. Also, continuously updating endpoint security systems to bolster detection of malware loading or running on the host also can mitigate attacks, Mimecast said.

The danger is of course exacerbated by the work-from-home (WFH) phenomenon that’s emerged in the wake of the COVID-19 pandemic.

“What’s old is new again, as is the case with this latest campaign leveraging the LimeRAT trojan embedded within Excel files,” Tal Zamir, CTO and co-founder at Hysolate, said in an emailed comment. “The challenge, however, is that many of us are now working from home; our guard may be down, we may be juggling everything from our jobs to teaching our kids from home, and trying to stay in touch with friends and family during these challenging times. Given this, it’s highly likely that we’re managing the majority of these communications – email, file sharing, web conferencing, etc. — all from the same laptop — which is no longer sitting behind our corporate firewalls, IDS/IPS, or other protections that would normally be in place when working from our corporate offices.”


Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles