Greenland again tells Trump it is not for sale    Saudi, Egyptian FMs discuss over phone situation in Syria and Gaza    Abdullah Kamel unveils plans to launch halal certificate similar to ISO Value of global halal market exceeds $2 trillion    Emir of Madinah launches first phase of Madinah Gate project worth SR600 million    Interior Ministry makes great strides in enhancing national security landscape    MWL Chief meets Pope Francis in Vatican University of Bologna confers on Sheikh Al-Issa Honorary Fellowship in Law    Saudi Arabia starts Gulf Cup 26 campaign with a disappointing loss to Bahrain    Gulf Cup: Hervé Renard calls for Saudi players to show pride    Oman optimistic about Al-Yahyaei's return for crucial Gulf Cup clash with Qatar    Qatar coach Garcia promises surprises as they seek first Gulf Cup 26 win    Do cigarettes belong in a museum    Ukrainian drones hit Russia's oil terminal for second time in a week    Liberal leaders say they have a plan for a new, more effective anti-Trump resistance    Saudi deputy FM meets Sudan's Sovereign Council chief in Port Sudan    Kuwait, India to elevate bilateral relations to strategic partnership Sheikh Mishal awards Mubarak Al-Kabir Medal to Modi    Environment minister inaugurates Yanbu Grain Handling Terminal    Marianne Jean-Baptiste on Oscars buzz for playing 'difficult' woman    PDC collaboration with MEDLOG Saudi to introduce new cold storage facilities in King Abdullah Port Investment of SR300 million to enhance logistics capabilities in Saudi Arabia    My kids saw my pain on set, says Angelina Jolie    Legendary Indian tabla player Zakir Hussain dies at 73    Order vs. Morality: Lessons from New York's 1977 Blackout    India puts blockbuster Pakistani film on hold    The Vikings and the Islamic world    Filipino pilgrim's incredible evolution from an enemy of Islam to its staunch advocate    Exotic Taif Roses Simulation Performed at Taif Rose Festival    Asian shares mixed Tuesday    Weather Forecast for Tuesday    Saudi Tourism Authority Participates in Arabian Travel Market Exhibition in Dubai    Minister of Industry Announces 50 Investment Opportunities Worth over SAR 96 Billion in Machinery, Equipment Sector    HRH Crown Prince Offers Condolences to Crown Prince of Kuwait on Death of Sheikh Fawaz Salman Abdullah Al-Ali Al-Malek Al-Sabah    HRH Crown Prince Congratulates Santiago Peña on Winning Presidential Election in Paraguay    SDAIA Launches 1st Phase of 'Elevate Program' to Train 1,000 Women on Data, AI    41 Saudi Citizens and 171 Others from Brotherly and Friendly Countries Arrive in Saudi Arabia from Sudan    Saudi Arabia Hosts 1st Meeting of Arab Authorities Controlling Medicines    General Directorate of Narcotics Control Foils Attempt to Smuggle over 5 Million Amphetamine Pills    NAVI Javelins Crowned as Champions of Women's Counter-Strike: Global Offensive (CS:GO) Competitions    Saudi Karate Team Wins Four Medals in World Youth League Championship    Third Edition of FIFA Forward Program Kicks off in Riyadh    Evacuated from Sudan, 187 Nationals from Several Countries Arrive in Jeddah    SPA Documents Thajjud Prayer at Prophet's Mosque in Madinah    SFDA Recommends to Test Blood Sugar at Home Two or Three Hours after Meals    SFDA Offers Various Recommendations for Safe Food Frying    SFDA Provides Five Tips for Using Home Blood Pressure Monitor    SFDA: Instant Soup Contains Large Amounts of Salt    Mawani: New shipping service to connect Jubail Commercial Port to 11 global ports    Custodian of the Two Holy Mosques Delivers Speech to Pilgrims, Citizens, Residents and Muslims around the World    Sheikh Al-Issa in Arafah's Sermon: Allaah Blessed You by Making It Easy for You to Carry out This Obligation. Thus, Ensure Following the Guidance of Your Prophet    Custodian of the Two Holy Mosques addresses citizens and all Muslims on the occasion of the Holy month of Ramadan    







Thank you for reporting!
This image will be automatically disabled when it gets reported by several people.



VelvetSweatshop Excel spreadsheet encryption rises again to deliver LimeRAT Malware
Published in The Saudi Gazette on 03 - 04 - 2020

Microsoft Excel's standard file encryption capabilities can be used to obfuscate and deliver malware. Mimecast Threat Center researchers have discovered a rise in the LimeRAT malware delivery using Microsoft Excel spreadsheet's VelvetSweatshop default password. This new research demonstrates that making an Excel file read-only — as opposed to locking it — encrypts the file without the need for an external created password to open it, making it easier to fool a victim into installing the malware.
How VelvetSweatshop Paved the Way for Malware Delivery
Microsoft Office files are some of the most popular file formats for the delivery of email-borne malware. The Microsoft Office applications that can open and run these files are broadly deployed, the files are easy to change to avoid simple file signature-based detection, are macro-enabled to make running custom code easy, and are regularly distributed by consumers and businesspeople via email. Certainly, few are ever surprised to receive invoices or financial spreadsheet attachments via email.
However, ease of use and broad deployment have drawbacks. This popularity means that exploiting Excel files has been a part of cybercriminals' standard attack arsenal for a long time, and receiving password-protected Excel files is also a standard business practice, given the interesting or sensitive content.
Excel files are designed to be easily encrypted prior to being emailed, which helps attackers evade detection by common malware detection systems. When you lock an Excel file with a password, you are encrypting the entire file using the password as the encryption/decryption key. To open the file, the intended victim would need the same password. When a victim receives an encrypted attachment in a social engineered email, the victim is encouraged to use the password included in the phishing email to open the attached file. Just like that, the victim is owned!
But what if attackers could deliver a malicious, encrypted Excel file without requiring the intended victim to do anything other than open the attached file? Skip the part of needing to encourage them to insert the password — slipping through all network defenses. Just a simple double-click of the file would do the trick.
To decrypt a given encrypted Excel file, Excel first tries to use the embedded, default password, "VelvetSweatshop," to decrypt and open the file and run any onboard macros or other potentially malicious code, while keeping the file read-only. If it fails to decrypt the file using the "VelvestSweatshop" password, Excel will request that the user insert a password, as shown in Figure 1 below.
The advantage of the read-only mode for Excel to the attacker is that it requires no user input, and the Microsoft Office system will not generate any warning dialogs other than noting the file is read-only. Using this read-only technique, the attacker can reap the obfuscation benefits of file encryption without requiring anything further from the user, taking away one step required of the intended victim for exploitation to occur.
LimeRAT Malware Exploited in the Wild
Recently, Mimecast threat intelligence researchers came across a campaign, which used this Excel VelvetSweatshop encryption technique to deliver LimeRAT, a malicious remote access trojan. In this specific attack, the cybercriminals also used a blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload.
Once LimeRAT has landed, the attacker has many capabilities at his or her fingertips, including delivering ransomware, a cryptominer, a keylogger, or creating a bot client.
Of course, given the general capability inherent with this Excel-based malware delivery technique, any type of malware is a good candidate for delivery, so Mimecast researchers expect to see it used in many more malicious phishing campaigns in the future. Mimecast Threat Center has alerted Microsoft to this campaign.
How to Defend Your Organization Against Payload Malware
Due to the popularity and ease of use of Microsoft Excel spreadsheet, the VelvetSweatshop technique that has risen again to deliver LimeRAT malware will likely prove to be especially dangerous. Follow these steps to mitigate your risk.
• Train your users to scrutinize all received emails, particularly those with file attachments. While this attack technique reduced the need for user involvement, it did not eliminate it altogether, as receivers were still required to open the file.
• Use an email security system with advanced malware protection capabilities that are designed to include both static file analysis as well as sandboxing to filter out these malicious emails before delivery.
• Monitor your network traffic for outbound connections to likely command-and-control services.
• Continuously update your endpoint security system to increase the likelihood of detecting malicious software loading or running on the host.
Reach out to Mimecast for more information or detail on this research.
— The writer is director of Enterprise Security Campaigns at Mimecast


Clic here to read the story from its source.