Attackers Leverage Excel File Encryption to Deliver Malware

Technique involves saving malicious Excel file as "read-only" and tricking users into opening it, Mimecast says.

Researchers from Mimecast have recently observed a campaign in which threat actors use a rarely seen but simple method of distributing malware that relies on Microsoft Excel's standard file encryption capabilities.


The tactic essentially involves a threat actor hiding malicious code in an Excel file, making the file read-only and then spreading it via phishing email. The attack takes advantage of a default password, "VelvetSweatshop," that is embedded in Excel and can be used to encrypt and decrypt Excel files, Mimecast said in a report Wednesday.


Users who want to encrypt an Excel file before sending it via email have to lock it with a password. The password acts as both the encryption key and the decryption key. To decrypt a locked Excel file, the recipient has to enter the same password that was used to lock it. Threat actors have for some time taken advantage of how the encryption and decryption process in Excel works to distribute malware, Mimecast said.


The typical modus operandi has been to hide malware in an Excel file, encrypt the file using a password, and then distribute the malware via phishing emails with the password included in the content. Users who are tricked into opening the encrypted Excel file with the provided password end up downloading malware onto their systems.


In the latest campaign, threat actors are using Excel to distribute LimeRAT, a well-known Trojan that can be used to download additional malware on compromised systems. But instead of encrypting the malware-laden Excel files, the malware authors are making them "read-only," says Matthew Gardiner, director of enterprise security ..
