Sunday, February 21, 19:16
Home security LimeRAT Trojan: It is spread by Excel file encryption technique

LimeRAT Trojan: It is spread by Excel file encryption technique

A new campaign is spreading the LimeRAT Remote Access Trojan using an old Excel file encryption technique. LimeRAT is a simple Trojan designed for computers Windows. This malware can install backdoors on infected computers and encrypt files in exactly the same way as other types ransomware, add computers to botnets and install miners cryptocurrencies. In addition, the LimeRAT Trojan can spread through connected drives USB, uninstall if a virtual machine (VM) is detected, "lock" screens and steal data that is then sent to a command and control server (C2) via AES (Advanced Encryption Standard) encryption. In a new campaign discovered by Mimecast, the Trojan appears as payload in Excel documents and spread through Phishing messages. Researchers said in a related blog post on the company that Excel documents are read-only - not locked - as Excel encrypts them without requiring users to enter a password.

To decrypt the file, when opened, Excel will try to use a built-in password, "VelvetSweatshop", which was previously used by developers of Microsoft. If this succeeds, Excel decrypts the file and allows macros to be started and malicious payload injected, while keeping the document read-only.

Usually, if decryption through VelvetSweatshop fails, then users must set a password. However, the feature that allows only reading a file bypasses this step, thereby reducing the steps required to access a Windows computer. According to the researchers, the advantage of having a hacker feature that only allows reading in Excel files is that it requires no user input, and the Microsoft Office system will display no warning but only a warning that says file is read-only.

The new campaign created for the dissemination of LimeRAT uses this technique, which first appeared in 2013 and was presented at a conference of Virus Bulletin. In addition, there is a vulnerability identified as CVE-2012-0158, which is exploited by hackers. It is worth noting that this issue has been presented a long time ago. However, Sophos notes that hackers are still exploiting this vulnerability in a case that is considered "remarkable". Mimecast reports that hackers are also using a host of other techniques in an attempt to trick users' systems into encrypting spreadsheet content to hide exploitation and payload. Finally, Microsoft has been informed that this vulnerability is being used again.


Please enter your comment!
Please enter your name here

Every accomplishment starts with the decision to try.


How to add special effects to Instagram messages

Did you know that you can make instant Instagram messages more impressive? Like any other Instagram feature, you can add special ...

Only 270 addresses are responsible for 55% of all money laundering

Cybercriminals who keep their money in cryptocurrencies tend to "launder" money through a small set of online services, according to ...

Twitter: Voice messages are coming! How do we send them?

Twitter will soon support voice messages in both iOS and Android applications. This means that you will be able to send ...

How to connect a Bluetooth headset to a Nintendo Switch

The Nintendo Switch has a headphone jack. However, most headphones have become wireless so you will need a way to connect them ...

How to hide your phone number in Telegram

If you wish to create a Telegram account, you must provide your telephone number. In this way, Telegram validates the ...

Google Assistant: How can you delete your recordings?

Google Assistant can make your daily life much easier. However, it also involves some privacy issues, as ...

Microsoft: Office 2021 / Office LTSC coming in the second half of 2021

Microsoft announced that the Microsoft Office Long Term Service Channel (LTSC) and Office 2021 will be released in 2021, for ...

How to quickly create QR codes with Bing

If you ever need to create a QR code, but you do not know how, Microsoft has an easy-to-use tool available in any program ...

Brave: Onion addresses leaked to DNS traffic

The Tor function included in the Brave web browser, allows users to access .onion dark web domains within ...

What are the 6 most known attacks on gaming companies?

A few days ago, the gaming company Big Huge Games informed the players that it was the victim of an attack, which affected its data ...