LTS Secure Warning: New Attack Campaign Makes Use of VelvetSweatShop Technique to Deliver LimeRAT Malware

Security researchers have identified a new attack campaign that makes use of the VelvetSweatShop encryption technique in Excel to spread LimeRAT malware. The threat actors behind the campaign turned to VelvetSweatShop to improve the effectiveness of their efforts.


Technical Details

The RAT is hidden as a payload in a read-only Excel spreadsheet that is delivered via phishing emails. When the victim opens the file, Excel automatically tries the embedded default password "VelvetSweatShop".

If successful, this decrypts the Excel file and allows the malicious payload and embedded macros to launch. If decryption fails, the user would normally be required to submit a password, but in read-only mode this step is bypassed, reducing the number of steps required to compromise the machine.
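A defensive way to act on the behaviour described above is to spot, at the mail gateway or in a sandbox, attachments that are encrypted OOXML containers before Excel ever gets to try its built-in default password on them. The following is an added example written for this advisory, not code from LTS Secure or from the campaign it describes. It relies on two documented format facts: a password-protected OOXML document (.xlsx, .docx and so on) is wrapped in an OLE2 compound file, and that compound file's directory holds an "EncryptionInfo" stream and an "EncryptedPackage" stream. The code parses only enough of the compound file format to list directory entry names and flags that pair; it performs no decryption. The sample files produced by `build_sample_ole()` are constructed here for the demonstration (the function name and the `triage_office_attachment()` result keys are this example's own choices). Legacy binary .xls workbooks keep their encryption record inside the `Workbook` stream and are not covered by this check.

```python
"""Triage check: is this Office attachment an encrypted OOXML container?

Added example for the advisory, not LTS Secure's own code. Lists the
directory of an OLE2 compound file and flags the EncryptionInfo +
EncryptedPackage pair that marks a password-protected OOXML document.
No decryption is attempted. Sample inputs are constructed below.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE   # FAT marker: last sector in a chain
FATSECT = 0xFFFFFFFD      # FAT marker: sector holds FAT entries
FREESECT = 0xFFFFFFFF     # FAT marker: unallocated sector
NOSTREAM = 0xFFFFFFFF     # directory marker: no sibling / no child


def ole_directory_names(data: bytes) -> list:
    """Return every used entry name in an OLE2 compound file's directory."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 44)

    def sector(n: int) -> bytes:
        # Sector 0 starts after the header, which occupies one sector, so
        # sector n lives at offset (n + 1) * sector_size.
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    # The header DIFAT lists the first 109 FAT sectors, which covers any
    # file small enough to arrive as an e-mail attachment.
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 76)[:num_fat_sectors]:
        s = sector(fat_sector)
        fat.extend(struct.unpack("<%dI" % (len(s) // 4), s))

    # Walk the directory sector chain and decode each 128-byte entry.
    names, seen, sec = [], set(), first_dir_sector
    while sec != ENDOFCHAIN and sec < len(fat) and sec not in seen:
        seen.add(sec)
        s = sector(sec)
        for off in range(0, len(s) - 127, 128):
            entry = s[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]  # bytes incl. NUL
            if entry[66] == 0 or name_len < 2:        # object type 0 = unused
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le"))
        sec = fat[sec]
    return names


def triage_office_attachment(data: bytes) -> dict:
    """Classify an attachment: plain OOXML (zip), encrypted OOXML (OLE2), or other."""
    if data[:2] == b"PK":
        return {"container": "zip", "encrypted_ooxml": False}
    if data[:8] != OLE_MAGIC:
        return {"container": "unknown", "encrypted_ooxml": False}
    names = ole_directory_names(data)
    encrypted = "EncryptionInfo" in names and "EncryptedPackage" in names
    return {"container": "ole2", "streams": names, "encrypted_ooxml": encrypted}


def _dir_entry(name: str, obj_type: int, right: int = NOSTREAM, child: int = NOSTREAM) -> bytes:
    """One 128-byte directory entry (constructed sample data)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = raw.ljust(64, b"\x00")
    entry += struct.pack("<HBB", len(raw), obj_type, 1)          # name len, type, colour
    entry += struct.pack("<III", NOSTREAM, right, child)         # left, right, child
    entry += b"\x00" * 16 + struct.pack("<I", 0) + b"\x00" * 16  # CLSID, state, times
    entry += struct.pack("<IQ", 0, 0)                            # start sector, size
    return entry


def build_sample_ole(stream_names: list) -> bytes:
    """Constructed sample: minimal FAT-consistent OLE2 file with up to three streams."""
    if len(stream_names) > 3:
        raise ValueError("sample builder fits at most three streams in one directory sector")
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<II", header, 44, 1, 1)           # one FAT sector (0); directory at sector 1
    struct.pack_into("<I", header, 56, 4096)            # mini-stream cutoff
    struct.pack_into("<II", header, 60, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_dir_entry("Root Entry", 5, child=1 if stream_names else NOSTREAM)]
    for i, name in enumerate(stream_names, start=1):
        entries.append(_dir_entry(name, 2, right=i + 1 if i < len(stream_names) else NOSTREAM))
    return bytes(header) + fat + b"".join(entries).ljust(512, b"\x00")


if __name__ == "__main__":
    for label, blob in [
        ("encrypted", build_sample_ole(["EncryptionInfo", "EncryptedPackage"])),
        ("legacy-xls-like", build_sample_ole(["Workbook", "\x05SummaryInformation"])),
        ("plain-zip", b"PK\x03\x04" + b"\x00" * 26),
    ]:
        print(label, triage_office_attachment(blob))
```

A flagged file is not proof of malice; legitimate password-protected workbooks produce the same verdict. The value of the check is that it separates the small set of attachments that could open silently under the default password from ordinary OOXML zips, so those few can be routed to a sandbox or to a decryptor that can test the default password and then run the usual macro analysis on the result.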


Impact

  • Collects user and system information.
  • Takes screenshots of the desktop.
  • Steals sensitive or confidential information such as banking-site login credentials and cookies.
  • Uploads and executes further payloads on infected machines (ransomware, cryptominers, worms, etc.).


Recommended Actions

  • Always keep your anti-virus software updated with the latest releases.
  • Periodically run a full system scan on your endpoints.
  • Never download suspicious attachments or click on shady-looking links. Make an effort to educate your users on how to identify malspam.
  • Configure your Firewall/IDS/IPS/Endpoint Protection systems properly so that no gaps are left open.
  • Isolate all compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.