8-Year-Old VelvetSweatshop Bug Resurrected in LimeRAT Campaign
2020-03-31 17:14

Researchers have discovered a fresh campaign using Excel files to spread LimeRAT malware, making use of VelvetSweatshop, the hardcoded default password for encrypted files.

In the observed campaign, threat actors are creating read-only Excel files containing a LimeRAT payload. Typically in malspam scenarios involving Excel files, the files are encrypted and the recipient would need to use a password to decrypt the file.

To decrypt any given encrypted Excel file, Excel first tries to use an embedded, default password, "VelvetSweatshop," to decrypt and open the file and run any onboard macros or other potentially malicious code.

If Excel fails to decrypt the file using the "VelvetSweatshop" password, the app will request that the user enter a password.

"What's old is new again, as is the case with this latest campaign leveraging the LimeRAT trojan embedded within Excel files," Tal Zamir, CTO and co-founder at Hysolate, said in an emailed comment.


News URL

https://threatpost.com/velvetsweatshop-bug-resurrected-limerat/154310/