News

Researchers Warn of Malware Threat in Excel Read-Only Files

• By Kurt Mackie
• 04/01/2020

Researchers from Mimecast reported this week that attackers are hiding malicious payloads in Excel files sent by e-mail by using a standard Excel feature.

It turns out that automatic encryption of Excel files happens when they are saved as "read-only" files. These read-only Excel files will decrypt on the receiving end using a built-in Microsoft password called "VelvetSweatshop." End users don't need to know this password, but they do need to click on the attached Excel file for the automatic decryption to occur, according to Matthew Gardiner, Mimecast's cybersecurity strategist.

"Opening the file is enough," he said in an e-mailed comment. "From there, the decryption is automatic (due to built-in Velvetsweatshop password) and the malware is executed locally. In the specific example, we discovered the attacker was using LimeRAT malware, but it could really be any payload."

This obfuscation technique using read-only Excel files was used "recently" by attackers wielding the LimeRAT Trojan dropper, Mimecast explained, which is used to install even more malware or conduct-targeted phishing attacks. The idea is to gain remote access to a system in order to further install "ransomware, a cryptominer, a keylogger or creating a bot client," Mimecast explained.

The Excel read-only technique was used in this scheme to "fool anti-malware systems."

"Many anti-malware engines have difficulty deciphering encrypted files, so getting 'free' encryption as part of a commonly emailed file -- Excel -- makes it very convenient for the attacker," Gardiner explained.

"Mimecast Threat Center has alerted Microsoft to this campaign," the Tuesday post noted. However, when asked if Microsoft were working on a patch for systems, Gardiner suggested that one may not be coming.

"No patch has been issued and we don't believe Microsoft has determined this to be a vulnerability, more a misuse of functionality," Gardiner said. "Our research was focused on Excel," he added.

Mimecast's post offered some tips "to mitigate your risk." In a nutshell, they include:

• Train end users about the risks, particularly with regard to file attachments.
• Use e-mail security solutions with "static file analysis as well as sandboxing."
• Monitor outbound connections to detect possible command-and control efforts by attackers.
• Keep endpoint security software updated.

The researchers stressed that this Excel read-only technique could be used to obscure any malicious payload in e-mail attachments, and is not specific to the LimeRAT malware.

Mimecast is a maker of cloud-based e-mail security solutions for organizations.