Secplicity - Security Simplified

Powered by WatchGuard Technologies

Does Your Network Box Block All Malware

April 6, 2020 By Trevor Collins


Last week, researchers at Mimecast posted an article detailing an increase in LimeRAT malware hidden in Excel spreadsheets. If you’ve followed our quarterly security reports, you’ll remember we have also found an increase in the use of Excel spreadsheets to deliver malware. Find out more about this increase in Excel-borne malware in our latest report.

Mimecast’s researchers found attackers using a unique take on password-protected Excel spreadsheets to hide malicious code. When an attacker adds a password to a file, Excel encrypts the file’s contents, making it easier for the file to evade detection. Normally, the attacker would need to use social engineering to convince the victim to enter the password to unlock the file and execute the malicious macros. Mimecast found, though, that if you set the file to “readonly” and then use the default password “VelvetSweatshop”, Excel will automatically unlock the file when the user enables document editing. This is because when Excel opens a locked file, it first tries to unlock it using the default password and only prompts the user for a password if that fails.

Using this technique, attackers found a way around basic network-based antivirus. Encryption hides the malicious code inside the file from anti-malware engines. This normally wouldn’t cause such a problem, since the user would need to input a password to unlock the file, but with a default password that Microsoft Excel attempts automatically, no user interaction is needed. The result is malware that evades many anti-malware engines. We tested our APT Blocker (Advanced Persistent Threat) and found that it will decrypt the file, find the malware, and block these files. However, it can’t block files encrypted with a non-default password.
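To make the gap concrete, here is an added example (not WatchGuard’s or Mimecast’s code) of the triage a network scanner can perform: recognise an encrypted OOXML attachment, which is opaque to content scanning, and attempt the same silent default-password decryption that Excel does before handing the payload to the anti-malware engine. It assumes the third-party msoffcrypto-tool package for the decryption step; the sample bytes are constructed, not a real file.

```python
import io

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (OLE) header
ZIP_MAGIC = b"PK\x03\x04"                          # unencrypted OOXML (.xlsx/.docx) is a ZIP
# Encrypted OOXML files are wrapped in an OLE container holding this stream.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
DEFAULT_PASSWORD = "VelvetSweatshop"               # password Excel tries silently on open


def classify_office_file(data: bytes) -> str:
    """Return 'plain-ooxml', 'encrypted-ooxml', 'ole-binary' or 'not-office'.

    Matching the stream name is a triage heuristic, not a full CFB directory
    parse: a legacy .xls encrypted via a BIFF FILEPASS record still shows up
    as 'ole-binary' and needs deeper parsing or a decryption attempt.
    """
    if data.startswith(ZIP_MAGIC):
        return "plain-ooxml"
    if data.startswith(OLE_MAGIC):
        return "encrypted-ooxml" if ENCRYPTED_PACKAGE in data else "ole-binary"
    return "not-office"


def opaque_to_scanner(data: bytes) -> bool:
    """True when a content-scanning engine cannot see the document body as-is."""
    return classify_office_file(data) == "encrypted-ooxml"


def try_default_password(data: bytes):
    """Replicate Excel's silent unlock: decrypt with the default password.

    Assumption: the msoffcrypto-tool package is installed. Returns the decrypted
    bytes (ready for normal scanning), the input unchanged if it was not
    encrypted, or None if the default password does not fit or the package is
    unavailable -- the case the text describes as unblockable at the gateway.
    """
    try:
        import msoffcrypto
        office = msoffcrypto.OfficeFile(io.BytesIO(data))
        if not office.is_encrypted():
            return data
        office.load_key(password=DEFAULT_PASSWORD)
        out = io.BytesIO()
        office.decrypt(out)
        return out.getvalue()
    except Exception:
        return None


# Constructed stand-ins for captured attachments (header bytes only, not real files).
SAMPLE_ENCRYPTED = OLE_MAGIC + b"\x00" * 24 + ENCRYPTED_PACKAGE + b"\x00" * 8
SAMPLE_PLAIN = ZIP_MAGIC + b"[Content_Types].xml"
```

A gateway that flags `opaque_to_scanner()` files and cannot recover them with `try_default_password()` has exactly the blind spot the article describes, which is why the decrypted content must also be checked on the endpoint.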

If you don’t have APT Blocker, many network-based anti-malware engines can block all encrypted files. Most organizations don’t block these files, because then they couldn’t send legitimate encrypted documents to protect their contents from unauthorized access. Instead of outright blocking encrypted documents, we recommend a layered defense that includes endpoint protection with anti-malware on the computer itself. We see this issue with password-protected files as a problem that only a layered defense can solve. Having the protection provided by both the network and the software on the computer is a strong mitigation against this threat. Endpoint protection can inspect the file once it is decrypted and determine whether it is malicious.

Use a layered defense for the best protection against malware. Also, look out for these files: don’t open Microsoft Office files from unknown sources, and if you receive an unknown file that requires a password, never try opening it.
