Last week, researchers at Mimecast posted an article detailing an increase in the LimeRAT malware hidden in Excel spreadsheets. If you’ve followed our quarterly security reports, you’ll remember we have also found an increase in the use of Excel spreadsheets to deliver malware. Find out more about this increase in Excel-borne malware in our latest report.
Mimecast’s researchers found attackers were using a unique take on password-protected Excel spreadsheets to hide malicious code. When an attacker adds a password to a file, Excel encrypts the file’s contents, making it easier for the file to evade detection. Normally, the attacker would need to use social engineering to convince the victim to enter the password to unlock the file and execute the malicious macros. Mimecast found, though, that if you set the file to “read-only” and then use the default password “VelvetSweatshop”, Excel will automatically unlock the file when the user enables document editing. This is because when Excel opens a locked file, it first tries to unlock it using the default password and only prompts the user for a password if that fails.
Using this technique, hackers found a way around basic network-based antivirus. Encryption hides the malicious code inside the file from anti-malware engines. This normally wouldn’t cause such a problem, since the user needs to input a password to unlock the file, but with a default password that Microsoft Excel automatically attempts, no user interaction is needed. This results in malware that can evade many anti-malware engines. We did test our APT blocker (Advanced Persistent Threat) and found it will decrypt the file, find the malware, and block these files. However, it can’t block files that use a non-default password.
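As an added illustration (not code from the original post, from Mimecast or from WatchGuard), the following Python helper shows the defender-side version of the logic described above: flag Office files that are encrypted containers, try Excel’s default password before treating them as unscannable, and only hold files that need a real password. The classification uses the standard library; the decryption step assumes the third-party `msoffcrypto-tool` package is installed.

```python
import io
from typing import Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # plain OOXML (.xlsx/.docx)
DEFAULT_PASSWORD = "VelvetSweatshop"               # tried silently by Excel

# An encrypted OOXML document is an OLE container whose directory holds the
# EncryptionInfo and EncryptedPackage streams; names are stored as UTF-16LE.
ENCRYPTION_MARKERS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]


def classify(data: bytes) -> str:
    """Return 'ooxml', 'ole', 'ole-encrypted' or 'unknown' for a file's bytes."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"                     # unencrypted zip: scannable as-is
    if not data.startswith(OLE_MAGIC):
        return "unknown"
    # Heuristic only: a raw search for the wide-string stream names avoids
    # parsing the FAT. Legacy .xls (BIFF8) encryption uses a FILEPASS record
    # instead and is not detected here.
    if all(marker in data for marker in ENCRYPTION_MARKERS):
        return "ole-encrypted"
    return "ole"                           # legacy binary file, may hold macros


def try_default_password(data: bytes) -> Optional[bytes]:
    """Decrypt with Excel's default password via msoffcrypto-tool (assumed
    installed). Returns the plaintext package for a normal malware scan, or
    None when the file needs a real password, i.e. when Excel would prompt."""
    try:
        import msoffcrypto  # third-party, imported lazily
    except ImportError:
        return None
    try:
        office = msoffcrypto.OfficeFile(io.BytesIO(data))
        office.load_key(password=DEFAULT_PASSWORD)
        out = io.BytesIO()
        office.decrypt(out)
        return out.getvalue()
    except Exception:                      # wrong key or malformed container
        return None


def triage(data: bytes) -> str:
    """Map a file to the action the network layer should take."""
    if classify(data) != "ole-encrypted":
        return "scan"                      # nothing hides the content
    if try_default_password(data) is not None:
        return "scan-decrypted"            # VelvetSweatshop file: scan plaintext
    return "hold-encrypted"                # real password: leave to the endpoint
```

The constructed byte strings below stand in for real files; on a real VelvetSweatshop-protected spreadsheet `triage` returns `scan-decrypted` and the plaintext package can be handed to the regular scanner.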
If you don’t have APT blocker, many network-based anti-malware engines can block all encrypted files. Most organizations don’t normally block these files, because then they can’t send legitimate encrypted documents that protect their contents from unauthorized access. Instead of outright blocking encrypted documents, we recommend a layered defense with endpoint protection, including anti-malware on the computer itself. We see this issue with password-protected files as a problem that only a layered defense can solve. Having the protection provided by both the network and the software on the computer is a strong mitigation against this threat. Endpoint protection will inspect the file once it is decrypted to determine whether it’s malicious.
Use a layered defense for the best protection against malware. Also, look out for these files. Don’t open Microsoft Office files from unknown sources, and if you receive an unknown file that requires a password, you should never try opening it.