Cybercriminals are updating their tactics when it comes to using malicious attached Microsoft Word and Excel documents to not only fool the human recipients, but a device’s security software.
An increase in the number of Excel spreadsheets being used to deliver the LimeRAT remote access trojan using the VelvetSweatshop default password has been tracked by Mimecast. At the same time Securonix has spotted ransomware being spread using weaponized COVID-19/coronavirus-related documents and emails with the intention of disrupting critical healthcare and other businesses’ operations.
Combining LimeRAT with VelvetSweatshop is a particularly unwelcome and powerful technique as it enables the malicious document to appear legitimate to the receiving system by using encryption, Mimecast reported The threat actors are taking advantage of an existing Excel security measure that enables a spreadsheet to be password protected, essentially encrypted, requiring the recipient have the password.
This threat was uncovered by Mimecast Threat Center’s Doron Attias and Tal Dery.
Unfortunately, there is a flaw in the Excel system that can bypass the need for a password to be input that can let a malicious document slip in. Upon being opened the document first checks to see if the embedded default password VelvetSweatshop is still in use. If so, it uses that key to open the malicious document and download the malware.
However, even if the user has swapped in a new password the attacker has the option of opening a new window asking the recipient to enter their password. If the person is fooled and does so LimeRAT is injected. Once on board LimeRAT allows the attacker to deliver ransomware, a cryptominer, a keylogger, or create a bot client.
Securonix spotted the COVID-19 ransomware attacks while monitoring new threats being used against employees who now find themselves working from home.
The ransomware being used against healthcare facilities and critical business operations uses a socially engineered phishing attack that presents itself as a COVID-19 situation report. The document, in fact, carries a new variant of SNSLocker and upon being opened immediately begins encrypting files and demanding a .35 bitcoin ransom payment.
Another version of the attack is also spread via a particularly egregious phishing email, this time containing a note telling the person they have the Coronavirus. The email states it is from a specific hospital and may say where it is believed the person was infected.
This variant replaces SNSLocker with one of several info stealers that are capable of finding and removing web browser cookies, enumerate system information and shares, stealing cryptocurrency wallets and then exfiltrating stolen information.
Defending a company from these attacks follows the same basic principles as with any phishing attacks. Employees must be instructed to scrutinize all emails and not download any suspicious documents. Additionally, all systems must be updated and patched for any known vulnerabilities. On the IT side, admins should monitor network traffic for outbound connections to likely command-and-control services, Mimecast said.
Securonix has several additional recommendations:
- Unusual severity event for your VPN server device
- Account authentication from a rare geolocation
- VPN connection from anonymous proxy
- Connection to a rare domain for a peer group followed by an executable download
- Landspeed anomaly
- Emails from typosquatted domain
- Abnormal number of emails sent to a rare external recipient
- Abnormal amount of data sent to a rare external recipient
- Unusual VPN session length
- Unusual amount of data for VPN session compared to peers
- Unusual sensitive data access increase for a user