Hackers Can Target Your Computer and Spread Malware Through Excel Encryption Technique

By now, most Internet users are savvy about the danger of downloading strange files from suspicious emails that end up in their inbox. This has forced hackers to employ more complex forms of social engineering and obfuscation, as well as more advanced tools, to carry out their attacks, although the foundations that these cybercrooks work from have remained the same for decades. Case in point – the recent LimeRAT infestation that’s spread through Microsoft Excel files.

Yes, most users are aware of and on the lookout for suspicious emails. This is why hackers nowadays make an effort to make their fraudulent messages look as legitimate as possible. They often use the names and logos of well-known and well-respected companies in an attempt to dupe the user into downloading a malicious file.
This is where the ingenious bit comes in – if the file looks too suspicious, the user may notice it and dodge the attempt. Additionally, if said user has a decent anti-malware solution active on their device, it’s going to quarantine or outright delete the offending file before it can do any harm. So, since the payload can’t be downloaded directly, it must go through a layer of obfuscation, both to trick the user and to trick their defenses.

Using Microsoft Excel for this purpose is hardly a new tactic – in fact, it’s been around for more than ten years, with notable cases reported as far back as 2009. What’s interesting is that it’s making a resurgence, with a few notable additions.

The payload that the attackers use is still the tried and true LimeRAT remote access trojan, which has been around for ages and has been used for years to steal information from users’ machines and drop additional malware on them. It is notorious for its ability to spread through connected USB drives, uninstall itself if it detects a virtual machine, lock screens, and steal all sorts of user data, which it then encrypts with AES and sends to a command-and-control server if it can.

However, what’s notable about this latest campaign featuring MS Excel files is that it uses read-only .xls files to download LimeRAT onto the user’s PC. Read-only Excel files are encrypted, so they can slip through malware detection software unexamined, but Excel automatically decrypts them on opening using a built-in default password. Basically, the file remains obfuscated during download, but once it’s on the PC, it can be used to infect it. Additionally, the user doesn’t need to enter a decryption key to unlock it, so the actual malicious payload is delivered without any extra step on their part.
So, what can users do to protect themselves against such ingenious attacks?
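The trick described above works because the .xls Workbook stream starts with a FilePass record announcing that the rest of the stream is encrypted, and scanners that cannot read past it see only ciphertext. The following Python, added here as an example and not part of the original article or of any product it mentions, walks the BIFF records of a Workbook stream and reports whether and how the file is encrypted, so that a mail gateway or scanner can flag such attachments for decryption with Excel’s built-in default password and a proper scan instead of passing them through unexamined. It assumes the Workbook stream has already been extracted from the OLE container (for instance with the olefile library); the sample streams are constructed inline.

```python
import struct
# BIFF8 record types used here (from MS-XLS). Record headers (type and length)
# are never encrypted, so a scanner can walk an encrypted Workbook stream.
BOF = 0x0809       # Beginning Of File: opens every substream
FILEPASS = 0x002F  # FilePass: announces that record payloads from here on are encrypted
EOF_REC = 0x000A   # End Of File: closes the Globals substream

def iter_records(stream: bytes):
    """Yield (record_type, payload) for each BIFF record in the byte string."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rtype, stream[off:off + rlen]
        off += rlen

def encryption_info(workbook_stream: bytes):
    """Return None when the Workbook stream has no FilePass record, otherwise a
    dict naming the encryption scheme the record announces."""
    records = iter_records(workbook_stream)
    first = next(records, None)
    if first is None or first[0] != BOF:
        raise ValueError("not a BIFF Workbook stream (missing leading BOF)")
    for rtype, body in records:
        if rtype == EOF_REC:   # FilePass can only appear in the Globals substream
            break
        if rtype != FILEPASS:
            continue
        (enc_type,) = struct.unpack_from("<H", body, 0)
        if enc_type == 0:      # legacy XOR obfuscation: 16-bit key and hash
            return {"scheme": "XOR obfuscation"}
        vmajor, vminor = struct.unpack_from("<HH", body, 2)
        if (vmajor, vminor) == (1, 1):
            return {"scheme": "RC4 standard", "version": (vmajor, vminor)}
        return {"scheme": "RC4 CryptoAPI", "version": (vmajor, vminor)}
    return None

def make_record(rtype: int, body: bytes) -> bytes:
    """Build one BIFF record: little-endian type, length, then payload."""
    return struct.pack("<HH", rtype, len(body)) + body

# Constructed sample streams (not taken from any real document): a BIFF8
# globals BOF, optionally a standard-RC4 FilePass with dummy salt/verifier, then EOF.
BOF_BODY = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006)
RC4_FILEPASS = struct.pack("<HHH", 1, 1, 1) + b"\x11" * 16 + b"\x22" * 16 + b"\x33" * 16
SAMPLE_PLAIN = make_record(BOF, BOF_BODY) + make_record(EOF_REC, b"")
SAMPLE_ENCRYPTED = make_record(BOF, BOF_BODY) + make_record(FILEPASS, RC4_FILEPASS) + make_record(EOF_REC, b"")
```

A non-None result is the signal to decrypt the attachment before scanning rather than to let it through; a file that asks for no password at open time yet carries a FilePass record is exactly the pattern this campaign relies on.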

Carefully Check the Email’s Sender

This is a sure-fire way to spot malware peddlers. If you receive an email from a suspicious sender who doesn’t look like they have anything to do with the subject of the email, that’s a dead giveaway that a cybercriminal is trying to compromise your machine. While the sender can make the message appear pretty much any way they want, they can do very little to hide the bogus nature of the address from which it was sent.

Don’t Download Unsolicited Files

Never download files received via unsolicited emails.

Look Out for Strange Files

Even if you trust the source of the email and it looks legitimate, ask yourself – does it make sense that this person would send me this type of file? Why would a Facebook or Google employee, for instance, try to send you a .xls file? They probably wouldn’t. If the situation doesn’t make sense upon close examination, the likely explanation is that you were the target of a malware peddler.

April 24, 2020