Lime RAT

Lime RAT Description

LimeRAT is a simple Remote Access Trojan that nonetheless delivers a vast set of nefarious functionalities to threat actors. The threat is designed to infect Windows systems and has a modular composition that can be adjusted to act according to the hackers' needs. It can establish a backdoor on the compromised machine and execute arbitrary commands. If instructed, LimeRAT can deploy crypto-miner payloads or initiate an encryption routine that will lock the targeted file types in a manner similar to ransomware threats. Furthermore, all successfully infiltrated systems can be added to botnets. 

If this wasn't enough, LimeRAT can also act as a screen locker or as a data collector that harvests private data and files and exfiltrates them to its Command-and-Control (C2, C&C) server. All uploaded information is first encrypted with the AES cryptographic algorithm. The malware can also detect USB drives connected to the infected system and use them to spread itself further.

LimeRAT has multiple detection-avoidance and anti-virtualization techniques at its disposal. It can scan for signs of being run in a virtual machine (VM) and uninstall itself if needed. 

Infection via an Old Excel Encryption Technique

LimeRAT is being spread as read-only Excel documents in a recently detected attack campaign. The Trojanized documents are attached to phishing emails aimed at the selected target group. The decision to use read-only documents rather than locked ones is deliberate. Read-only files do not require a password to be opened and can also be employed in an old Excel exploitation technique. When such a file is opened, Excel tries to decrypt it with an embedded default password, 'VelvetSweatshop', while also enabling the onboard macros and allowing the corrupted payload to initiate its attack chain. The use of this technique dates back to 2013 and the exploit has been assigned the CVE-2012-0158 designation. Although the issue was addressed a long time ago, it seems that cybercriminals are once again returning to it in an attempt to infect new victims.
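A triage check a mail gateway could apply to the attachments described above, written as an added example that is not from the original article or from any LimeRAT analysis. It assumes that an encrypted Excel workbook arrives inside an OLE compound file carrying the "EncryptionInfo" and "EncryptedPackage" streams, and the sample attachments it builds are constructed stand-ins, not real malware.

```python
"""Flag Office attachments that Excel would silently open with its default password.

Excel transparently decrypts a workbook that was encrypted with the built-in
password "VelvetSweatshop", so a gateway must not treat "encrypted, therefore
unreadable" as "harmless".  Encrypted OOXML files are wrapped in an OLE compound
file whose directory holds the streams "EncryptionInfo" and "EncryptedPackage";
directory entry names are stored as UTF-16LE, which is what the heuristic scans for.
"""

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"  # the default password named in the article
ENCRYPTION_STREAMS = ("EncryptionInfo", "EncryptedPackage")


def is_ole_container(data: bytes) -> bool:
    """True if the bytes start with the OLE2 compound-file signature."""
    return data[:8] == OLE_MAGIC


def has_encryption_streams(data: bytes) -> bool:
    """True if both OOXML encryption stream names appear as UTF-16LE directory names."""
    return all(name.encode("utf-16-le") in data for name in ENCRYPTION_STREAMS)


def triage_attachment(data: bytes) -> str:
    """Classify an attachment for the sandbox queue (verdict strings are assumptions)."""
    if not is_ole_container(data):
        return "not-ole"  # plain OOXML zip, PDF, etc.: handled by other checks
    if has_encryption_streams(data):
        # The sandbox should try DEFAULT_EXCEL_PASSWORD before treating this as unreadable.
        return "encrypted-office-try-default-password"
    return "ole-unencrypted"


def build_sample(encrypted: bool) -> bytes:
    """Constructed stand-in for an attachment: OLE header plus minimal directory entries."""
    def entry(name: str) -> bytes:
        # A CFB directory entry is 128 bytes: 64-byte UTF-16LE name (NUL-terminated),
        # 2-byte name length, then fields this sample leaves zeroed.
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return raw.ljust(64, b"\x00") + len(raw).to_bytes(2, "little") + b"\x00" * 62

    names = ["Root Entry"] + (list(ENCRYPTION_STREAMS) if encrypted else ["Workbook"])
    header = OLE_MAGIC.ljust(512, b"\x00")  # one 512-byte header sector
    return header + b"".join(entry(n) for n in names)
```

In a real pipeline the flagged files would then be decrypted in the sandbox with the default password (for example with the msoffcrypto-tool library) so that the embedded macros can be analysed.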