Author Archives: laurenklass

Encrypted VelvetSweatshop Password Still a Threat to Excel Files

Office documents, such as Word and Excel files, can be password-protected using a symmetric key encryption mechanism involving one password which is the key to both encrypt and decrypt a file. Malware writers use this key as an additional evasion technique to hide malicious code from anti-virus (AV) scanning engines. The problem is that encrypting a file introduces the disadvantage of requiring a potential victim to enter a password (which is normally included in the phishing or spam email containing the encrypted attachment). This makes the email and the attachment very suspicious, thus greatly reducing the chance that the intended victim will open the encrypted malicious attachment.

The good news (for the attackers) is that Microsoft Excel can automatically decrypt a given encrypted spreadsheet without asking for a password if the password for encryption happens to be VelvetSweatshop. This is a default key stored in Microsoft Excel program code for decryption. It’s a neat trick that attackers can leverage to encrypt malicious Excel files in order to evade static-analysis-based detection systems, while eliminating the need for a potential victim to enter a password.

The embedded VelvetSweatshop key in Excel is not a secret. It has been widely reported for many Continue reading

Threat Intelligence Report: Targeted Snake Ransomware

In the last few weeks, VMware NSX threat telemetry revealed the submission of a Windows executable Ransomware sample, written in Go, which is related to the Snake Ransomware family.

This ransomware specifically targeted the Honda network, and was found to be quite sophisticated. The ransomware appears primarily to be targeting servers, as it has logic to check for the type of host it is infecting, and it attempts to stop many server-specific services/processes. Hard-coded strings are encrypted, source code is obfuscated, and the ransomware attempts to stop anti-virus, endpoint security, and server log monitoring and correlation components. This ransomware family has ties to Iran and has historically been observed targeting critical infrastructure such as SCADA and ICS systems. More recently, the malware has been observed targeting healthcare organizations. Most interestingly, and unlike other variants, the malware analyzed in this threat report does not drop any ransom note to desktop machines.

To learn more, read our Targeted Snake Ransomware Report.

The post Threat Intelligence Report: Targeted Snake Ransomware appeared first on Network and Security Virtualization.

COVID-19 Cyberthreat and Malware Updates

It has been over three months since our last report on COVID-19themed attacks [1]. During this period, the tragedy of the COVID-19 pandemic has continued to dominate our daily livesfe. On the digital virus sidesSince our lastthat report [1] we have been closely tracking the cyberthreat landscape that leveraging leverages the COVID-19 themes. In the last report, we discovered that the majority of the attacks were involved infostealersThe oIn observations made from over the past two months witnessed similar infostealers1 as reported in [ again played a key role1]HoweverIn the meanwhile, we also detected other threats not that we hadn’t seen earlier, such as the Emotet campaign and remote access Trojan (RAT) attacks.  

In this blog post, we first present the our most recent telemetry data, as reported by some VMware customers,, in order to exhibit highlight the diversity and magnitude of the attacks. Next, we investigate the Emotet campaign, as it is the most dominant wave seen in this period. More specifically, we analyze one of the samples from the campaign to reveal the tactics, techniques, and procedures (TTPs) used in the attack, and discuss how the Emotet payload variant is different from the one we reported recently [2].2 

The post COVID-19 Cyberthreat and Malware Updates appeared first on Network and Security Virtualization.

Virtual Patching with VMware NSX Distributed IDS/IPS

Patching: The Perennial Problem  

Cybersecurity consumes an ever-increasing amount of our time and budgets, yet gaps remain and are inevitably exploited by bad actors. One of the biggest gaps is unpatched vulnerabilities: a recent survey found that 60% of cyberattacks in 2019 were associated with vulnerabilities for which patches were availablei.   

Most companies have a patch schedule that is barely able to keep up with applying the most important patches to the most critical vulnerabilities. Yet new ones crop up all the time: approximately 15,000 new vulnerability are discovered every year, which translates to one every 30 minutes ii. They impact all types of workloads, from multiple vendors, as well as open source projects.  

It’s a constant race to try to find and fix the most dangerous vulnerabilities before the bad actors can exploit them. But ignoring them is not an option.  

The Simplest Approach is Not So Simple  

Why not just patch everything or fix flaws in the code? Because it’s operationally challenging – and almost impossible 

First, patching is an expensive and largely manual process. Second, applications may rely Continue reading