LimeRAT malware is being spread through VelvetSweatshop Excel encryption technique

ZD Net – Charlie Osborne
In a new campaign observed by Mimecast, the Trojan is being hidden as a payload in read-only Excel documents spread via phishing emails. Researchers said in a blog post on Tuesday that the Excel documents are read-only — rather than locked — which encrypts the file without making a user type in a password.

To decrypt the file, on open, Excel will attempt to use an embedded, default password, “VelvetSweatshop,” which was implemented years ago by Microsoft programmers. If successful, this decrypts the file and allows onboard macros and the malicious payload to launch, while also keeping the document read-only.
Link: https://www.zdnet.com/article/limerat-malware-is-being-spread-through-velvetsweatshop-excel-encryption-technique/
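
A mail or file scanner can use the behaviour described above to separate attachments that open silently with the default password from ones that need a user-supplied one. The following is an added example, not code from the article or from Mimecast: it assumes the legacy .xls RC4 scheme documented in MS-OFFCRYPTO (the article does not say which scheme the campaign's files used), takes the salt and verifier fields of the workbook's FilePass record as already extracted, and uses hypothetical function names and constructed sample values.

```python
import hashlib
import struct

DEFAULT_PASSWORD = "VelvetSweatshop"  # Excel's embedded default, as named in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(password: str, salt: bytes, block: int = 0) -> bytes:
    """MD5-based key derivation of the MS-OFFCRYPTO binary-document RC4 scheme."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()
    h1 = hashlib.md5((h0[:5] + salt) * 16).digest()
    return hashlib.md5(h1[:5] + struct.pack("<I", block)).digest()


def opens_with(password: str, salt: bytes, enc_verifier: bytes, enc_hash: bytes) -> bool:
    """True if `password` satisfies the verifier stored in the FilePass fields."""
    plain = rc4(derive_key(password, salt), enc_verifier + enc_hash)
    return hashlib.md5(plain[:16]).digest() == plain[16:32]


def make_filepass(password: str, salt: bytes, verifier: bytes):
    """Build constructed FilePass fields for the samples below (test data only)."""
    blob = rc4(derive_key(password, salt), verifier + hashlib.md5(verifier).digest())
    return salt, blob[:16], blob[16:]


def triage(salt: bytes, enc_verifier: bytes, enc_hash: bytes) -> str:
    if opens_with(DEFAULT_PASSWORD, salt, enc_verifier, enc_hash):
        return "default-password: decrypt and scan macros before delivery"
    return "user-password: content cannot be inspected without the password"


# Constructed samples: fixed salt and verifier so the result is reproducible.
SALT, VERIFIER = bytes(range(16)), bytes(range(16, 32))
SAMPLE_DEFAULT = make_filepass(DEFAULT_PASSWORD, SALT, VERIFIER)
SAMPLE_OTHER = make_filepass("constructed-other-password", SALT, VERIFIER)
```

An encrypted workbook that passes the default-password check will open for the recipient with no prompt, so a gateway should treat it as inspectable content rather than as an opaque protected file.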

