A malicious spam campaign, distributed by the Necurs botnet, is using a new attachment type that is doing a good job in bypassing your and mail filters. 

The attachments are Excel Web Query files and have a .IQY extensiion. When opened they will attempt to pull data from external sources. 

The problem is that the external data being imported by the spreadsheet can also be a formula that will be executed by Excel. These formulas can then be used to locally launch PowerShell scripts which download and install malware onto the computer.

spam-2  - spam 2 - New Phishing Campaign Uses IQY Attachments to Bypass Antivirus And Installs RATs

As per a report by Barkly, there have been at least three spam campaigns utilizing IQY attachments. One was discovered on May 25th by MyOnlineSecurity where he reported how well they were bypassing AV filters. A second campaign was discovered by security researcher Magni R. Sigurdsson, and a third campaign was discovered again by MyOnlineSecurity.

The spam emails pretend to be purchase orders, scanned , or unpaid invoices that contain IQY attachments.

When the IQY files are opened they connect to a remote site that executes PowerShell commands that ultimately download and install a preconfigured version of AMMYY Admin. AMMYY Admin is a legitimate remote administration tool that is being utilized by the attackers to gain remote access to a victim’s computer.

IQY files are easy to make

IQY files are simply files that contain a few lines of consisting of the source type, the source location, various parameters to be used during the query, refresh intervals, etc. The problem is that the data returned from the external source can also contain Excel formulas that launch applications on the computer.

Excel offers many warnings. Don’t ignore them!


excel-security-warning  - excel security warning - New Phishing Campaign Uses IQY Attachments to Bypass Antivirus And Installs RATs


The good news is that Excel provides plenty of warnings when a user opens a IQY file that “should” indicate that something is not right. Unfortunately, people tend to ignore warnings and thus get infected. This is why it is important to understand what you would see when you open a malicious IQY document and to not just click on the Enable and Yes buttons.

When an IQY file is first opened the user will be presented with a “ Excel Security Notice” that the user that an external data connection is being made.

This is the first warning that something is not right and users should click on the “Disable” button so that the connection is not made. Therefore, be smart. Do not allow Excel to start other applications or create external connections or you will regret it. More technical detail at Bleepingcomputer.


Source link
Based Blockchain Network


Please enter your comment!
Please enter your name here