A malicious spam campaign, distributed by the Necurs botnet, is using a new attachment type that is doing a good job in bypassing your antivirus and mail filters.
The attachments are Excel Web Query files and have a .IQY extensiion. When opened they will attempt to pull data from external sources.
The problem is that the external data being imported by the spreadsheet can also be a formula that will be executed by Excel. These formulas can then be used to locally launch PowerShell scripts which download and install malware onto the computer.
As per a report by Barkly, there have been at least three spam campaigns utilizing IQY attachments. One was discovered on May 25th by MyOnlineSecurity where he reported how well they were bypassing AV filters. A second campaign was discovered by security researcher Magni R. Sigurdsson, and a third campaign was discovered again by MyOnlineSecurity.
The spam emails pretend to be purchase orders, scanned documents, or unpaid invoices that contain IQY attachments.
When the IQY files are opened they connect to a remote site that executes PowerShell commands that ultimately download and install a preconfigured version of AMMYY Admin. AMMYY Admin is a legitimate remote administration tool that is being utilized by the attackers to gain remote access to a victim's computer.
IQY files are easy to make
IQY files are simply text files that contain a few lines of text consisting of the source type, the source location, various parameters to be used during the query, refresh intervals, etc. The problem is that the data returned from the external source can also contain Excel formulas that launch applications on the computer.
Excel offers many warnings. Don't ignore them!
The good news is that Excel provides plenty of warnings when a user opens a IQY file that "should" indicate that something is not right. Unfortunately, people tend to ignore warnings and thus get infected. This is why it is important to understand what you would see when you open a malicious IQY document and to not just click on the Enable and Yes buttons.
When an IQY file is first opened the user will be presented with a "Microsoft Excel Security Notice" that warns the user that an external data connection is being made.
This is the first warning that something is not right and users should click on the "Disable" button so that the connection is not made. Therefore, be smart. Do not allow Excel to start other applications or create external connections or you will regret it. More technical detail at Bleepingcomputer.
Free Phishing Security Test
91% of successful data breaches started with a spear phishing attack
Would your employees ignore the warnings and open infected attachments? We help you train your employees to better manage the urgent IT security problems of social engineering, spear phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our free test.
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: