The Necurs botnet – most notably responsible for distributing Locky – is now pushing weaponized internet or web query (.IQY) files to evade detection and download malware.
If you’re not familiar with .IQY files, these Excel files are used to pull data from the internet into a spreadsheet. They contain an embedded URL, which Excel uses to pull the data from the specified webpage.
IBM X-Force Exchange found over 780K instances of spam containing IQY files from May to July 2018 distributed by Necurs. The IQY file is an unusual file type, which often lets it slip past security tools. It’s also a relatively easy file to create – it’s a small text-based file that attackers can craft and modify quickly.
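Because the file is plain text with the URL in the clear, a mail filter can read it directly. The triage sketch below is an added example, not code from IBM X-Force or the original post: it walks a message's attachments, recognises a web query by its leading `WEB` line even if the extension was changed, and extracts the embedded URL for blocking or reputation lookup. The sample message, file names and URL are constructed, and the `WEB` / version / URL layout is assumed to be the common IQY layout.

```python
import email
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

def parse_iqy(text):
    """Return the URL embedded in a web query file, or None if text is not one."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    if not lines or lines[0].upper() != "WEB":   # assumed header line of an IQY file
        return None
    for ln in lines[1:]:                         # version line first, then the URL
        if ln.lower().startswith(("http://", "https://", "ftp://")):
            return ln
    return None

def scan_message(raw):
    """List attachments that are web queries by extension or by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        url = parse_iqy(body)
        is_iqy_name = name.lower().endswith(".iqy")
        if url is None and not is_iqy_name:
            continue                             # ordinary attachment, not a web query
        findings.append({
            "file": name,
            "url": url,
            "host": urlparse(url).hostname if url else None,
            "renamed": not is_iqy_name,          # web query content under another extension
        })
    return findings

def build_sample():
    """Constructed test message: one benign attachment and one IQY attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"WEB\r\n1\r\nhttp://files.example.invalid/2.dat\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="invoice_0412.iqy")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```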
The good news is that Microsoft designed these files to require user intervention, as shown below.
But crafty social engineering scams are being created daily to trick unsuspecting users into clicking “Enable” to allow these files to download malware.
The IQY file is just one of countless methods used by cybercriminals in their quest to fool your employees into participating in an attack. Users need to be trained on this and other attack methods through Security Awareness Training, so that they can spot specific attacks like this one and develop a heightened sense of security that makes them suspicious of anything that looks out of the ordinary.