22

JUNE, 2018

Excel
PowerShell
Malicious

Threat actors behind the “Necurs” botnet have created a new spam email campaign using Excel Web Query (.iqy) files to bypass antivirus software, and trick users into downloading and running malicious scripts.

Excel Web Query (.iqy) files are simple text-based files that open by default and are used to download data from a remote source directly into Excel. The .iqy files used in these campaigns download a PowerShell script, which is launched via Excel and kicks off a chain of malicious downloads.

The campaign can bypass antivirus software due to not containing any malicious content and can be used to install remote access trojans (RAT) called FlawedAmmy. The trojan is built on the leaked source code for the remote desktop software Ammyy Admin. This RAT effectively gives attackers complete access over infected machines, allowing them to steal files and credentials, hijack the computers to send out more spam emails etc.

The emails claim to be unpaid invoice alerts, with the subject line “Unpaid invoice [ID:XXXXXXX]”  which appear as though they’re being sent from someone inside the victims organisation. When these files are opened, the .iqy file launches via Excel (its default program) and attempts to pull data from the URL included inside, which happens to be a PowerShell Script.

Microsoft Office is configured to block external content by default, meaning that when Excel launches users will be presented with a warning prompt. However, even if users choose to ignore warnings these files can download any data from the Internet.

Some victims may also enable the macro to run, and once this is enabled the .iqy file is free to download the PowerShell Script. However, there is another prompt in which the victim must respond to first, but once the victim has approved this, then the attack continues to proceed with series of downloads that launches the FlawedAmmyy RAT.

Recommendations

Educate employees on:

  1. The risks of opening attachments from unknown senders.
  2. Identifying the difference between a phishing email and an email from a trusted source.

Keep Up To Date

Join our mailing list to receive the latest news and updates from Secrutiny.

GET IN TOUCH…

Secrutiny will treat your information with respect, the information you provide on this form will be used to be in touch with you and to provide relevant updates and marketing.