Spammers Use iqy Files to Send Distant Access Trojan

June 13, 2018


Macros have long been preferred by cybercriminals as a way of fixing malware. The macros begin VB, JavaScript and PowerShell scripts that download malware. Because of possible danger, safety teams often inactivate macros or at least form endpoints to require commands to be manually allowed by end users. The danger of running commands is also typically covered in safety consciousness programs. It is now tougher for cybercriminals to fix malware using this method.

At least one cybercriminal group is now taking a different tactic to get malware fixed. Several campaigns have been recognized that use Excel Query Files – extension .iqy – to fix malware. The campaigns are being used to fix a distant access Trojan – FlawedAmmyy – that offers the attackers root access on an infected appliance and complete charge of an infected computer. Spam messages having the malevolent Excel Query files are being supplied through the Necurs botnet in high volume.

The campaigns, described in a fresh report from Barkly, involve electronic mails with subject lines connected to unpaid invoices and internal telecommunications like scanned documents – Usual electronic mail types used to spread malware through malevolent attachments.

As this file type has not been widely used in the past to send malware, the danger is unlikely to have been covered in safety consciousness teaching sessions.

If Microsoft Office is designed to obstruct external content, alerts will be shown. An end user who tries to open a .iqy file will be presented with a notice from Microsoft concerning the danger of running these files. If the first notice is disregarded, a second notice will be presented. End users will have to accept the dangers on two occasions for the malevolent file to run.

Excel Query Files let external content to be introduced into Excel. Running the file will pull in subject matter from a listed source and include the information in a spreadsheet. Nevertheless, besides adding subject matter, the files can start programs – genuine programs like notepad.exe or in this case, PowerShell commands.

As these file types have hardly – if ever – been used to connect malware, most AV solutions will not scan the files. As a result, these spam messages are habitually sent to end users’ inboxes. The files are extremely simple, easy to make, however they can easily begin a series of events that will lead to the downloading of malware.

When the RAT has been connected, the attackers have complete access to saved data and can download malevolent software of their picking onto an infected appliance.

End users with a spam filtering solution in place must organize the software to obstruct or isolate .iqy files. Safety teams must also consider sending a notice to end users concerning these campaigns and the risk of opening .iqy files.

If a company uses this file types, and obstructing them is not a choice, Windows should be directed to open the files in Notepad to let them be checked before they are run.