Hackers use Excel IQY files to bypass antivirus, deliver FlawedAmmyy RAT
A new spam email campaign has been discovered using a unique approach to bypass antivirus filters and deliver malicious scripts via Excel, researchers said. The notorious Necurs botnet is being used to power the spam campaign using Excel Web Query (.IQY) file attachments to evade detection by antivirus programs.
Unlike other Excel spreadsheets that arrive as attachments, IQY files are not usually detected and indexed by AV software. They are also comparatively lightweight, since they are simple plaintext files.
Derek Knight (@dvk01uk), who spotted the first campaign, tweeted that "These blow past all antiviruses because they have no malicious content."
In a new report published last week, Barkly researchers said the IQY files leveraged in these campaigns download a PowerShell script that is launched via Excel before kickstarting “a chain of malicious downloads.”
“The ability of these files to open Excel and (if users choose to ignore warnings) download any data from the internet makes them extremely dangerous,” Barkly researchers said. In the case of the Necurs spam, the downloaded data is a malicious PowerShell script. By default, Microsoft Office blocks external content and presents Excel users with a warning prompt.
Users can click “No” to stop the file from connecting externally and performing malicious activities. However, if the macro is permitted to run, the IQY file attempts to pull data from external resources, downloads the PowerShell script and ultimately delivers the remote access trojan (RAT) known as FlawedAmmyy.
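As an added defensive example (not code from the article or from Barkly), the following Python script parses the plain-text IQY layout (query type, version, query URL, optional key=value parameters) and triages an attachment by whether its URL points outside an assumed allow-list; the sample file, hosts and URL are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a minimal Excel Web Query (.IQY) attachment:
# line 1 is the query type, line 2 a version, line 3 the URL Excel fetches.
# The URL is a placeholder, not a real indicator from any campaign.
SAMPLE_IQY = "WEB\n1\nhttp://example.invalid/update.dat\n\nSelection=EntirePage\n"

# Assumed allow-list of hosts a web query may legitimately contact.
ALLOWED_HOSTS = {"intranet.example.invalid"}

IP_LITERAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_iqy(text):
    """Return (query_type, url, params) from IQY text, or None if malformed."""
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    url = lines[2]
    # Remaining non-empty lines are key=value parameters (e.g. Selection=...).
    params = dict(line.split("=", 1) for line in lines[3:] if "=" in line)
    return lines[0].upper(), url, params


def assess_iqy(text, allowed_hosts=ALLOWED_HOSTS):
    """Classify an IQY attachment as 'malformed', 'allowed' or 'suspicious'.

    Returns (verdict, reasons). The only content an IQY carries is the URL it
    will fetch, so triage is entirely about where that URL points.
    """
    parsed = parse_iqy(text)
    if parsed is None:
        return "malformed", []
    _, url, _ = parsed
    u = urlparse(url)
    reasons = []
    if u.scheme not in ("http", "https"):
        reasons.append("unexpected scheme: %r" % u.scheme)
    host = u.hostname or ""
    if host not in allowed_hosts:
        reasons.append("external host not on allow-list: %s" % host)
    if IP_LITERAL.fullmatch(host):
        reasons.append("query URL uses a bare IP address")
    return ("suspicious" if reasons else "allowed"), reasons


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))
```

A mail gateway can run the same check on every .iqy attachment and quarantine the suspicious ones before the Excel prompt ever reaches a user.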
This RAT could give attackers complete access and control of an infected machine, allowing them to harvest credentials and files, hijack the computer to further deliver spam emails and more.
Built from the leaked source code of the remote desktop software Ammyy Admin, the FlawedAmmyy RAT was first spotted in the wild in early 2016. Proofpoint researchers said it has been used in two spam email campaigns and appears to be associated with the TA505 threat actor.
“The ease in which .IQY files can be created, combined with the ubiquity of Excel, could even put .IQY files roughly on par with macros in terms of potential for abuse,” Barkly researchers said. “The fact that they are being utilized in multiple Necurs campaigns means the genie is completely out of the bottle and more widespread abuse is likely on the way.”