Necurs botnet found using IQY files to evade detection and drop FlawedAmmyy backdoor

• Necurs uses Internet Query File IQY to evade detection.
• The botnet drops the FlawedAmmyy backdoor.
• Necurs could soon be updated to overtake unpatched/outdated security solutions.

The infamous Necurs botnet has just been updated with new features and is now believed to be delivering a powerful backdoor as part of its latest campaign. Necurs first emerged in 2012 as a rootkit and an infector, but was quickly repurposed by cybercriminals to become the spam king of the underground market.

Now, Necurs is active again and found dropping the FlawedAmmyy backdoor as part of its new campaign. What is more, Necurs have once again be updated to include new security-evading features to make it even harder for researchers to detect and stop attacks.

Over the years, cybercriminals have used Necurs to spread various banking trojans and ransomware including Locky, Dridex, GlobeImposter and more. Security researchers believe that Necurs has already successfully infected millions of endpoints and delivered millions of spam emails on a daily basis.

Evading detection with IQY files

Since Necurs first emerged, cybercriminals have continually updated it with new malicious capabilities and evasion techniques - a trend that hasn’t slowed over the years. Now, the botnet is using the internet query file IQY to evade detection.

IQY files are specifically formatted text files which gives users the ability import data from external sources to the user’s Excel spreadsheet.

According to security researchers at Trend Micro, who discovered Necurs’ new campaign, Windows recognises “IQY files as MS Excel Web Query Files and automatically executes it in Excel” as a default.

“The new wave of spam samples has IQY file attachments. The subject and attachment file contains terms that refer to sales promotions, offers, and discounts, likely to disguise it as the type of information opened in Excel,” Trend Micro researchers wrote in a blog.

FlawedAmmyy’s back again

In its new campaign, Necurs comes with a remote PowerShell script that enables the download of a trojanized remote access application and the final payload - the FlawedAmmyy backdoor. FlawedAmmyy is believed to have been developed from the leaked source code of the remote admin software called Ammyy Admin.

This backdoor comes with several features: it can view the screen of the infected systems, it gains remote control over the system, listen in on audio chats as well as install, stop, start and remove the desktop background and more.

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity,” Trend Micro researchers said. “In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat.”

Fortunately, Trend Micro researchers say that users can stay safe from Necurs by employing strict and safe security protocols. Users have also been warned against downloading and running uncommon attachments from unknown sources.

The new campaign indicates that cybercriminals will likely continue to upgrade Necurs with new features and tools that eventually could allow it to overtake unpatched or outdated security solutions.