According to a blog post by Barkly, instead of using Word documents or other commonly abused attachment types, these new spam email campaigns are using .iqy files — these are simple text files that open by default in Excel and are used to download data from the Internet.
This approach can bypass antivirus software and be used to install a remote access trojan (RAT) called FlawedAmmyy, which is built on the leaked source code for the remote desktop software Ammyy Admin. This RAT gives attackers complete access to infected machines.
Barkly said Necurs is among the botnets distributing the FlawedAmmyy RAT via .iqy files. Researchers said that this was initially identified by @dvk01uk, and that the first wave of spam emails utilising .iqy files was sent out on 25 May this year. A subsequent, smaller wave was detected on 5 June. A third Necurs campaign was spotted on 7 June.
“The emails used in these campaigns really aren't anything to write home about. They're essentially the typical type of spam message we've come to expect. Ex: Emails in the first campaign were sent with a subject line of "Unpaid invoice [ID:XXXXXXX]" and made to look like they're coming from someone within the target organisation,” said researchers.
When these files are opened, Excel attempts to pull data from the URL included inside, which, in this case, happens to be a PowerShell script.
Fortunately, Microsoft Office is configured to block external content by default, so when Excel launches, users will be presented with a warning prompt. But there is always a chance that a victim would enable the macro to run. Once enabled, the .iqy file is free to download the PowerShell script. The victim then has to respond to another prompt, but once the victim allows this, the attack proceeds with a series of downloads that ultimately launches the FlawedAmmyy RAT.
James Lyne, head of research and development at SANS Institute, told SC Media UK that layered security with multiple controls, particularly those that work generically and at runtime to deal with new variants, is a key step.
“Given the publication of this less than optimal detection we can also expect vendors to rapidly update their policies and products,” he said. “Organisations may wish to tactically block these files by type if they do not have a requirement for them.”
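One way to apply the suggestion to block these files by type at a mail gateway, written as an added example rather than code from Barkly or any vendor quoted here: it flags attachments by extension and also by content, so a renamed web query file is still caught. The `WEB` / version / URL layout, the function names and the sample attachment are assumptions constructed for illustration.

```python
import re

BLOCKED_EXTENSIONS = {".iqy"}  # the only type named in the article

def parse_iqy(data: bytes):
    """Return the query URL if data looks like a web query file, else None."""
    text = data.decode("utf-8-sig", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumed layout: "WEB", a numeric version line, then the URL Excel fetches.
    if len(lines) >= 3 and lines[0].upper() == "WEB" and lines[1].isdigit():
        if re.match(r"(?i)^https?://\S+$", lines[2]):
            return lines[2]
    return None

def triage_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment by extension and, independently, by content."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    url = parse_iqy(data)
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked extension")
    if url is not None:
        reasons.append("web query content")
    return {"quarantine": bool(reasons), "reasons": reasons, "url": url}

# Constructed sample: placeholder host, not an indicator from any campaign.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://files.example.invalid/report.dat\r\n"

if __name__ == "__main__":
    for name, body in [
        ("Unpaid invoice.iqy", SAMPLE_IQY),
        ("invoice.txt", SAMPLE_IQY),          # renamed to dodge an extension rule
        ("notes.txt", b"WEB design sync\n1 pm\nhttp://example.invalid/\n"),
    ]:
        print(name, triage_attachment(name, body))
```

The extracted URL can be logged for the SOC to review before any message is released from quarantine.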
Niall Sheffield, solutions engineer at SentinelOne, told SC Media UK that these attacks are indicative of the attack methods that malicious actors are using to bypass legacy AV solutions. “Find a commonly forgotten filetype that AV won't be able to scan or interact with, exploit them to deliver a memory-based payload and then reap the results,” he said.
"The IQY file extension may be new in spam, but this flavour of cyber-attack isn't new," said Paul Ducklin, senior technologist at Sophos. "Any decent anti-virus will give you protection that doesn't depend on the precise details of how the crooks try to sneak the threat in - whether it comes as a phishy link in an email, in an attachment of whatever type, on a poisoned website, or via a USB drive deliberately left in the car park.”