Since 2012, the Necurs botnet has been an evolving work horse of a botnet, backing up the Jaff ransomware, Dridex banking Trojan, and Locky ransomware campaigns. Most recently it has been found pushing URL files with misleading icons to trick victims into exposing themselves to the malware of the attacker’s choice. It eludes some spam filters by contacting the command and control server instead of directly downloading the malware.
The researchers at Trend Micro have found that the newest iteration of Necurs spreads spam with Internet Query (IQY) files instead. IQY files are test files that are meant to help in adding external resources to an Excel spreadsheet. Once activated, Windows® will automatically execute any commands in an IQY file in Excel. This in turn results in a domino effect which leverages the Dynamic Data Exchange capabilities of Excel, which allows a file-less execution of a PowerShell script, which finally downloads a remote access application.
Figure 1: Infection chain starting with the IQY file
The final payload is known as FlawwedAMMY named after the Ammy Admin remote administration software from which it is derived. FlawwedAMMY can take control of the infected computer using commands such as: File Manager, View Screen, Remote Control, Audio Chat, RDP SessionsService, Disable Desktop Composition, Disable Visual effects, Show Tooltip, or Activate Mouse Cursor Blinking.
The only indication that the IQY file might be malicious is the existence of a URL which makes detection at that stage difficult. But using Dynamic Data Exchange has been a known attack vector by Microsoft so there are two separate warnings that occur before the attack can proceed.
Sources: https://securityaffairs.co/wordpress/73916/malware/necurs-iqfattachments.html https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-anew-challenge-using-internet-query-file/ https://www.securityweek.com/necurs-campaign-uses-internet-query-fileattachments