Attackers are using a deceptively simple type of file attachment to bypass AV and trick users into downloading and running malicious scripts via Excel.
New spam campaigns are using .iqy file attachments to bypass AVs and infect victims with a remote access trojan.
Excel Web Query (.iqy) files are used to download data from the Internet directly into Excel. They’re extremely simple (just a few lines of text), but also powerful. The .iqy files used in these campaigns download a PowerShell script, which is launched via Excel and kicks off a chain of malicious downloads.
Currently, they are disguised as “Unpaid invoice” alerts, which appear as though they're being sent from someone inside the victim’s organization. Ex: email@example.com.
The payload is currently a remote access trojan (RAT) called FlawedAmmyy. Built on the leaked source code for the remote desktop software Ammyy Admin, it effectively gives attackers complete control over infected machines.
While researchers have previously written about the potential for .iqy file abuse, this may be the first time it’s been seen in a major spam campaign in the wild. As a result, and because .iqy files have legitimate use cases, they are flying under the radar past most filters and AVs. The ability of these files to open Excel and (if users choose to ignore warnings) download any data from the Internet makes them extremely dangerous.
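Because an .iqy file is just a few lines of text (a `WEB` header, a format version, the URL to fetch, then optional `Key=Value` parameters), a mail gateway can parse it and quarantine any web query that points outside an allowlist of trusted hosts. The triage helper below is an added example, not code from the original article; the allowlist host and the sample attachments are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Hosts allowed to serve web queries into Excel (assumed allowlist).
TRUSTED_HOSTS = {"bi.example.local"}

def parse_iqy(text: str):
    """Parse an .iqy body: 'WEB', '1', URL, then optional Key=Value lines.
    Returns None when the content is not a web query at all."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = dict(ln.split("=", 1) for ln in lines[3:] if "=" in ln)
    return {"url": lines[2], "params": params}

def assess_iqy(text: str):
    """Return ('allow', []) or ('quarantine', reasons) for one attachment."""
    query = parse_iqy(text)
    if query is None:
        return "quarantine", ["not a well-formed web query"]
    parsed = urlparse(query["url"])
    host = parsed.hostname or ""
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if host not in TRUSTED_HOSTS:
        reasons.append(f"host {host!r} not on the allowlist")
    try:
        ipaddress.ip_address(host)
        reasons.append("query points at a bare IP address")
    except ValueError:
        pass  # a hostname, not an IP literal
    if parsed.scheme == "http":
        reasons.append("plaintext HTTP")
    return ("quarantine" if reasons else "allow"), reasons

# Constructed sample attachments (not real campaign indicators).
SAMPLES = {
    "q3_sales.iqy": "WEB\n1\nhttps://bi.example.local/export?q=sales\nSelection=AllTables\n",
    "Unpaid_invoice.iqy": "WEB\n1\nhttp://203.0.113.10/invoice\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, why = assess_iqy(body)
        print(f"{name}: {verdict} {why}")
```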