Security Alert
Jonathan Crowe
Jun 2018

IQY Files Used to Evade AV, Download Malware via Excel

UPDATE 6/7/18: A third Necurs campaign has been spotted. Details below.

Attackers are using a deceptively simple type of file attachment to bypass AV and trick users into downloading and running malicious scripts via Excel.

Key Details

  • What's happening?

    New spam campaigns are using .iqy file attachments to bypass AVs and infect victims with a remote access trojan.

  • What are .iqy files?

    Excel Web Query (.iqy) files are used to download data from the Internet directly into Excel. They’re extremely simple (just a few lines of text), but also powerful. The .iqy files used in these campaigns download a PowerShell script, which is launched via Excel and kicks off a chain of malicious downloads.

  • What do the spam emails look like?

    Currently, they are disguised as “Unpaid invoice” alerts, which appear as though they're being sent from someone inside the victim’s organization. Ex: random.name@victimsdomain.com.

  • What is the payload?

    Currently, a remote access trojan (RAT) called FlawedAmmyy. Built on the leaked source code for the remote desktop software Ammyy Admin, it effectively gives attackers complete access over infected machines.

  • What makes this different from other attacks?

    While researchers have previously written about the potential for .iqy file abuse, this may be the first time it’s been seen in a major spam campaign in the wild. As a result, and because .iqy files have legitimate use cases, they are flying under the radar past most filters and AVs. The ability of these files to open Excel and (if users choose to ignore warnings) download any data from the Internet makes them extremely dangerous.

  • How does Barkly protect me from these attacks?

    Unlike antivirus solutions, Barkly isn't limited to blocking malicious files based on signatures or attributes. It also blocks suspicious system activity and process patterns. In this case, it sees Excel attempting to launch cmd.exe in order to launch powershell.exe, and it blocks that behavior before it can result in payloads being downloaded from the Internet.

IQY files: Attackers have a new trick up their sleeves

Researchers have spotted a fresh series of spam email campaigns taking an interesting new approach to infecting victims. Rather than using Word documents or other commonly abused attachment types, these campaigns are using .iqy files — essentially simple text files that open by default in Excel and are used to download data from the Internet. 

What makes .iqy files dangerous is that they pack powerful utility — Excel expert Jon Wittwer describes them as "basically like having a web browser built into Excel" — into an incredibly simple, legitimate file format that doesn't give AVs much to work with. As researcher Derek Knight (@dvk01uk) points out, "These blow past all antiviruses because they have no malicious content."

We can understand exactly how .iqy files are being abused in more detail by taking a closer look at these recent campaigns.

Necurs botnet delivering FlawedAmmyy RAT via .iqy files

Initially identified by @dvk01uk, the first wave of spam emails utilizing .iqy files was sent out on May 25, 2018, and was distributed by Necurs, the largest spam botnet in the world.

A subsequent, smaller wave was detected on June 5, 2018.

UPDATE: A third Necurs campaign was spotted on June 7.

The emails used in these campaigns really aren't anything to write home about. They're essentially the typical type of spam message we've come to expect. Ex: Emails in the first campaign were sent with a subject line of "Unpaid invoice [ID:XXXXXXX]" and made to look like they're coming from someone within the target organization.

"Unpaid invoice" spam email with .iqy attachment. Source: MyOnlineSecurity

The body of the email is blank, but as explained above, the .iqy file attachment is where things get interesting. 

As mentioned, AV scanners are clearly not prepared for .iqy files. The attachment included in the June 5 campaign had zero detections according to VirusTotal. A day later, the total had increased to just five detections.

When opened, the .iqy file launches via Excel (its default program) and attempts to pull data from the URL included inside. As Jon Wittwer points out in his explanation of Excel Web Query files, in its basic form an .iqy file is incredibly simple.

Opened in Notepad, the .iqy file included in the second wave of spam emails, for example, simply looks like this:

[Image: contents of the .iqy file opened in Notepad]

That's it. With that simple instruction, Excel attempts to pull data from that URL, which, in this case, happens to be a PowerShell script. 
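As an added example (not code from the original post), here is the kind of check a mail gateway or analyst script can run on that structure: parse the WEB / 1 / URL layout, pull out the URL Excel would fetch, and hold anything whose host is not on an allow-list. The allow-listed host name and both sample files are constructed.

```python
"""Triage Excel Web Query (.iqy) attachments at a mail gateway.

An .iqy file is plain text: the literal "WEB", a version line ("1"),
the URL Excel will fetch, then optional Key=Value settings. Excel loads
whatever that URL returns, so the URL is the field worth inspecting.
"""
from urllib.parse import urlparse

# Hosts this (hypothetical) organisation legitimately queries from Excel.
ALLOWED_HOSTS = {"reports.corp.example"}


def parse_iqy(text: str) -> dict:
    """Return the version, target URL and options of an .iqy file.

    Raises ValueError if the file does not follow the WEB / 1 / URL layout.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    options = {}
    for opt in lines[3:]:
        key, _, value = opt.partition("=")
        options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def triage_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Classify an attachment as 'allow', 'block' or 'malformed'."""
    try:
        query = parse_iqy(text)
    except ValueError:
        return "malformed"
    parsed = urlparse(query["url"])
    # Anything that is not an allow-listed host, or that reaches out over a
    # scheme other than HTTPS, is held for analyst review instead of delivered.
    if parsed.scheme != "https" or parsed.hostname not in allowed_hosts:
        return "block"
    return "allow"


# Constructed samples: an internal report query and an untrusted download.
BENIGN_IQY = "WEB\n1\nhttps://reports.corp.example/sales.csv\n\nSelection=AllTables\n"
SUSPECT_IQY = "WEB\n1\nhttp://untrusted.example.invalid/1.dat\n"
```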

[Image: the PowerShell script served from the URL]

Luckily, as long as Microsoft Office is configured to block external content (which it is by default), when Excel launches users will be presented with a warning prompt:

[Image: Excel warning prompt about external content]

Unfortunately, similar prompts haven't stopped users from enabling macros in suspicious documents, and there's little reason to expect it will be a 100% effective deterrent here, either.

Once enabled, the .iqy file is free to download the PowerShell script. Thankfully, before it can run the user has to respond to another prompt:

[Image: second Excel warning prompt]

Once that final hurdle is cleared, the attack is off and running with a series of downloads that ultimately launches the FlawedAmmyy RAT.

The PowerShell script downloads a second script file (1.dat):

[Image: the second script, 1.dat]

That script downloads a .xls file, which is actually an .exe file in disguise. The final payload is FlawedAmmyy, a RAT that has an interesting backstory of its own.

[Image: Excel, cmd.exe and PowerShell process tree]

Built from leaked source code of the popular remote desktop software Ammyy Admin, FlawedAmmyy gives attackers many of the capabilities the legitimate tool provides. In other words, it essentially grants attackers complete access to victim machines, allowing them to steal files and credentials, hijack the computers to send out more spam emails, and more. 

High potential for additional (and even more dangerous) attacks

Experts see the danger of .iqy files extending far beyond these specific campaigns. The ease with which .iqy files can be created, combined with the ubiquity of Excel, could even put .iqy files roughly on par with macros in terms of potential for abuse.

While the dangers of .iqy files aren't entirely undocumented (security researcher Casey Smith pointed out their potential for phishing in 2015), the fact that they are being utilized in multiple Necurs campaigns means the genie is completely out of the bottle and more widespread abuse is likely on the way. 

As Beaumont points out, it's also scary to think about this technique being utilized in a more sophisticated way. He may be referring to smarter spam campaigns, but it also doesn't take an abundance of imagination to think of more damaging and evasive possibilities on the payload delivery side of things, too (Invoke-ReflectivePEInjection, anyone?). Unfortunately, these campaigns feel like the tip of the iceberg. 

Admins are advised to adjust firewall and email filtering to block .iqy files. In addition, unless .iqy files are actively utilized in your organization, it may be wise to take things a step further by instructing Windows to always open .iqy files in Notepad (similar to what some experts advise doing with .js files). That way, you can inspect files before users have a chance to inadvertently launch them (of course, depending on the size of your organization and other constraints this may not be feasible). 

While you're at it, you may want to consider doing the same for .slk files, which have also been abused by attackers in very similar ways.  

Barkly blocks these attempts to abuse .iqy files

[Image: Barkly blocking the .iqy file malware downloader]

Barkly customers have been protected from these attacks from the get-go thanks to Barkly's ability to observe and block suspicious process patterns. Unlike AVs, which are limited to signature matching and static file analysis, Barkly can step back, see the big picture, and understand that Excel being used to launch cmd.exe and PowerShell in an attempt to download something from the Internet constitutes suspicious activity that is better off blocked. 
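As an added example, not Barkly's code, the same behavioral idea expressed over constructed Sysmon-style process-creation records: walk each process's ancestry and alert when Excel spawning cmd.exe spawning powershell.exe appears. Field names follow Sysmon Event ID 1; the events, PIDs and paths are made up.

```python
"""Detect the Excel -> cmd.exe -> powershell.exe chain in process logs.

Added illustration, not Barkly's engine. EVENTS is a constructed list of
process-creation records using Sysmon Event ID 1 field names.
"""
from typing import Dict, List

EVENTS: List[Dict] = [  # constructed sample telemetry
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # A console the user opened from Explorer: same binaries, no Office parent.
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 600, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# The process pattern this post describes Barkly blocking.
SUSPICIOUS_CHAIN = ["excel.exe", "cmd.exe", "powershell.exe"]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def find_office_shell_chains(events, pattern=SUSPICIOUS_CHAIN) -> List[int]:
    """PIDs whose ancestry ends in the pattern, i.e. the PowerShell process itself."""
    n = len(pattern)
    return [e["ProcessId"] for e in events
            if ancestry(events, e["ProcessId"])[-n:] == pattern]
```

Matching on the tail of the ancestry means the alert fires on the PowerShell process, which is the point at which blocking still prevents the download; the user-opened console (PIDs 500 and 600) is not flagged because Excel is not in its lineage.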

In that way, Barkly serves as a crucial safety net, allowing admins to rest easy knowing their machines are protected even if end users get fooled into opening these files and ignoring the prompts. 

[Image: Barkly blocking the .iqy attack]

The same goes for malicious .slk files.

By blocking malicious behavior patterns (not just individual files), Barkly is able to provide more comprehensive protection that isn't reliant on the flawed AV approach. No more "patient zero" victims getting infected, signatures getting created, and protection being updated after-the-fact. Just solid protection from malware and the underlying deployment techniques attackers rely on, blocking even new attack campaigns from day one. 

IOCs

.iqy file from 5/25/18 campaign:
a0b80b57879ef437709bae7e2896efb7be9bd57291e64bc58d7cd13bd1de9f27

.iqy file from 6/5/18 campaign:
ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c

.iqy file from 6/7/18 campaign:
28d391bf7aa72d59a387bfaba099d9e176ee976959a4f99b8d04dbeef75e76b5

PowerShell scripts:
05660c8d652fb9df8dab6a5705e3e2243b215ad5354000961feaebc07ed89ad9
ebce76b8efff3a0568aa2b07d5fba8f21fe3dd6f56bfad0a77194a494b634079

FlawedAmmyy trojan:
bab69fb29c167451608f0840ede9dfb4c3c52fa0da5f38089ac7f2afbd94d867

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.