IQY Files Used to Evade AV, Download Malware via Excel

guest · Jun 8, 2018

IQY Files Used to Evade AV, Download Malware via Excel
Attackers are using a deceptively simple type of file attachment to bypass AV and trick users into downloading and running malicious scripts via Excel.
June 7, 2018
https://blog.barkly.com/iqy-file-attack-malware-flawedammyy

IQY files: Attackers have a new trick up their sleeves
Rather than using Word documents or other commonly abused attachment types, these campaigns are using .iqy files — essentially simple text files that open by default in Excel and are used to download data from the Internet.

What makes .iqy files dangerous is that they pack powerful utility — Excel expert Jon Wittwer describes them as "basically like having a web browser built into Excel" — into an incredibly simple, legitimate file format that doesn't give AVs much to work with. As researcher Derek Knight (@dvk01uk) points out, "These blow past all antiviruses because they have no malicious content."

While the dangers of .iqy files aren't entirely undocumented (security researcher Casey Smith pointed out their potential for phishing in 2015), the fact that they are being utilized in multiple Necurs campaigns means the genie is completely out of the bottle and more widespread abuse is likely on the way.
Click to expand...

Rasheed187 · Jun 10, 2018

Yes, it's really that simple. Simply block MS Office from running system tools like cmd.exe and powershell.exe, and the attack is blocked.

guest · Nov 18, 2019

Buran Ransomware Infects PCs via Microsoft Excel Web Queries
November 18, 2019
https://www.bleepingcomputer.com/ne...-infects-pcs-via-microsoft-excel-web-queries/

A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victim's computer.

For those who are not familiar with IQY files, they are Excel Web Query documents that when opened will attempt to import data into a worksheet using external sources.
The problem is that the data returned from an external source can also be an formula that is then executed by Excel when the IQY file is opened. In this particular case, the formula will launch a PowerShell command that downloads a remote Buran Ransomware executable named 1.exe, saves it to the Temp folder, and then executes it.

Like malicious macros, users first need to enable the data source, but as we have seen with other spam campaigns, too many people blindly click on the Enable button.
Click to expand...

Users should block IQY files
This is not the first time we have seen malicious email campaigns utilizing IQY files to install malware.
In 2018, we also saw Web Queries being used to install RATs such as the AMMYY Admin program and also the Marap and Quant Loader malware in a Necurs campaign.

Due to their ability to execute almost any command on a victim's computer, Microsoft has blocked IQY files through Outlook on the Web and made it possible to block untrusted Microsoft Query IQY files in Windows through group policies.
Click to expand...

guest · Mar 10, 2020

Variant of Paradise Ransomware Targets Office IQY Files
March 10, 2020
https://threatpost.com/variant-of-paradise-ransomware-targets-office-iqy-files/153559/

A new variant of the Paradise ransomware attacks rarely-targeted Microsoft Office Excel IQY files, providing a new and relatively inobtrusive way to infiltrate and hijack an organization’s network, researchers have found.

Lastline Labs’ James Haughom discovered the variant in December in a spam campaign executed over two days that targeted an organization in Asia, he wrote in a blog post about the campaign published Tuesday.
The variant attempts to lure users into opening an IQY attachment that retrieves a malicious Excel formula from an attacker’s C2 server, he said.

“This formula, in turn, contains a command to run a PowerShell command that will download and invoke an executable,” Haughom said in the post.
“This file type can be leveraged to download an Excel formula (command) that could abuse a system process, such as PowerShell, cmd, mshta, or any other LoLBins (Living-off-the-Land Binaries),” Haughom explained. “As this is a legitimate Excel file type, many organizations will not block or filter it.”
Click to expand...

Indeed, if an organization does not have a security appliance that analyzes attachments, weaponized IQY files—which do not have a typical payload–will not flag as malware, he said.

The variant’s encryption also shows unique properties particularly in the algorithm used, which leverages the stream cipher Salsa20 to encrypt the victim’s files, he said. This makes it more difficult for security administrators to respond to the attack, Haughom said.

“The benefit of using this algorithm is that malware authors can implement it into their source code rather than calling functions from a crypto library,” he wrote. “This makes detecting the encryption routine more difficult, and also makes determining the type of encryption being used a bit more challenging for malware analysts.”
Click to expand...

Lastline: IQY files and Paradise Ransomware

Log in or Sign up

IQY Files Used to Evade AV, Download Malware via Excel

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

Log in or Sign up

IQY Files Used to Evade AV, Download Malware via Excel

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

Useful Searches