- s68OR1538962127 - Hackers Now Spreading Dangerous FlawedAmmyy Malware via IQY File

Cyber criminals now using IQY Files as a new technique for spreading which is a dangerous backdoor tool that provides remote access to the attacker.

Attacker nowadays using new sophisticated techniques to compromise the targets by evading the and keep increasing the compromise success ratio.

Recently attackers using Weaponized Microsoft Publisher File(.pub)Microsoft Word and PDF Documents to deliver the FlawedAmmyy RAT.

Unlike previous infection Word document, Script, JAVA files and the current method of infection are used by new IQY type an Excel Web Query that is used to download from the .

The targeted FlawedAmmyy malware campaigns have affected the banking sector and automotive industries.

FlawedAmmyy Malware Infection Process

Attackers initially using spam or spear phishing email campaign that contains attached IQY file and PDF file.

A body of the mail content prompt victims to click and open the attached PDF file that drops embedded IQY file.

- IQY - Hackers Now Spreading Dangerous FlawedAmmyy Malware via IQY File

A script that works along with the PDF file helps to export the IQY files from PDF using a function called “exportDataObject”  and the file export process continue by display a  ‘open file’ dialog box.

According to QuickHeal research, The script inside of the PDF file contains “cName” parameter is a required input and the specific file attachment that will be exported. A nLaunch value of “2” directs acrobat to save the file attachment to a temporary file and then asks the operating system to open it. This is how the code is used to open the attachment file in PDF.

- c 2 - Hackers Now Spreading Dangerous FlawedAmmyy Malware via IQY File

Once user click OK then the file will be opened in  .iqy files that will lead to retrieving the content from the URL in the file but user needs to enable the security checks.

After enabling the security concern checks then IQY file download at %temp% location of machine and executed and the PowerShell Process will begin.

- powershell - Hackers Now Spreading Dangerous FlawedAmmyy Malware via IQY File

Finally, the PowerShell script will download the exe files and execute the backdoor FlawedAmmyy that performs various malicious activities such as let attack allow to remotely control the machine, manages the files, captures the screen.






Source link


Please enter your comment!
Please enter your name here