Trend Micro experts reported the Necurs botnet has been using Internet Query (IQY) files in recent spam campaigns to bypass security protections.
The Necurs botnet is currently the largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.
Necurs is the world’s largest spam botnet, it is composed of millions of infected computers worldwide.
In the campaign observed in April, botmaster leveraged .URL files with modified icons to deceive recipients and trick them into believing they are opening a different file type.
Necurs has now adopted a new tactic to avoid detection, operators now leverage text files with a specific format, IQY files that allow users to import data from external sources into Excel documents, and Windows automatically executes them in Excel.
The campaigns using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts.
“The new wave of spam samples has IQY file attachments. The subject and attachment file contains terms that refer to sales promotions, offers, and discounts, likely to disguise it as the type of information opened in Excel.” reads the report published by Trend Micro.
Once executed, the IQY file queries to the URL in its code to fetch data and insert it into an Excel worksheet.
The data contains a script that exploits Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and launch a PowerShell process to execute a remote PowerShell script directory in the memory of the target system.
The script downloads a Trojanized remote access application and the final payload, the FlawedAMMYY backdoor. The backdoor borrows the code of the Ammyy Admin remote access Trojan.
In recent attacks, the script was used to download an image file before the final payload. The image is a disguised malware downloader that fetches an encrypted component file containing the same backdoor routines.
“The PowerShell script enables the download of an executable file, a trojanized remote access application, and its final payload: the backdoor FlawedAMMYY (detected as BKDR_FlawedAMMYY.A). This backdoor appears to have been developed from the leaked source code of the remote administration software called Ammyy Admin.” continues the analysis.
“In a more recent spam wave, the script downloads an image file before the final payload. The downloaded image is a disguised downloader malware (detected as BKDR_FlawedAMMYY.DLOADR) that downloads an encrypted component file (detected as BKDR_FlawedAMMYY.B) containing the same main backdoor routines.”
FlawedAMMYY implements common backdoor features, it allows attackers to manage files, capture the screen, remote control the machine, establish RDP SessionsService and much more.
The extra layer of evasion implemented in Necurs make the botnet even more insidious as explained by the experts.
“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro concludes.
Experts highlighted that users receive two warning messages upon execution of the IQY file attachment, for this reason, it is essential to pay attention to any warning to neutralize the attack.