Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Necurs Campaign Uses Internet Query File Attachments

The Necurs botnet has been using Internet Query (IQY) files in recent waves of spam attacks in an ef

The Necurs botnet has been using Internet Query (IQY) files in recent waves of spam attacks in an effort to thwart security protections.

Active since at least 2012 and currently considered to be the largest spam botnet, the operation has been famous for powering massive Locky ransomware campaigns in 2016 and 2017. The botnet ended last year with a spike in activity and was sending tens of millions of spam emails daily.

This pas April, the botnet was observed using .URL files with modified icons to trick users into believing they are opening a different file type. The files would leverage the Server Message Block (SMB) protocol to execute a payload from a remote server, thus successfully evading certain spam filters.

Necurs has now switched to a new tactic to avoid detection and increase chances of successful infection. Text files with a specific format, IQY files allow users to import data from external sources into Excel spreadsheets, and Windows automatically executes them in Excel.

The spam emails using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts, Trend Micro reveals in a new report.

Once executed, the IQY file queries to the URL indicated in its code. This results in data being pulled from the targeted URL into an Excel worksheet.

The fetched data, Trend Micro discovered, contains a script that abuses Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and start a PowerShell process. Through this process, a remote PowerShell script is executed filelessly on the targeted system.

The script was designed to download an executable file, a Trojanized remote access application, and its final payload: the FlawedAMMYY backdoor. The malware was supposedly built using the leaked code of the Ammyy Admin remote access Trojan.

Advertisement. Scroll to continue reading.

As part of more recent attacks, the script would download an image file before the final payload. This image, the security researchers say, is a disguised malware downloader that fetches an encrypted component file containing the sam
e main backdoor routines.

FlawedAMMYY was designed to execute a series of commands from a remote malicious server, including file manager, view screen, remote control, audio chat, RDP SessionsService – Install/Start/Stop/RemoveDisable desktop background, disable desktop composition, disable visual effects, and show tooltip – mouse cursor blinking cause.

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro notes.

To stay protected against such threats, strict security protocols and best practices are essential. Also, because this is a known attack vector, users receive two warning messages upon execution of the IQY file attachment, paying attention to those warnings can stop the infection.

Related: Necurs Botnet Fuels Massive Year-End Ransomware Attacks

Related: Macro-Based Multi-Stage Attack Delivers Password Stealer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...