Malspam campaigns, including ones distributed by the Necurs botnet, are using a new attachment type that is proving effective at bypassing antivirus and mail filters. These .IQY attachments are Excel Web Query files; when one is opened, Excel attempts to pull data from an external source.
The problem is that the external data imported into the spreadsheet can itself be a formula, which Excel will then execute. Such formulas can be used to launch PowerShell scripts locally that download and install malware on the computer, as explained later in the article.
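Because an IQY file is just a few lines of plain text, a mail gateway can triage it statically before Excel ever fetches anything. The following is an added example (not code from the original article or from any of the researchers it cites): it parses the WEB/version/URL layout of an .iqy attachment, flags any data source outside an assumed allowlist of trusted hosts, and separately flags fetched query data that Excel would treat as formulas rather than values. The sample attachment and fetched data are constructed, and `TRUSTED_HOSTS` is an assumed organisation-specific allowlist.

```python
"""Static triage for Excel Web Query (.iqy) attachments (added example)."""
from urllib.parse import urlparse

# Assumption: hosts from which the organisation legitimately serves web queries.
TRUSTED_HOSTS = {"intranet.example.org"}

# Constructed sample attachment, modelled on the IQY layout: query type, version, URL.
SAMPLE_IQY = "WEB\n1\nhttp://malspam-sample.invalid/order.dat\n"

# Constructed sample of data a web query might return: one value and one formula.
SAMPLE_FETCHED = "123.45\n=2*3\n"


def parse_iqy(text: str) -> dict:
    """Return the query type, version and target URL of an IQY file.

    The first non-blank line names the query type ("WEB" for a web query),
    the second is a format version, the third is the URL Excel will fetch.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    return {"type": "WEB", "version": lines[1], "url": lines[2]}


def triage_iqy(text: str) -> list:
    """Return a list of findings (empty means nothing suspicious) for an IQY file."""
    findings = []
    try:
        query = parse_iqy(text)
    except ValueError as err:
        return [f"unparseable: {err}"]
    parsed = urlparse(query["url"])
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme: {scheme}")
    if host not in TRUSTED_HOSTS:
        findings.append(f"external data source: {host}")
    return findings


def formula_cells(fetched: str) -> list:
    """Return lines of fetched query data that Excel would evaluate as formulas.

    Legitimate web-query data consists of values; a leading '=' means the
    imported cell is a formula, which is the behaviour the malspam relies on.
    """
    return [ln.strip() for ln in fetched.splitlines() if ln.lstrip().startswith("=")]


if __name__ == "__main__":
    print(triage_iqy(SAMPLE_IQY))          # ['external data source: malspam-sample.invalid']
    print(formula_cells(SAMPLE_FETCHED))   # ['=2*3']
```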
Three malspam campaigns detected utilizing IQY attachments
According to a report by Barkly, there have been three spam campaigns utilizing IQY attachments. The first was discovered on May 25th by MyOnlineSecurity, who reported how well the attachments were bypassing AV filters. A second campaign was discovered by security researcher Magni R. Sigurdsson, and a third was discovered again by MyOnlineSecurity today.
The spam emails pretend to be purchase orders, scanned documents, or unpaid invoices that contain IQY attachments as shown below.