Security News Threat Actors Eyeing IQY Files To Peddle Malspam

silversurfer

Researchers at IBM X-Force this week disclosed that the Necurs Botnet, DarkHydrus and the threat actor behind the Marap downloader have all been observed utilizing weaponized IQY file attachments to deliver malware.

Microsoft Excel uses a URL embedded into an IQY file attachment to pull data from the internet into a spreadsheet (albeit after a security prompt for the user built into the file). Because IQY files are inconspicuous, they are an attractive target for threat actors to insert malicious URLs into, which are then executed when a victim opens the file, researchers said.

“This type of file attachment is relatively unusual and not commonly seen attached to emails, and that is why it can be interesting to an attacker,” Scott O’Neill, security researcher with X-Force, said this week in a post. “Attackers constantly shuffle file types in their spam campaigns in an attempt to create an element of surprise for unsuspecting users.”
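For mail-gateway triage of the attachment type described above, the following added example (not part of the original post or of the X-Force research) extracts the embedded URL from an IQY attachment and checks it against an allow-list. It assumes the usual web-query layout of `WEB`, a version line, then the URL on the third line; the function names, sample files and host names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample attachments (not taken from any real campaign).
SAMPLES = {
    "invoice.iqy": b"WEB\r\n1\r\nhttp://files.example.test/2.dat\r\n",
    "rates.iqy": b"\xef\xbb\xbfWEB\n1\nhttps://intranet.example.test/rates?cur=USD\n\nSelection=1\n",
    "notes.iqy": b"just some text\n",
}

def parse_iqy(data: bytes):
    """Return the query URL of a web-query file, or None if it is not one."""
    # utf-8-sig drops a leading BOM; bad bytes must not crash the scanner.
    text = data.decode("utf-8-sig", errors="replace")
    lines = [ln.strip() for ln in text.splitlines()]
    while lines and not lines[0]:          # tolerate leading blank lines
        lines.pop(0)
    # Assumed layout: line 1 "WEB", line 2 version, line 3 the URL.
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2] or None

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(name: str, data: bytes, allowed_hosts=frozenset()):
    """Decide what a gateway should do with one attachment."""
    url = parse_iqy(data)
    if url is None:
        return {"file": name, "verdict": "not-iqy", "url": None, "reasons": []}
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("non-https scheme")
    if is_ip_literal(host):
        reasons.append("ip-literal host")
    if host not in allowed_hosts:
        reasons.append("host not on allow-list")
    verdict = "quarantine" if reasons else "allow"
    return {"file": name, "verdict": verdict, "url": url, "reasons": reasons}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob, allowed_hosts={"intranet.example.test"}))
```

Because the attachment type is rarely seen in legitimate mail, an empty allow-list (quarantine every parsed IQY file) is a reasonable default.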
 
