Recent spam campaigns powered by Necurs uses Internet Query File attachments

Trend Micro experts reported the Necurs botnet has been using Internet Query (IQY) files in recent spam campaigns to bypass security protections.

The Necurs botnet is currently the largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.

Necurs is the world’s largest spam botnet, it is composed of millions of infected computers worldwide.

The Necurs was not active for a long period at the beginning of 2017 and resumed its activity in April when it was observed using a new technique to avoid detection.

In the campaign observed in April, botmaster leveraged .URL files with modified icons to deceive recipients and trick them into believing they are opening a different file type.

Necurs has now adopted a new tactic to avoid detection, operators now leverage text files with a specific format, IQY files that allow users to import data from external sources into Excel documents, and Windows automatically executes them in Excel.

The campaigns using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts.

“The new wave of spam samples has IQY file attachments. The subject and attachment file contains terms that refer to sales promotions, offers, and discounts, likely to disguise it as the type of information opened in Excel.” reads the report published by Trend Micro.

Once executed, the IQY file queries to the URL in its code to fetch data and insert it into an Excel worksheet.

The data contains a script that exploits Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and launch a PowerShell process to execute a remote PowerShell script directory in the memory of the target system.

The script downloads a Trojanized remote access application and the final payload, the FlawedAMMYY backdoor. The backdoor borrows the code of the Ammyy Admin remote access Trojan.

In recent attacks, the script was used to download an image file before the final payload. The image is a disguised malware downloader that fetches an encrypted component file containing the same backdoor routines.

“The PowerShell script enables the download of an executable file, a trojanized remote access application, and its final payload: the backdoor FlawedAMMYY (detected as BKDR_FlawedAMMYY.A). This backdoor appears to have been developed from the leaked source code of the remote administration software called Ammyy Admin.” continues the analysis.

“In a more recent spam wave, the script downloads an image file before the final payload. The downloaded image is a disguised downloader malware (detected as BKDR_FlawedAMMYY.DLOADR) that downloads an encrypted component file (detected as BKDR_FlawedAMMYY.B) containing the same main backdoor routines.”

FlawedAMMYY implements common backdoor features, it allows attackers to manage files, capture the screen, remote control the machine, establish RDP SessionsService and much more.

The extra layer of evasion implemented in Necurs make the botnet even more insidious as explained by the experts.

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro concludes.

Experts highlighted that users receive two warning messages upon execution of the IQY file attachment, for this reason, it is essential to pay attention to any warning to neutralize the attack.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Necurs, Spam Botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.