Recent spam campaigns powered by Necurs uses Internet Query File attachments

Trend Micro experts reported the Necurs botnet has been using Internet Query (IQY) files in recent spam campaigns to bypass security protections.

The Necurs botnet is currently the largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.

In the campaign observed in April, botmaster leveraged .URL files with modified icons to deceive recipients and trick them into believing they are opening a different file type.

Necurs has now adopted a new tactic to avoid detection, operators now leverage text files with a specific format, IQY files that allow users to import data from external sources into Excel documents, and Windows automatically executes them in Excel.

The campaigns using IQY file attachments feature subject and file names containing terms that refer to sales promotions, offers, and discounts.

“The new wave of spam samples has IQY file attachments. The subject and attachment file contains terms that refer to sales promotions, offers, and discounts, likely to disguise it as the type of information opened in Excel.” reads the report published by Trend Micro.

Once executed, the IQY file queries to the URL in its code to fetch data and insert it into an Excel worksheet.

The data contains a script that exploits Excel’s Dynamic Data Exchange (DDE) feature to execute a command line and launch a PowerShell process to execute a remote PowerShell script directory in the memory of the target system.

The script downloads a Trojanized remote access application and the final payload, the FlawedAMMYY backdoor. The backdoor borrows the code of the Ammyy Admin remote access Trojan.

The extra layer of evasion implemented in Necurs make the botnet even more insidious as explained by the experts.

“Adding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat,” Trend Micro concludes.

Experts highlighted that users receive two warning messages upon execution of the IQY file attachment, for this reason, it is essential to pay attention to any warning to neutralize the attack.

Pierluigi Paganini

(Security Affairs – Necurs, Spam Botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]