IQY Attachment Malspam Campaign

Antivirus platform Barkly published a report on a new malspam (malware spam) campaign spread via the Necurs botnet and targeting users by taking advantage of Microsoft Excel’s .iqy file type. When these files are opened, a connection is made to a website listed within the file and then pulls data from that website into an Excel spreadsheet. This data executes a PowerShell script that then installs the FlawedAmmyy remote access trojan, providing attackers with remote access to administrative functions on the infected device. This attack has evaded antivirus detection as its file content is not explicitly malicious. If Excel is configured to block external content, which is often the default, users will be prompted with a “Microsoft Excel Security Notice” when an .iqy file type is opened. Users are advised to select “disable” to prevent the malicious script from executing. Emails sent with this campaign include subject lines referencing unpaid invoices, scanned document attachments, or purchase orders and may come from an email address seemingly internal to your organization. The NJCCIC recommends all users and administrators review the Barkly report for more information on this malspam campaign and apply the recommendations provided, including preventing Excel from starting other applications or creating external connections, adjusting firewall settings and email filters to block .iqy files, orif this file type is necessary for your operations, set the default option to open within Notepad where the malicious script will not run. Users should also refer to the NJCCIC’s General Cybersecurity Best Practices guide for tips to increase email security.