{"id":86870,"date":"2018-10-03T15:35:14","date_gmt":"2018-10-03T10:05:14","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86870"},"modified":"2018-10-03T20:47:35","modified_gmt":"2018-10-03T15:17:35","slug":"emerging-trend-spreading-malware-iqy-files","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/emerging-trend-spreading-malware-iqy-files\/","title":{"rendered":"Emerging trend of spreading malware through IQY files"},"content":{"rendered":"

Nowadays attackers are searching for new techniques to spread malware, recently we came across a new emerging way to deliver malware through IQY file. Till now we had seen spread\u00a0of malware through various file types and chains such as Word document, Script, JAVA files.<\/p>\n

\"Fig
Fig 1: Attack chain<\/figcaption><\/figure>\n

IQY file is an Excel Web Query file that is used to download data from the internet. It contains a URL and other parameters needed to make queries over the internet. Infection sources are Spear phishing campaigns or Spam mails. It contains attached PDF or IQY files which spread this malware. These files have most recently been found in use by attackers to deliver RATs like FlawedAmmyy RAT (remote access trojan).<\/p>\n

\"Fig
Fig 2: Spam Mail<\/figcaption><\/figure>\n

Once the spam mail is received we have seen the attached PDF or IQY file, upon clicking on the pdf file, \u00a0a prompt message for open embedded IQY file is shown as displayed in the below figure.<\/p>\n

\"Fig
Fig 3: PDF attached iqy file<\/figcaption><\/figure>\n

The pdf file contains a script which is used to export iqy files from a PDF. \u2018exportDataObject\u2019 function will display a \u00a0\u2018open file\u2019 dialog box to keep users involved in the file-export process. The dialog box as shown in above figure. This function includes an input parameter for opening an attached file.<\/p>\n

In this case, \u2018importDataObject\u2019 function is used to import iqy file and give it the attachment name \u201c13082016.iqy\u201d. Here is the code to open the attachment in iqy:<\/p>\n

this[exportDataObject] ({ cname: \u201c13082016.iqy\u201d, nLaunch:2})<\/i><\/b><\/em><\/strong><\/p>\n

The \u201ccName\u201d parameter is a required input and specifies the specific file attachment that will be exported. An nLaunch value of \u201c2\u201d directs acrobat to save the file attachment to a temporary file and then asks the operating system to open it. This is how the code is used to open the attachment file in PDF.<\/p>\n

\"Fig
Fig 4: Script inside PDF file.<\/figcaption><\/figure>\n

After clicking on open file, Microsoft Excel automatically opens .iqy files, it will start and retrieve the content from the URL in the file. But Excel does not allow the download of data from the server, it has some security concern checks and in order to run the file, we need to click Enable.<\/p>\n

\"Fig
Fig 5: Security check<\/figcaption><\/figure>\n

After enabling the security checks .iqy file download at %temp% location of victim machine and executed. Below fig. shows the iqy file, it contains URL and some parameters.<\/p>\n

\"Fig
Fig 6: IQY file<\/figcaption><\/figure>\n

Once iqy file is executed it enables a command line that begins a PowerShell Process. This process allows fileless execution of the PowerShell script as shown in the below figure.<\/p>\n

\"Fig
Fig 7: PowerShell Command<\/figcaption><\/figure>\n

PowerShell command is stored in cell A0 and executed by Excel. It then executes a PowerShell command that downloads a string from URL inside that script and executes it using IEX parameter.<\/p>\n

\"Fig
Fig 8: PowerShell Script<\/figcaption><\/figure>\n

The PowerShell script downloads and executes the executable files, a remote access trojan activity did this backdoor FlawedAmmyy.<\/p>\n

The FlawedAmmyy RAT has been seen active seen mid of 2016, it implements common backdoor features. It allows attackers to remote control the machine, manages the files, captures the screen. The targeted campaigns have affected banking sector and automotive industry. \u00a0It is created via source code for version 3 of the Ammyy Admin remote desktop software. Quick Heal has proactively detected this FlawedAmmyy RAT with detection name as \u201cTrojan.Fuerboos\u201d.<\/strong><\/p>\n

Conclusion<\/b><\/strong>–<\/p>\n

Attackers are actively finding new ways to deliver malware to users, IQY files are one of them, so precaution is the best way to avoid this type of infection. Users need to be careful while opening attachments in suspicious mails.<\/p>\n

IoCs-<\/b><\/strong><\/p>\n

13cc8c748ab6beab2b942a9d04679511<\/p>\n

839e9a3ecec7e8f735875ec65f1466e0<\/p>\n

47205fbbb191dbcab606007fd7612ba7<\/p>\n

61fe083a43cb0c520f38537744f9ac83<\/p>\n

Detection names-<\/b><\/strong><\/p>\n

IQY.Downloader.32429<\/p>\n

IQY.Downloader.32431<\/p>\n

 <\/p>\n

Subject Matter Experts<\/strong><\/p>\n

Prashant Tilekar | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

Nowadays attackers are searching for new techniques to spread malware, recently we came across a new emerging way to deliver malware through IQY file. Till now we had seen spread\u00a0of malware through various file types and chains such as Word document, Script, JAVA files. IQY file is an Excel Web Query file that is used […]<\/p>\n","protected":false},"author":54,"featured_media":86886,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1214,164,21,24,303,5,304,293],"tags":[],"class_list":["post-86870","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-computer-security-terms-2","category-cyber-crime","category-email","category-malware","category-phishing","category-security","category-social-engineering-2","category-spam"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86870"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86870"}],"version-history":[{"count":18,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86870\/revisions"}],"predecessor-version":[{"id":86906,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86870\/revisions\/86906"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86886"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}