August 24, 2018 By David Bisson 2 min read

Spammers are targeting financial institutions using Excel Web Query (IQY) files that conceal a new downloader malware.

On Aug. 10, researchers at Proofpoint observed four large spam email campaigns. One of the campaigns carried undisguised IQY attachments with names such as “sales” and “major bank” to prey upon financial organizations. Two of the other operations passed around IQY files hidden within ZIP archives or embedded in PDF documents, while the other campaign used Microsoft Word documents containing malicious macros.

All of these attachments led to the same payload: Marap, a downloader malware that uses a custom application programming interface (API) hashing algorithm, timing checks and media access control (MAC) address comparisons to avoid analysis by security professionals. Marap has the ability to download other modules and payloads, including a fingerprinting plugin that steals and exfiltrates key system information.

Attackers Shift Focus to IQY Files

Marap isn’t the first malware to rely on IQY attachments for distribution. Trend Micro recently discovered a campaign in which Necurs, a botnet that has a history with malicious spam, used IQY file attachments to begin a PowerShell process and thereby download the backdoor FlawedAMMYY. Soon after making that observation, researchers at the Japanese security firm detected the Cutwail botnet leveraging IQY files to target Japanese users with BEBLOH or URSNIF malware.

Security researchers at Barkly noted that malware actors are increasingly turning to IQY files. These attachments appeal to digital attackers because they are capable of bypassing most filters and antivirus software, since Microsoft Excel can legitimately use this type of file format to download web data directly into a spreadsheet.

How Can Financial Companies Defend Against Malicious IQY Files?

Given the growing preference for IQY files among digital attackers, security professionals should update their firewalls and email filtering tools to block these attachments outright. Information security professionals should also use real-time threat intelligence sharing to stay informed of advanced threats like Marap.

Sources: Proofpoint, Trend Micro, Trend Micro(1), Barkly

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today