Have you ever walked through a store and spotted an item that looked strange to you, but you put it in your cart anyway? Maybe it was appealing because it was something new you wanted to check out. Maybe it was shiny — you had to have it. If so, threat actors are looking for shoppers just like you. They constantly distribute new “products,” typically in the shape of crafty email spam, to lure the unsuspecting user. A recent wave of malicious “products” has hit the virtual high streets in the form of unsolicited email with internet or web query file (IQY) attachments.
IQ What? Why?
What is an IQY file attachment, and why is it the flavor of the month for threat actors? Microsoft Excel uses this type of file to pull data from the internet into a spreadsheet. To do that, a URL is embedded into an IQY file, and the file facilitates pulling the data from the specified webpage.
While IQY file extensions may sound foreign to many users, if you look at enterprise-level networks that use SharePoint, a web-based collaborative platform that integrates with Microsoft Office, for example, you would be sure to find many instances where IQY files are used.
These files help network users share and edit Excel spreadsheets, among other uses. As you can imagine, a common productivity file with an embedded URL could easily be used for nefarious purposes. This is why these types of files are not made to run code without interacting with the user. To prevent their content from loading automatically, a security prompt is built into the file asking the user if he or she would like to “enable” a data connection when opening an IQY file.
Figure 1: Warning box asking user to “enable” or “disable” a data connection in an IQY file (Source: IBM X-Force)
Small and Handy — In the Wrong Hands
IQY files are attractive to threat actors for a couple of reasons. For one, they are easy to create. An IQY file can be created by using a text editing program. Threat actors can insert their malicious instructions into the text editor along with an actionable URL and save it with an “.iqy” extension. They can then use the file to deliver malicious code directly from their malware infection zones. IQYs are also small and inconspicuous, making them easier to plant in an unsolicited email.
This type of file attachment is relatively unusual and not commonly seen attached to emails, and that is why it can be interesting to an attacker. Attackers constantly shuffle file types in their spam campaigns in an attempt to create an element of surprise for unsuspecting users. They are also trying to catch security solutions off guard, especially those that filter common file types and extensions used in phishing and malware infection campaigns.
Some recent statistics from IBM X-Force research revealed that the use of IQY files in spam campaigns has been on the rise in recent months. One major malspam distributor, the Necurs Botnet, was observed using weaponized IQY file attachments for the first time starting on May 25, 2018.
Between late May and mid-July 2018, IBM X-Force researchers captured over 780,000 spam emails that came from Necurs resources in their spam traps. All of those messages contained IQY attachments.
Figure 2: IQY attachment spam campaigns spewed by the Necurs Botnet (Source: IBM X-Force)
Figure 3: Example of email message with IQY attachment (Source: IBM X-Force)
Upon further analysis of the emails captured in our spam traps, the IQY attachments were confirmed to contain malicious URLs. Once users were lured into executing the connection to the embedded URL, the chain of infection on the device was set in motion. This led to the eventual download of the FlawedAmmy RAT, a malicious remote access tool of which source code was leaked in March 2018, giving rise to numerous campaigns that spread this malware to hundreds of thousands of users.
Below are some examples of malicious URLs contained inside Necurs IQY attachments in campaigns X-Force followed:
Enough IQY Files to Go Around
In mid-July 2018, a threat actor group known as DarkHydrus also began using malicious IQY attachments. DarkHydrus’ spear phishing emails contained Roshal Archive Compressed (RAR) files that concealed a weaponized IQY file. According to SecurityWeek, the URL inside the IQY file led to running a PowerShell script on the victim’s device to set up a backdoor. The campaign is believed to have been nation-state motivated.
Another instance yet: The most recently observed use of malicious IQY attachments came from the Marap downloader malware. The Marap phishing email campaign started in August 2018. IBM X-Force researchers were able to capture emails from this campaign starting on August 10, 2018, confirming they included malicious IQY file attachments.
Figure 4: Necurs-borne email hauling IQY attachment that fetches the Marap malware (Source: IBM X-Force)
IQY — You Know Why…
Using various and often little-known file types and extensions in spam email is a growing trend among major botnet and spam distributors. To ensure that their malicious emails reach recipients and do not end up blocked by email filters, cybercrime groups shuffle their tactics all the time, delivering booby-trapped files in many shapes throughout the year.
Since IQY files are inherently useful and prevalent on many enterprise networks, some security practices can help mitigate the risk associated with them without having to block the use of those files altogether.
Useful Tips for Defenders
- One of the best defense strategies is to spread the word about popular spammer tactics. Ensure that everyone within your organization is aware of the dangers that IQY files pose. As their popularity in spam campaigns rises, incorporate IQY files into organizational antispam and phishing training.
- If IQY files are not used within your environment, they can be blocked with group policies. System administrators can modify Trust Center settings to disable data connections initiated from within Excel spreadsheets.
- If IQY files are required on your organization’s networks, get creative with advanced email filtering rules. Some email security solutions give the option to inspect the contents of an email attachment. Keep in mind that blocking specific malicious content found in an attachment could still allow legitimate IQY files through.
- Use IP whitelisting in email filtering rules for allowed senders of IQY files. Be cautious of using domain whitelisting rules because threat actors commonly spoof email domains during spear phishing attempts.
- Keep up to date on emerging threats and indicators of compromise (IoCs) gleaned from them. Block access to known malicious URL IoCs that current threat actors are using in IQY files.
- Ensure your security information and even management (SIEM) systems can identify threats, especially unknown ones. IBM’s QRadar SIEM uses analytics and intelligence to identify indicators of advanced threats that might otherwise go unnoticed.