Spammers Use iqy Files to Deliver Remote Access Trojan

Macros have long been favored by cybercriminals as a method of installing malware. The macros launch VB, JavaScript and PowerShell scripts that download malware. Due to potential threat, security teams often disable macros or at least configure end points to require macros to be manually enabled by end users. The risk of running macros is also usually covered in security awareness programs. It is now harder for cybercriminals to install malware using this technique.

At least one cybercriminal gang is now taking a different approach to get malware installed. Multiple campaigns have been identified that use Excel Query Files – extension .iqy – to install malware. The campaigns are being used to install a remote access Trojan – FlawedAmmyy – that gives the attackers root access on an infected device and full control of an infected computer. Spam messages containing the malicious Excel Query files are being delivered via the Necurs botnet in high volume.

The campaigns, detailed in a recent report from Barkly, involve emails with subject lines related to unpaid invoices and internal communications such as scanned documents – Common email types used to spread malware via malicious attachments.

Since this file type has not been extensively used in the past to deliver malware, the threat is unlikely to have been covered in security awareness training sessions.

Provided Microsoft Office is configured to block external content, warnings will be displayed. An end user who attempts to open an .iqy file will be presented with a warning from Microsoft about the risk of running these files. If the first warning is ignored, a second warning will be presented. End users will be required to accept the risks on two occasions for the malicious file to run.

Excel Query Files allow external content to be imported into Excel. Running the file will pull in content from a listed source and incorporate the information into a spreadsheet. However, in addition to adding content, the files can launch programs – legitimate programs such as notepad.exe or in this case, PowerShell commands.

Since these file types have rarely – if ever – been used to install malware, most AV solutions will not scan the files. Consequently, these spam messages are often delivered to end users’ inboxes. The files are incredibly simple, easy to create, yet they can easily start a chain of events that will result in the downloading of malware.

Once the RAT has been installed, the attackers have full access to stored data and can download malicious software of their choosing onto an infected device.

End users with a spam filtering solution in place should configure the software to block or quarantine .iqy files. Security teams should also consider sending a warning to end users about these campaigns and the danger of opening .iqy files.

If an organization uses this file types, and blocking them is not an option, Windows should be instructed to launch the files in Notepad to allow them to be inspected before they are run.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of