Necurs distributes Flawed Ammyy RAT via Excel IQY files

A few days ago, a new attack method used by the Necurs botnet became known. It distributes a remote access Trojan (name: Flawed Ammyy) using Excel Web Query and Internet Query files.



RAT is the acronym for Remote Access Trojan, and Necurs is a botnet. Flawed Ammyy RAT is a Trojan that was probably developed from legitimate software, the Ammyy Admin remote desktop software version 3. This article contains a note that the Trojan was distributed by mail. Now there is a new attack vector that uses query files.

The site MyOnline-Security came across this attack method last week. The Necurs botnet tries to distribute the Trojan using .iqy files, which are Excel web query and Internet query files. There is also an approach that attempts the same using SYLK files (see the article here).

The files are simple text files containing a URL. When such a file is opened in Excel, Excel downloads whatever the URL points to ("default for iqy files"). This also makes it possible to download malware from the Internet that antivirus software may miss, because the query files themselves do not contain malware.
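Because a web query file is only a few lines of text, a mail gateway or an analyst can extract the URL it would fetch without opening it in Excel. The following Python is an added example, not code from this post or from MyOnline-Security; it assumes the commonly documented layout (optional `WEB` and version lines, then the URL), and the function names and sample file are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse


def parse_iqy(data: bytes):
    """Return the query's URL details, or None if data is not a web query."""
    text = data.decode("utf-8-sig", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = bool(lines) and lines[0].upper() == "WEB"
    if header:
        lines = lines[1:]                      # drop query type
        if lines and lines[0].isdigit():
            lines = lines[1:]                  # drop query version
    if not lines:
        return None
    try:
        parsed = urlparse(lines[0])
    except ValueError:                         # malformed URL text
        return None
    if parsed.scheme.lower() not in ("http", "https") or not parsed.hostname:
        return None
    return {"url": lines[0], "scheme": parsed.scheme.lower(),
            "host": parsed.hostname, "header": header}


def triage(filename: str, data: bytes):
    """Return findings for one attachment; an empty list means no web query."""
    query = parse_iqy(data)
    named_iqy = filename.lower().endswith(".iqy")
    # Without the WEB header, only the .iqy extension counts as an indicator.
    if query is None or not (named_iqy or query["header"]):
        return []
    findings = ["Excel will fetch " + query["url"] + " when the file is opened"]
    if not named_iqy:
        findings.append("web query content under a non-.iqy file name")
    if query["scheme"] == "http":
        findings.append("source is plain HTTP")
    try:
        ipaddress.ip_address(query["host"])
        findings.append("host is an IP literal, not a domain name")
    except ValueError:
        pass
    return findings


# Constructed sample: 198.51.100.7 is a documentation-only address (TEST-NET-2).
SAMPLE = b"WEB\r\n1\r\nhttp://198.51.100.7/data.txt\r\n"

if __name__ == "__main__":
    for finding in triage("invoice.iqy", SAMPLE):
        print("-", finding)
```

The findings are triage hints for a reviewer, not a verdict: legitimate web queries exist, so the extracted URL still has to be checked against what the organization actually uses.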

In this specific case, Flawed Ammyy RAT is probably downloaded from the Internet using these query files. The information can be found in this blog post. It also explains that you can prevent such files from being loaded in the Trust Center of Excel. At the moment I cannot assess the risk of this method of attack. However, administrators in company environments should know the attack path and, if necessary, prevent the files from being opened.

