< Back to Blog

Hackers Weaponize Little-Known .IQY Excel Scripts

June 17, 2018

Windows and its Office progeny may be approaching middle age, but like mischievous teens, they always seem to be up to something new – or, rather, the hackers that have specialized in breaking through PC defenses are always finding new things to exploit. The latest exploit is based on a little-known (until now) file format, called .IQY – Internet Query Files, which work with Excel to download content from the web and insert it into the worksheet.

.IQY files are very small text files, and generally are used to insert data or text into an Excel spreadsheet from a remote source. Until now they have not been used in malware attacks – so AV programs have generally ignored them. This has given hackers an opportunity to pull off a major campaign, injecting DDE commands into Excel spreadsheets – bypassing active defenses and security solutions.

Those commands, true to their name, contact a malicious web server that installs a RAT, a remote administration tool called FlawedAmmyy that hackers can use to control a system. The .IQY files are embedded in spam e-mail distributed by the Necurs botnet, best known for distributing the Locky ransomware tool. The attack was first noticed on May 25th, according to IBM X-Force Exchange, when Necurs sent out tens of thousands of spam messages containing the poison .IQY files, as an attachment.

To protect themselves, users should have Office Protected View up and running, which will block the .IQY file from injecting the malware, unless the user approves. In addition, users should make a note of documents asking for their approval to “update data within the spreadsheet” that, too, can be a sure sign that the new .IQY attack has reached them. As usual, vigilance is the best defense to ensure online safety.

Votiro customers are protected from this kind of attack as Votiro’s Disarmer handles IQY files with ease. Have a free test of our capabilities here.