Spamruns using iqy files

What is going on?

A recent spam run attached “.iqy” files to e-mails. This appears to be a new trick used by malware authors: an “.iqy” file lets an attacker load and execute arbitrary script when the user opens the file. The initial spam run reportedly failed. Because the use of this file type is not yet broadly known, DearBytes expects further spam runs, as not all organisations filter the “.iqy” file extension. DearBytes advises organisations to implement e-mail filters that keep the “.iqy” file format out. As a defence-in-depth measure, it is also advised to deploy a GPO that blocks the use of DDE. The initial spam run looked like the following:

Who does this apply to?

This applies to any user or organisation using the Windows operating system in combination with Excel. Filtering for the “.iqy” format on incoming e-mails and downloads is advised.
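As an added example of the attachment filtering recommended above (not DearBytes' or DearMail's own filter code), the Python below flags “.iqy” attachments in a raw e-mail both by extension and by content: an Excel web query file begins with the literal line WEB, so a renamed attachment is still caught. The sample message, attachment names and the example.invalid host are constructed.

```python
from email import message_from_bytes, policy
IQY_MAGIC = b"WEB"  # an Excel web query (.iqy) file starts with this literal line

def is_iqy(filename, payload):
    """True if the attachment is an .iqy file by name or by content."""
    if (filename or "").lower().endswith(".iqy"):
        return True
    # Content check so a renamed .iqy is still caught; tolerate a UTF-8 BOM.
    if payload.startswith(b"\xef\xbb\xbf"):
        payload = payload[3:]
    first_line = payload.lstrip().split(b"\n", 1)[0].strip()
    return first_line.upper() == IQY_MAGIC

def scan_message(raw_message):
    """Parse a raw RFC 5322 message; return names of attachments to block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() or "<unnamed>"
            for part in msg.iter_attachments()
            if is_iqy(part.get_filename(), part.get_payload(decode=True) or b"")]

# Constructed sample: one attachment named .iqy, one renamed to .txt but still
# in IQY format (placeholder host only), and one harmless text file.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream; name="invoice.iqy"
Content-Disposition: attachment; filename="invoice.iqy"

WEB
1
http://example.invalid/query
--B
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

WEB
1
http://example.invalid/other
--B
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

Just a normal text file.
--B--
"""
```

Running `scan_message(SAMPLE_MESSAGE)` returns the two IQY attachments and leaves the plain text file alone.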

What is DearBytes doing?

DearBytes Managed Services has updated the filters for DearMail and implemented a McAfee access protection rule that blocks “EXCEL.exe” from reading “.iqy” files. Our SOC is monitoring whether the access protection rule is triggered and watching for any signs of spam runs employing the same trick.

What can you do?

The execution relies on Excel's Dynamic Data Exchange (DDE) feature to run commands. Microsoft has released a GPO that allows administrators to disable DDE, rendering the attack ineffective.