{
	"id": "9a290dac-a298-49d6-91f7-18f86763742a",
	"created_at": "2026-04-06T00:12:52.078298Z",
	"updated_at": "2026-04-10T03:21:20.03651Z",
	"deleted_at": null,
	"sha1_hash": "83f8fb01b31a30dbb40d8ee2efd6314836cc72bc",
	"title": "Necurs Poses a New Challenge Using Internet Query File",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67376,
	"plain_text": "Necurs Poses a New Challenge Using Internet Query File\r\nPublished: 2018-06-22 · Archived: 2026-04-05 14:28:32 UTC\r\nOur last report on the Necurs botnet malware covered its use of an internet shortcut or .URL file to avoid detection, but its authors seem to be updating it again. Current findings show that its developers are actively devising new means to stay ahead of the security measures meant to thwart it. This time, the new wave of spam from this botnet is using the internet query file (IQY) to evade detection.\r\nNecurs has cropped up in various cyberattack reports through the years, including a 2017 incident in which it was used to distribute Locky ransomware. Its current use of the IQY file type as an initial infection vector makes it notable. IQY files are text files with a specific format; their purpose is to let users import data from external sources into an Excel spreadsheet. By default, Windows recognizes IQY files as MS Excel Web Query Files and automatically opens them in Excel.\r\nThe role of IQY files\r\nThe new wave of spam samples has IQY file attachments. The subject line and attachment filename contain terms that refer to sales promotions, offers, and discounts, likely to disguise the attachment as the kind of information normally opened in Excel.\r\nFigure 1. Sample email that has IQY attachment\r\nOnce the user opens the IQY file, it queries the URL indicated in its code, and the web query file pulls data (2.dat in the sample) from the targeted URL into an Excel worksheet.\r\nFigure 2. Code snippet of the sample IQY file\r\nCloser examination of the pulled data shows that it contains a script that can abuse Excel’s Dynamic Data Exchange (DDE) feature, enabling it to execute a command line that starts a PowerShell process. This process allows the fileless execution of the remote PowerShell script, seen as 1.dat in the sample.\r\nFigure 3. Code snippet of the pulled data\r\nFigure 4. Code snippet of the PowerShell script\r\nThe PowerShell script downloads an executable file, a trojanized remote access application, and its final payload: the backdoor FlawedAMMYY (detected as BKDR_FlawedAMMYY.A). This backdoor appears to have been developed from the leaked source code of the remote administration software Ammyy Admin.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/\r\nPage 1 of 3\r\nIn a more recent spam wave, the script downloads an image file before the final payload. The downloaded image is a disguised downloader malware (detected as BKDR_FlawedAMMYY.DLOADR) that downloads an encrypted component file (detected as BKDR_FlawedAMMYY.B) containing the same main backdoor routines.\r\nFigure 5. Infection chain starting with the attached IQY file\r\nThe backdoor FlawedAMMYY executes the following commands from a remote malicious server:\r\nFile Manager\r\nView Screen\r\nRemote Control\r\nAudio Chat\r\nRDP Sessions\r\nService - Install/Start/Stop/Remove\r\nDisable desktop background\r\nDisable desktop composition\r\nDisable visual effects\r\nShow tooltip - mouse cursor blinking cause\r\nAdding this new layer of evasion to Necurs poses new challenges because web queries generally come in the form of plaintext files, which makes the attached IQY file’s URL the only indication of malware activity. In addition, its structure is the same as that of normal Web Queries. Therefore, a security solution that blocks malicious URLs could be used to defend against this threat.\r\nSolutions and mitigation\r\nAgainst Necurs and other threats delivered via spam, employing strict security protocols and best practices can still make a difference. In this case, users should download and execute uncommon attachments with extreme caution. Microsoft is aware of the DDE abuse that this infection vector uses, which is why Excel issues two explicit pop-up warnings when the IQY file attachment is opened, giving users a chance to reconsider opening the file.\r\nFigure 6. First pop-up warning\r\nFigure 7. Second pop-up warning\r\nNecurs' activities show that this botnet has all the signs of developing evasion techniques that might get past an unpatched or outdated security solution. To protect against evolving spammed threats like Necurs, enterprises can use Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and block all related malicious URLs. Trend Micro Deep Discovery™ has a layer for email inspection that can protect enterprises because it detects malicious attachments and URLs. Deep Discovery can detect the remote script even if it is not downloaded to the physical endpoint.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions. Trend Micro™ Email Reputation Services™ detects the spam mail used by this threat upon arrival.\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\nIndicators of Compromise\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/"
	],
	"report_names": [
		"necurs-poses-a-new-challenge-using-internet-query-file"
	],
	"threat_actors": [],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83f8fb01b31a30dbb40d8ee2efd6314836cc72bc.pdf",
		"text": "https://archive.orkl.eu/83f8fb01b31a30dbb40d8ee2efd6314836cc72bc.txt",
		"img": "https://archive.orkl.eu/83f8fb01b31a30dbb40d8ee2efd6314836cc72bc.jpg"
	}
}