US federal authorities assess that cyber criminals are likely using Internet query (IQY) files in phishing emails targeting US businesses, indicating a new tactic, technique, and procedure (TTP).  IQY files are a file format used to import data from external sources, such as remote servers, into Excel spreadsheets, where it is then executed on the computer. In cybercriminal phishing attempts, a malicious web server URL was put into the IQY file attached to the email to bypass computer security and email filters.[1]  Historically, most cybercriminal phishing campaigns used embedded macros or executables to run malicious code.  With an IQY file, the malicious email has a higher chance of success because it circumvents computer network and email filters: no malicious code is embedded in the email attachment, and the IQY file uses a simple web URL as its payload.


Many computer network security monitors allow the email attachments to be received. Because IQY files had not been reported as being used maliciously until late May 2018, this TTP gives cyber criminals the benefit of bypassing web and email filters due to a lack of security awareness of IQY files.  Once a malicious IQY file is opened, a second stage of the cyber exploitation starts by retrieving a malware payload from a remote computer for the victim to download and execute.

According to a blog post by a cyber security company on 16 August 2018, researchers reported that the name of a major US bank was exploited during a phishing campaign in which millions of emails distributed Marap. Marap is a loader used as a computer reconnaissance tool that gives cyber attackers a better understanding of the victim computer, and it can be used to download other malware after a computer is infected.  Its purpose is to remain undetected due to its limited capability, allowing for a lower malicious signature on a computer system.  The malicious emails used IQY files to link the victims to the malware for download.  Once the loader was executed on a victim’s computer system, a malicious file was used to fingerprint the victim computer system for anti-virus software, victim computer Internet protocol (IP) address, country, language, and computer operating system version.  Cyber criminals use fingerprinting as a way to do reconnaissance on a computer system to look for ways to exploit it, or as a method of avoiding detection by cyber security researchers looking for their cyber-attacks.

Botnets have used IQY files to distribute multiple types of malware as well as phishing emails since May 2018, according to analysts and open source information. For example, in a cyber security blog post dated 5 September 2018, researchers captured more than 780,000 phishing emails that came from a botnet’s global spam campaign, pretending to be business emails.

Analysts assess that the number of cyber criminals using malicious IQY files will likely increase in the near term as the cyber exploit becomes more widely known.  When a TTP becomes publicized and is seen as effective, cyber criminals quickly adopt it for their cyber exploitation. If the malicious use of IQY files remains unchecked, less sophisticated cyber criminals will adopt the TTP, widening the demographics targeted and increasing the victim pool due to a larger number of spam campaigns using the TTP.


Analysts suggest precautionary measures to mitigate the threat, such as:

  • Conduct end user education and training on the threat of phishing emails.
  • Continue to educate employees on scrutinizing links contained in emails, and not opening attachments included in unsolicited emails.
  • Consider adding an email banner alerting when an email comes from outside your organization, so that it is easily noticed.
  • Implement application whitelisting to block execution of malware, or at least block execution of files from TEMP directories, from which most phishing malware attempts to execute.
  • Recommend stripping .iqy binary attachments from inbound email at the gateway.
  • Implement procedures to detect suspicious activity and process patterns, such as remote scripts, and block this behavior before it can download any payloads. An example is Excel attempting to launch the Command Prompt (cmd.exe) and PowerShell in an attempt to download something from the Internet.
  • Utilize threat intelligence sharing to stay informed of advanced threats.
  • Continuously monitor security industry reporting pertaining to third-party or free software used by your organization. This reporting can often identify when this software has been incorporated in a malicious scheme.
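
An added example, not part of the original report or of any gateway product: one way to apply the attachment-stripping recommendation above with Python's standard `email` package, while recording the URL each stripped IQY file points to for triage. The sample message, addresses, filenames and function names are constructed for illustration, and the `WEB` / version / URL layout is assumed as the typical form of a web query file.

```python
import email
from email import policy
from email.message import EmailMessage

def build_sample() -> bytes:
    """Constructed inbound message: one .iqy attachment, one harmless PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@sender.example", "user@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Assumed layout of a web query file: "WEB", a version line, then the URL.
    msg.add_attachment(b"WEB\r\n1\r\nhttp://payload.example/q.dat\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_0412.IQY")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()

def iqy_url(payload: bytes):
    """Return the URL if the body has the WEB / version / URL layout, else None."""
    text = payload.decode("utf-8-sig", "replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) >= 3 and lines[0].upper() == "WEB":
        return lines[2]
    return None

def strip_iqy(raw: bytes):
    """Drop IQY attachments; return (cleaned message bytes, findings for triage)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in list(msg.iter_attachments()):
        name = (part.get_filename() or "").strip()
        url = iqy_url(part.get_payload(decode=True) or b"")
        # Match on extension (case-insensitive) or on content layout.
        if name.lower().endswith(".iqy") or url:
            findings.append({"filename": name, "url": url})
            msg.get_payload().remove(part)
    return msg.as_bytes(), findings

if __name__ == "__main__":
    cleaned, hits = strip_iqy(build_sample())
    for hit in hits:
        print("stripped", hit["filename"], "->", hit["url"])
```

The recorded URLs can be fed to proxy or DNS blocklists so that a copy of the file arriving by another channel cannot fetch its second stage.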

For questions or comments regarding this report, please contact the Lab directly at 844-4-WAPACK (1-844-492-7225) or feedback@wapacklabs.com.

[1] FBI PIN Number - 20181220-001
