What is the Issue?
Trend Micro has discovered that the Necurs malware, which was previously distributed disguised as an internet shortcut file, is now being delivered under the veil of an internet query file. These files are ordinarily harmless and are used to import data from external sources into Excel spreadsheets.
Why is this noteworthy?
In a recent finding, a backdoor referred to as “FlawedAMMYY” was identified as the final payload delivered to users. This means that a remote user with malicious intent gains access to affected systems through its File Manager, View Screen, Remote Control, Audio Chat, Remote Desktop Protocol (RDP), Disable Desktop Composition, Disable Visual Effects, and Show Tooltip functions.
What is the exposure or risk?
Spam emails carrying this malware are harder than ever to detect because the attachment uses a legitimate file type from Microsoft, a reputable technology company. With the ability to carry out the commands listed above on affected systems, users are highly vulnerable to having their information recorded and stolen, and the malware also leaves access in place for malicious parties to mount further attacks.
What are the recommendations?
Strict security protocols and security solutions that block malicious webpage links are recommended. Users should proceed with extreme caution when downloading unusual files and should thoroughly examine emails that could be spam. Users can also deploy the endpoint and email-inspection solutions offered by SKOUT to provide deep discovery and protection against such attacks.
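As an added illustration of the kind of email inspection recommended above (this is example code, not from the original advisory, Trend Micro, or SKOUT), the following rule classifies an internet query (.iqy) attachment by the URL it would make Excel fetch. It relies on the documented IQY layout: a plain-text file whose first line is the query type WEB, followed by a version line and then the URL. The allowlisted host and the sample attachment contents are constructed placeholders, and the thresholds (raw IP address, non-allowlisted host) are assumptions about a sensible gateway policy rather than anything the advisory specifies.

```python
"""Classify Internet Query (.iqy) email attachments by the URL they fetch.

Constructed example for a mail-gateway inspection rule. The allowlist and
the sample attachments below are placeholders, not data from the advisory.
"""
import re
from urllib.parse import urlparse

# Hosts a business legitimately imports spreadsheet data from (placeholder).
ALLOWED_HOSTS = {"intranet.example.com"}

IQY_EXTENSIONS = (".iqy",)

# Matches a bare dotted-quad, i.e. a URL that names a raw IP instead of a host.
_RAW_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_iqy(text):
    """Return the query URL of an IQY file, or None if the text is not one.

    An IQY file is plain text: a 'WEB' type line, a version line ('1'),
    then the URL Excel will fetch, followed by optional parameter lines.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    if lines[1] != "1":
        return None
    return lines[2]


def assess_attachment(filename, content):
    """Return (verdict, detail): 'not-iqy', 'allow' or 'block' plus a reason."""
    if not filename.lower().endswith(IQY_EXTENSIONS):
        return ("not-iqy", "")
    url = parse_iqy(content)
    if url is None:
        return ("block", "malformed IQY")
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ("block", "unrecognised URL")
    if _RAW_IPV4.fullmatch(host):
        return ("block", "raw IP address")
    if host not in ALLOWED_HOSTS:
        return ("block", "external host")
    return ("allow", host)


# Constructed sample attachments (TEST-NET address and reserved example domains).
SAMPLE_ATTACHMENTS = {
    "invoice.iqy": "WEB\n1\nhttp://203.0.113.10/x.dat\n",
    "report.iqy": "WEB\n1\nhttps://intranet.example.com/sales.csv\n",
    "query.iqy": "WEB\n1\nhttps://untrusted.example.net/load\n",
    "notes.txt": "meeting notes\n",
}


def scan_samples():
    """Run the rule over the constructed samples and return the verdicts."""
    return {name: assess_attachment(name, body)
            for name, body in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in scan_samples().items():
        print(f"{name:12} {verdict:8} {detail}")
```

The rule blocks by default and allows only hosts the organisation already trusts, because an IQY file has no legitimate reason to pull data from an arbitrary internet host; pairing this with link-blocking at the web proxy covers the case where a user opens such a file outside of email.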
References:
- https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-new-challenge-using-internet-query-file/
- https://www.securityweek.com/necurs-campaign-uses-internet-query-file-attachments
If you have any questions, please contact our Security Operations Center.