Comments

Necurs delivering Flawed Ammy RAT via IQY Excel Web Query files — 4 Comments

  1. Received one of these emails today from Lousia.Staines@my_isp_domain with the subject Unpaid invoice [ID:309117242] and an attachment with the iqy extension. Had a look at the file in a text editor. The email headers have client-ip=41.73.14.134

    I downloaded the file 2.dat listed in the .iqy attachment with wget and had a look in a text editor. Exactly as you describe in this article. Looks like the server the file 2.dat was intended to be downloaded from has been taken offline anyway which removes the threat of this particular attachment.

    Thanks a lot for the well written article. Explains very clearly what the attachment does. Satisfied my curiosity about this one.

    • Target: 41.73.14.134
      IP: 41.73.14.134
      ASN: AS37004 Suburban-Broadband-AS
      City: Suleja
      Country: Nigeria
      Country Code: NG
      ISP: Suburban-Broadband
      Latitude: 9.1805
      Longitude: 7.1793
      Organization: Suburban-Broadband
      Region Code: NI
      Region Name: Niger State
      Timezone: Africa/Lagos
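The commenter's approach, opening the .iqy in a text editor and pulling out the URL it points at, can be scripted so the attachment is triaged without ever being opened in Excel or fetched. The following is an added example, not code from the article or from the commenter. The IQY sample, the host example.invalid and the filename 2.dat in it are constructed placeholders, not real indicators.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample (not a real indicator): an IQY file is plain text.
# Line 1 is the query type ("WEB"), line 2 a format version ("1"), line 3 the
# URL Excel fetches when the query refreshes, then optional key=value options.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://example.invalid/2.dat\r\n"
    "\r\n"
    "Selection=EntirePage\r\n"
    "Formatting=None\r\n"
    "PreFormattedTextToColumns=True\r\n"
)

URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")


def parse_iqy(text):
    """Split an IQY file into its type, version, fetched URLs and options.

    Nothing is fetched: this only reads the text so the URL can be recorded
    and checked before anyone opens the attachment in Excel.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    urls, options = [], {}
    for ln in lines[2:]:
        if URL_RE.match(ln):
            urls.append(ln)
        elif "=" in ln:
            key, _, value = ln.partition("=")
            options[key.strip()] = value.strip()
        # any other line (e.g. POST parameters) is ignored by this triage
    return {"type": lines[0], "version": lines[1], "urls": urls, "options": options}


def triage(parsed):
    """Return human-readable findings that make a web query look malicious."""
    findings = []
    for url in parsed["urls"]:
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"{url}: fetched over plain {u.scheme}")
        host = u.hostname or ""
        try:
            ipaddress.ip_address(host)
            findings.append(f"{url}: host is a bare IP address")
        except ValueError:
            pass
        # Legitimate web queries pull a table or text file; a '.dat' blob
        # from an external server is the pattern the article describes.
        if not u.path.lower().endswith((".txt", ".csv", ".htm", ".html")):
            name = u.path.rsplit("/", 1)[-1]
            findings.append(f"{url}: unusual payload name {name!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_iqy(SAMPLE_IQY)):
        print(finding)
```

Run it against a saved attachment by reading the file's text into `parse_iqy`; the URL it reports is what to block or submit to a sandbox, and the file itself never needs to reach Excel.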
