A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victim’s computer.
A new malspam campaign was discovered by security researcher Suspicious Link that pretends to be a simple fwd of a previous email stating that the user should “Print document in attach”.
This attached document is an IQY file that when opened will execute a web query, or remote command, given by a remote server that uses PowerShell to install the Buran Ransomware. IQY files, they are Excel Web Query documents that when opened will attempt to import data into a worksheet using external sources. For example, as shown below, the attached IQY file is simply a text file that specifies its data will come from the web and be retrieved from the listed URL.
The data returned from an external source can also be an formula that is then executed by Excel when the IQY file is opened. In this particular case, the formula will launch a PowerShell command that downloads a remote Buran Ransomware executable named 1.exe, saves it to the Temp folder, and then executes it.
Like malicious macros, users first need to enable the data source, but as we have seen with other spam campaigns, too many people blindly click on the Enable button.
If the user clicks on Enable, the 1.exe file will be downloaded and executed, which will start to encrypt the files on the computer.