Friday, August 10, 2018

New Threat Actor Group DarkHydrus: latest malware uses Excel macro to launch PowerShell

Palo Alto Networks Unit 42 detected a campaign by a threat actor group dubbed DarkHydrus that delivered email attachments containing malicious Excel Web Query files (.iqy). .IQY files are simple text files containing a URL, and Excel opens them by default.

Microsoft Excel natively opens .iqy files and uses the URL in the file to obtain remote data to include in the spreadsheet. By default, Excel does not download data from the remote server automatically; it asks for the user's consent by presenting the dialog box shown in Figure 1:


Figure 1 Excel security notice for .iqy files
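Because an .iqy file is just a few lines of text with a URL, a mail gateway or endpoint scanner can inspect one before Excel ever shows that dialog. The following is an added example (not code from the Unit 42 report or from this post) that parses the .iqy format, extracts the URL, and flags files whose URL points at a host outside an allowlist or whose SHA256 matches the releasenotes.txt hash quoted on this page. The allowlisted host `reports.example.internal`, the placeholder host `placeholder.invalid` and the two sample files are constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

# SHA256 of releasenotes.txt as quoted in the Unit 42 report summarized above.
KNOWN_BAD_SHA256 = {
    "bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d",
}

# Hypothetical allowlist: hosts this environment permits Excel web queries to reach.
ALLOWED_HOSTS = {"reports.example.internal"}


def parse_iqy(data: bytes) -> dict:
    """Parse an Excel Web Query (.iqy) file.

    The format is plain text: a 'WEB' header line, a version line ('1'),
    the URL Excel will fetch, then optional key=value settings such as
    Selection=AllTables. Raises ValueError when the header or URL line is
    missing so a caller can treat a malformed file as suspicious.
    """
    text = data.decode("utf-8", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "WEB":
        raise ValueError("not a web query file (missing WEB header)")
    if len(lines) < 3:
        raise ValueError("web query file has no URL line")
    options = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def assess_iqy(data: bytes, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Return a verdict for one .iqy attachment: hash IoC, URL host, scheme."""
    digest = hashlib.sha256(data).hexdigest()
    findings = []
    if digest in KNOWN_BAD_SHA256:
        findings.append("sha256 matches known IoC")
    try:
        parsed = parse_iqy(data)
    except ValueError as exc:
        findings.append(f"malformed: {exc}")
        return {"sha256": digest, "url": None, "findings": findings, "block": True}
    url = parsed["url"]
    parts = urlparse(url)
    if parts.scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            findings.append(f"remote URL to non-allowlisted host: {host}")
        if parts.scheme == "http":
            findings.append("cleartext http URL")
    else:
        findings.append(f"unexpected URL scheme: {parts.scheme or 'none'}")
    return {"sha256": digest, "url": url, "findings": findings, "block": bool(findings)}


# Constructed samples: the shape of a typical .iqy, with placeholder hosts.
SAMPLE_SUSPICIOUS = b"WEB\r\n1\r\nhttp://placeholder.invalid/releasenotes.txt\r\n\r\n"
SAMPLE_BENIGN = (
    b"WEB\r\n1\r\nhttps://reports.example.internal/sales.html\r\n"
    b"\r\nSelection=AllTables\r\n"
)

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        verdict = assess_iqy(sample)
        print(name, "block" if verdict["block"] else "allow", verdict["findings"])
```

The allowlist is the important control: an .iqy that points anywhere other than a known internal data source has no business arriving as an email attachment, so blocking on host rather than on a known hash catches the next campaign's file as well as this one.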
By enabling this data connection, the user allows Excel to fetch content from the URL in the .iqy file. The releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains the following formula, which Excel saves to the A0 cell of the worksheet:


Source: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
