Necurs spread 780,000 Emails With Weaponized IQY Files

Posted by & filed under Security Alerts.

Necurs botnet distributed over 780,000 emails in five campaigns earlier this year, all containing weaponized IQY files – the latest method for delivering malware. The volume is quite low for a botnet responsible for 60% of the world’s spam traffic in the last quarter of 2017.


However, the use of weaponized IQY files is a rising trend in malspam campaigns, with Necurs being first spotted to distribute malware using this type of files on March 25.

IQY files are basically text documents that can contain a web location for importing data into Excel spreadsheets; they are common in enterprise networks, where employees use them for collaboration purposes. They are not a threat in themselves but the information retrieved from an external source can contain malicious code.

Microsoft Office does not allow automatic execution of code from an IQY and asks for user permission to do so. But a well-crafted email may trick the user into enabling data connections in IQY files.

Emails sent over a period of a month and a half

IBM X-Force caught the 780,000 emails that Necurs operators laced with weaponized IQY files between late May and mid-July.

As observed by the researchers, Necurs spam factory sent out on May 25 over 300,000 messages. The second campaign on June 7 delivered about 200,000 emails.

The numbers spiraled down in the next spam bursts, with over 150,000 emails distributed on June 13, and less than 100,000 on July 13. The last throb was recorded on July 17 and was the weakest one, distributing less than 50,000 messages.


Some of the emails purported to be unpaid invoices, a common pretext that lures the victim into accessing the URL inside the IQY file. When the connection was approved, the embedded URL provided a remote access tool called FlawedAmmyy RAT, whose source code was leaked in March.

Other malware delivered by Necurs include Marap and Quant Loader, two downloaders that can funnel in various types of threats. Cybercriminals are constantly looking to change their game by using file types that are typically overlooked as a potential threat.

“To ensure that their malicious emails reach recipients and do not end up blocked by email filters, cybercrime groups shuffle their tactics all the time, delivering booby-trapped files in many shapes throughout the year,” X-Force researchers note.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.