Necurs botnet distributed over 780,000 emails in five campaigns earlier this year, all containing weaponized IQY files – the latest method for delivering malware.
The volume is quite low for a botnet responsible for 60% of the world’s spam traffic in the last quarter of 2017.
However, the use of weaponized IQY files is a rising trend in malspam campaigns, with Necurs being first spotted to distribute malware using this type of files on March 25.
IQY files are basically text documents that can contain a web location for importing data into Excel spreadsheets; they are common in enterprise networks, where employees use them for collaboration purposes. They are not a threat in themselves but the information retrieved from an external source can contain malicious code.
Microsoft Office does not allow automatic execution of code from an IQY and asks for user permission to do so. But a well-crafted email may trick the user into enabling data connections in IQY files.
Emails sent over a period of a month and a half
IBM X-Force caught the 780,000 emails that Necurs operators laced with weaponized IQY files between late May and mid-July.
As observed by the researchers, Necurs spam factory sent out on May 25 over 300,000 messages. The second campaign on June 7 delivered about 200,000 emails.
The numbers spiraled down in the next spam bursts, with over 150,000 emails distributed on June 13, and less than 100,000 on July 13. The last throb was recorded on July 17 and was the weakest one, distributing less than 50,000 messages.
Some of the emails purported to be unpaid invoices, a common pretext that lures the victim into accessing the URL inside the IQY file.
When the connection was approved, the embedded URL provided a remote access tool called FlawedAmmyy RAT, whose source code was leaked in March.
Cybercriminals are constantly looking to change their game by using file types that are typically overlooked as a potential threat.
“To ensure that their malicious emails reach recipients and do not end up blocked by email filters, cybercrime groups shuffle their tactics all the time, delivering booby-trapped files in many shapes throughout the year,” X-Force researchers note.