Across 5 different campaigns earlier in 2018, the Necurs botnet distributed over 780,000 emails, all of which contained malicious IQY (Excel Internet Query) files, a very popular way to distribute malware. This number is small for a botnet that was responsible for 60% of spam traffic in the last 3 months of 2017.
What are IQY files?
IQY files are primarily text documents that contain the address of a site from which information is pulled into the document. They are often used in corporate environments and are not a threat in themselves. However, we never know what kind of information a file can "pull" from the internet, or whether it is safe or not.
By default, Microsoft does not allow IQY files to run code automatically, and Excel always requests the user's permission. But making a document look like a real one can confuse the user.
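As an added example (not part of the original article), here is one way a mail gateway or analyst could triage an .iqy attachment: it reads the web-query layout (a WEB line, a version line, then the URL) and flags where the file would pull data from. The allowlist, host names and sample files are constructed assumptions.

```python
# Added example: defender-side triage of .iqy attachments.
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts your organisation legitimately queries from Excel.
ALLOWED_HOSTS = {"reports.corp.example"}

def parse_iqy(text):
    """Return the query URL from an IQY file, or None if none is found."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    # A web query starts with the type line "WEB", a version line, then the URL.
    if len(lines) >= 3 and lines[0].upper() == "WEB" and lines[1].isdigit():
        return lines[2]
    # Be conservative: also treat a file that starts with a bare URL as a query.
    if lines and lines[0].lower().startswith(("http://", "https://")):
        return lines[0]
    return None

def triage(text, allowed=ALLOWED_HOSTS):
    """Return (url, reasons); an empty reasons list means nothing was flagged."""
    url = parse_iqy(text)
    if url is None:
        return None, ["not a recognisable web query"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP literal")
    except ValueError:
        pass  # host is a name, not an IP address
    if host not in allowed:
        reasons.append("host not on allowlist")
    return url, reasons

# Constructed samples (placeholder hosts, not indicators from any campaign).
SAMPLE_EXTERNAL = "WEB\r\n1\r\nhttp://203.0.113.7/invoice.dat\r\n"
SAMPLE_INTERNAL = "WEB\n1\nhttps://reports.corp.example/sales?region=eu\nSelection=AllTables\n"

if __name__ == "__main__":
    for name, body in [("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)]:
        print(name, triage(body))
```

Because IQY files are rarely exchanged by email in most organisations, quarantining any attachment for which `triage` returns a non-empty reasons list is usually a low-noise rule.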
Some of the files that the Necurs botnet sent posed as allegedly unpaid accounts and contained a link. When the user clicked the link, a RAT (remote access tool) named FlawedAmmyy started to run, and the user was infected. FlawedAmmyy's source code was released in March of 2018.
Cyber criminals are constantly changing their tactics, using file types that people often trust and use. And with the security that platforms such as Google's Gmail offer today, this constant change in malware distribution is necessary in order not to be "blocked" by the spam filter of any email service.