Paradise Ransomware Variant Hides in Office IQY Files

The uncommon Internet Query file format lets attacks slip past defenses to effectively break into target networks.

Researchers have detected an attack campaign that leverages Internet Query files (IQY) to bypass enterprise defense systems and deliver a new variant of Paradise ransomware.

Paradise has been active since 2017; now, its operators are finding new ways to deliver the malware. IQY files are simple text files read by Microsoft Excel to download data from the Internet. It’s one of the lesser known weaponizable Microsoft Office file formats, Lastline researchers say. Most organizations won’t block or filter IQY because it’s a legitimate file type. Further, the files may not register as malware because there is no payload; just a URL.

The campaign is designed to trick users into opening an IQY attachment, which retrieves a malicious Excel formula from the attacker’s command-and-control server. This formula contains a command to run a PowerShell command, which downloads and deploys the ransomware. Lastline researchers were able to link the executable to the Paradise ransomware family.

Researchers don’t know which criminal group is responsible for this campaign; however, it is worth noting the ransomware checks to see if a machine’s language ID is Russian, Kazakh, Belarusian, Ukrainian, or Tatar. If one of these values is matched, the ransomware exits.

Read more details here.    

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

Read More HERE