New Variant of Paradise Ransomware Spreads Through IQY Files
Internet Query Files (IQY) were used to deliver a new variant of Paradise ransomware, as reported by Last Line. The said file type has not been associated with this ransomware family before.
In the past, IQY files were typically used in other malware campaigns such as the Necurs botnet that distributes IQY files to deliver FlawedAmmy RAT. Bebloh and Ursnif also spreads via IQY and PowerShell.
[Read: Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments]
IQY files are used by Microsoft Excel. The files have URLs and other components necessary for making queries on the internet. According to Last Line researchers, IQY may not be as well-known as other Microsoft Office file formats, but it can still be weaponized. The attack does not use any vulnerability in Microsoft Excel, so even fully patched systems are exposed to risk.
IQY can be used to download an Excel formula that could exploit system processes such as PowerShell and CMD. It can also evade detection, since it’s a legitimate Excel file type.
The ransomware is distributed through a spam campaign with IQY attachments. Once the attachment is opened, the file retrieves a malicious Excel formula from the threat actors’ command and control (C&C) server. The formula has a command that will run a PowerShell command, which downloads an executable.
The researchers observed that the activity, which targets an organization in Asia, lasted for less than two days.
Shielding systems against ransomware
Ransomware has always been a prevalent threat that seems to only grow through the years. As reported in the Trend Micro 2019 Annual Security Roundup, the detection of ransomware-related threats increased by over 6 million last year; from over 55 million in 2018 to over 61 million in 2019.
Ransomware’s success can be attributed to its constant evolution — threat actors continually develop ransomware features and leverage new file types to stealthily appear like non-malicious files and evade detection.
[Read: Ransomware: Past, Present, and Future]
Enterprises and users can follow a few best practices to defend against ransomware. Since ransomware is usually distributed through malicious emails, employees should avoid downloading attachments and clicking on embedded links from unverified sources. Users should also perform regular backups of important files to minimize disruption in case of an infection.
Trend Micro offers powerful protection across all layers. Through pre-execution machine learning and dynamic sandbox analysis, Trend Micro™ Email Security can keep ransomware at bay before it enters the system. Trend Micro™ Deep Discovery™ Inspector detects and blocks ransomware on the network, stopping it from spreading to endpoints and servers. Trend Micro™ Deep Security™ protects physical, virtual, and cloud servers. For endpoints, Trend Micro Apex One™ provides advanced automated threat detection and response to threats, including ransomware.
Indicators of Compromise
Hashes
SHA-256 | Trend Micro Pattern Detection |
8a358b38c45628209e6f12264ed646ab3075ecefd273090acdc8497360b5d3d1 | TrojanSpy.Win32.TRICKBOT.TIGOCGQ |
8c985fd851f06d726709024eacd51b67ea268c5fee822cfa1460f581e7e38636 | Trojan.Win32.MALIQY.AA |
c12b75f4b1bfcf41c45666f9a3801b735653c7ea61d14c3b700e60c035f55b32 | Ransom.Win32.PARADISE.F |
URL
Description | URL | Detection |
URL from IQY | hxxp://ocean-v[.]com/wp-content/1.txt | Malware Accomplice |
URL from PowerShell command | hxxp://ocean-v[.]com/wp-content/1.exe | Malware Accomplice |
URL from IQY |
hxxps://ugajin[.]net/wp-content/upgrade/upd.txt | Malware Accomplice |
URL from PowerShell command | hxxps://ugajin[.]net/wp-content/upgrade/key.exe | Malware Accomplice |
“Check in” URL | hxxps://iplogger[.]org/1AsWy7 | Malware Accomplice |
URL from Ransom Note | hxxp://prt-recovery[.]support/chat/25-decryptor | Malware Accomplice |
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.