New Variant of Paradise Ransomware Spreads Through IQY Files

Internet Query Files (IQY) were used to deliver a new variant of Paradise ransomware, as reported by Last Line. The said file type has not been associated with this ransomware family before.

In the past, IQY files were typically used in other malware campaigns such as the Necurs botnet that distributes IQY files to deliver FlawedAmmy RAT. Bebloh and Ursnif also spreads via IQY and PowerShell.

[Read: Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments]

IQY files are used by Microsoft Excel. The files have URLs and other components necessary for making queries on the internet. According to Last Line researchers, IQY may not be as well-known as other Microsoft Office file formats, but it can still be weaponized.  The attack does not use any vulnerability in Microsoft Excel, so even fully patched systems are exposed to risk.

IQY can be used to download an Excel formula that could exploit system processes such as PowerShell and CMD. It can also evade detection, since it’s a legitimate Excel file type.

The ransomware is distributed through a spam campaign with IQY attachments. Once the attachment is opened, the file retrieves a malicious Excel formula from the threat actors’ command and control (C&C) server. The formula has a command that will run a PowerShell command, which downloads an executable.

The researchers observed that the activity, which targets an organization in Asia, lasted for less than two days.


Shielding systems against ransomware

Ransomware has always been a prevalent threat that seems to only grow through the years. As reported in the Trend Micro 2019 Annual Security Roundup, the detection of ransomware-related threats increased by over 6 million last year; from over 55 million in 2018 to over 61 million in 2019.

Ransomware’s success can be attributed to its constant evolution — threat actors continually develop ransomware features and leverage new file types to stealthily appear like non-malicious files and evade detection.

[Read: Ransomware: Past,  Present, and Future]

Enterprises and users can follow a few best practices to defend against ransomware. Since ransomware is usually distributed through malicious emails, employees should avoid downloading attachments and clicking on embedded links from unverified sources. Users should also perform regular backups of important files to minimize disruption in case of an infection.

Trend Micro offers powerful protection across all layers. Through pre-execution machine learning and dynamic sandbox analysis, Trend Micro™ Email Security can keep ransomware at bay before it enters the system. Trend Micro™ Deep Discovery™ Inspector detects and blocks ransomware on the network, stopping it from spreading to endpoints and servers. Trend Micro™ Deep Security™ protects physical, virtual, and cloud servers. For endpoints, Trend Micro Apex One™ provides advanced automated threat detection and response to threats, including ransomware.

Indicators of Compromise

Hashes

SHA-256 Trend Micro Pattern Detection
8a358b38c45628209e6f12264ed646ab3075ecefd273090acdc8497360b5d3d1 TrojanSpy.Win32.TRICKBOT.TIGOCGQ
8c985fd851f06d726709024eacd51b67ea268c5fee822cfa1460f581e7e38636 Trojan.Win32.MALIQY.AA
c12b75f4b1bfcf41c45666f9a3801b735653c7ea61d14c3b700e60c035f55b32 Ransom.Win32.PARADISE.F

URL

Description URL Detection
URL from IQY hxxp://ocean-v[.]com/wp-content/1.txt Malware Accomplice
URL from PowerShell command hxxp://ocean-v[.]com/wp-content/1.exe Malware Accomplice
URL from IQY
hxxps://ugajin[.]net/wp-content/upgrade/upd.txt Malware Accomplice
URL from PowerShell command hxxps://ugajin[.]net/wp-content/upgrade/key.exe Malware Accomplice
“Check in” URL hxxps://iplogger[.]org/1AsWy7 Malware Accomplice
URL from Ransom Note hxxp://prt-recovery[.]support/chat/25-decryptor Malware Accomplice
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.