Paradise Ransomware Uses IQY Attachments to Stay Hidden

Security researchers are warning of a new ransomware campaign using malicious IQY files to spread via phishing emails.

IQY, or Internet Query files, are simple text files read by Excel that work to download data from the web.

Researchers at Lastline observed them being weaponized in attacks designed to spread a new variant of Paradise ransomware.

“This campaign attempts to entice users into opening an IQY attachment, which reaches out and retrieves a malicious Excel formula from the attacker’s C2 server. This formula, in turn, contains a command to run a PowerShell command that will download and invoke an executable,” the vendor explained.

“Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a third-party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs.”

Paradise itself is not new; the variant has been around since 2017. However, this version contains some enhancements designed to improve its ability to evade detection by security filters.

These include use of the Salsa20 crypto routine algorithm, which can be implemented into the malware source code so that there’s no need to call out to a crypto library.

This makes it more difficult for security tools to detect, as many AV tools rely on spotting API calls to detect ransomware. It also makes it harder for analysts to understand exactly what type of encryption is being used, said Lastline.

The researchers tried to get a response from the ransomware support team but received none, indicating the campaign is not fully operational. However, they did ascertain that the ransomware will not activate if the user’s language is Russian, Kazakh, Belarusian, Ukranian or Tatar, which may hint at its origins.

Stay up-to-date with the latest information security trends and topics by registering for Infosecurity Magazine’s next Online Summit. Find out more here.

What’s Hot on Infosecurity Magazine?