Threat actors can easily infiltrate networks because attacks evade detection by typical security protections.
A new variant of the Paradise ransomware attacks rarely-targeted Microsoft Office Excel IQY files, providing a new and relatively inobtrusive way to infiltrate and hijack an organization’s network, researchers have found.
Lastline Labs’ James Haughom discovered the variant in December in a spam campaign executed over two days that targeted an organization in Asia, he wrote in a blog post about the campaign published Tuesday.
The variant attempts to lure users into opening an IQY attachment that retrieves a malicious Excel formula from an attacker’s C2 server, he said. “This formula, in turn, contains a command to run a PowerShell command that will download and invoke an executable,” Haughom said in the post.
Paradise ransomware has been active since 2017, though it’s not as well-known as other ransomware campaigns. However, it does have some unique characteristics that help it attempt to end-run security protection, making it an attractive option for threat actors, Haughom said.
“Public knowledge of the Paradise ransomware is not wide-spread,” he said in the post. “This ransomware does contain a few evasion techniques that prove to be interesting and effective, such as implementing its encryption algorithm manually/at the source level, to avoid API calls.”
The new Paradise variant also uses an evasive host, IQY files, to attack a network, Haughom observed. IQY, or Internet Query files, are simple text files that Excel reads to download data from the internet and aren’t often exploited by hackers, even though they can hide in plain sight on a victim’s network, he said.
“This file type can be leveraged to download an Excel formula (command) that could abuse a system process, such as PowerShell, cmd, mshta, or any other LoLBins (Living-off-the-Land Binaries),” Haughom explained. “As this is a legitimate Excel file type, many organizations will not block or filter it.”
Indeed, if an organization does not have a security appliance that analyzes attachments, weaponized IQY files—which do not have a typical payload–will not flag as malware, he said.
“These appliances would typically rely on the reputation of these URLs, with the more robust solutions having the ability to actually analyze the contents that the URL returns,” Haughom wrote in the post.
Once the executable of the new campaign is unleashed on a victim’s network, it unpacks using self-injection to copy itself to a new location in memory, transfer control flow to the copy of itself, and then replace the original executable in memory with the unpackaged ransomware, Haughom described in his post.
After establishing itself on the network, the function begins the ransomware process with an attempt to disable Windows Defender through setting the registry value for DisableAntiSpyware to 1, he wrote.
“The malware then attempts to kill any processes containing specific strings,” Haughom said. “Ransomware will typically force target applications to close to ensure that handles to files of interest are released. This allows the malware to then obtain handles to these important files during the encryption process.”
The variant’s encryption also shows unique properties particularly in the algorithm used, which leverages the stream cipher Salsa20 to encrypt the victim’s files, he said. This makes it more difficult for security administrators to respond to the attack, Haughom said.
“The benefit of using this algorithm is that malware authors can implement it into their source code rather than calling functions from a crypto library,” he wrote. “This makes detecting the encryption routine more difficult, and also makes determining the type of encryption being used a bit more challenging for malware analysts.”
Once files are encrypted, the Paradise variant automatically opens a ransomware note instructing the victim to visit an online chat to receive instructions on how to decrypt the files.
Many organizations probably won’t have the type of security appliances in place to detect an attack by the new campaign because IQY files contain only URLs, not payloads, Haughom said. This means if an organization falls victim to an attack, security administrators will likely have to rely on a third-party URL reputation service to aid in response efforts, he said.