How do Palo Alto firewalls protect against malicious IQY files
Created On 04/08/19 03:11 AM - Last Modified 07/19/22 23:14 PM
Question
.iqy files are simple text files containing a URL, and they are opened by Excel by default. Once opened, Excel retrieves whatever object is at the URL inside the file.
Let's take the malicious IQY file below (used by the DarkHydrus threat actor group) as an example: how would a Palo Alto firewall protect against it?
$ shasum -a 256 credential.iqy
cc1966eff7bed11c1faada0bb0ed0c8715404abd936cfa816cef61863a0c1dd6 credential.iqy
Environment
Answer
1) IQY files are text files, and Palo Alto firewalls do not forward them to WildFire or create signatures based on IQY files:
$ file credential.iqy
credential.iqy: ASCII text, with CRLF line terminators
2) Contents of the IQY file 'cc1966eff7bed11c1faada0bb0ed0c8715404abd936cfa816cef61863a0c1dd6':
$ cat credential.iqy
hxxp://micrrosoft[.]net/releasenotes[.]txt
3) The IQY file reaches the endpoint. Let's assume that the endpoint protection has not detected it and the user decides to open it. By default, the user gets the warning below as Excel tries to reach out to the link:
4) The connection to hxxp://micrrosoft[.]net/releasenotes[.]txt gets blocked by the Palo Alto firewall, because we categorize this URL as 'Malware' and the URL Filtering profile is configured to block that category:
The user gets the warning below:
Additional Information
There is also an option under Objects > Security Profiles > File Blocking to detect IQY files. Blocking the transfer of IQY files over applications like SMTP is a good strategy.
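The two controls above (a file-type check and a URL/host decision) can be combined in a mail-gateway or triage script. The example below is added for this article and is not Palo Alto Networks code; it assumes the common IQY layout (an optional 'WEB' header line, an optional version line, then the URL Excel will fetch, followed by optional query parameters) and uses constructed placeholder hostnames rather than the indicators quoted above.

```python
import re
from urllib.parse import urlparse

# Excel accepts an optional "WEB" header and a version line before the URL line.
URL_LINE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)


def extract_iqy_urls(data: bytes) -> list:
    """Return the fetch URL(s) in an IQY payload, or [] if it is not IQY text."""
    try:
        text = data.decode("ascii")          # IQY files are plain ASCII text
    except UnicodeDecodeError:
        return []                            # binary content (e.g. a real .xlsx zip)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    if lines[0].upper() == "WEB":            # skip header and optional version line
        lines = lines[1:]
        if lines and lines[0].isdigit():
            lines = lines[1:]
    # The URL is the first remaining line; later lines are query parameters.
    return [lines[0]] if lines and URL_LINE.match(lines[0]) else []


def classify_iqy(data: bytes, allowed_hosts: frozenset) -> tuple:
    """Gateway decision: ('not-iqy', []), ('allow', urls) or ('block', urls)."""
    urls = extract_iqy_urls(data)
    if not urls:
        return ("not-iqy", [])
    hosts = {urlparse(u).hostname or "" for u in urls}
    # Only web queries pointing at explicitly trusted hosts are allowed through.
    verdict = "allow" if hosts <= allowed_hosts else "block"
    return (verdict, urls)


# Constructed samples with placeholder hosts (not the indicators from the article).
SAMPLES = {
    "typical": b"WEB\r\n1\r\nhttp://lookup.example.invalid/q.txt\r\nSelection=1\r\n",
    "bare_url": b"https://intranet.corp.example/report.txt\r\n",
    "xlsx": b"PK\x03\x04\x14\x00" + b"\xff\xfe\x00\x00",
}
TRUSTED = frozenset({"intranet.corp.example"})

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_iqy(blob, TRUSTED))
```

A bare URL with no 'WEB' header is also treated as IQY content, since Excel will open such a file the same way.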
https://support.office.com/en-ie/article/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795
https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/