Malicious e-mail attachments come in all shapes and sizes.
Container files, especially, can sometimes be quite unusual, which is where today's diary comes in.
While going over messages that were caught in my malspam traps over the course of May, I found multiple e-mails that carried files with a TXZ extension as their attachments.
Since this extension is hardly the most common one, I needed quick help from Google to find that it was associated with Tar archives compressed with XZ utils.
It seems that even when it comes to malicious e-mail attachments, use of this extension is relatively unusual, since a quick check revealed that my malspam traps hadn't caught any such files in 2021, only one file in 2022, and none in 2023.
As it turned out, both the 2022 file and the current files that my malspam traps caught were actually not TXZ files but rather renamed RAR archives.
Although threat actors commonly modify the extensions of the malicious files they send out, I was a little mystified by the change in this case, given the aforementioned less-than-common use of TXZ files and, presumably, their limited support by archiving utilities.
Further Google searching soon revealed the reason for it.
It turned out that TXZ files were among the file types for which Microsoft added native support to Windows 11 late last year.
Potential recipients of the malicious messages who used this operating system might therefore have been able to open the attachments simply using the standard Windows File Explorer, even though the extension and the actual file type were mismatched.
It is worth noting that although multiple e-mails were caught in the traps, they all belonged to one of two campaigns.
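One defender-side check that follows from the observation above, added here as an example that is not part of the original diary: compare each attachment's declared extension against its leading bytes, so that a RAR archive renamed to .txz is flagged before anyone double-clicks it. The magic-byte values and the extension-to-format map are assumptions taken from the public format specifications, not from the diary, and the sample attachments are constructed header stubs, not real malware.

```python
from typing import Optional

# Leading bytes of the container formats involved (assumed from the public
# specs). RAR and XZ are the two the diary contrasts; ZIP and 7z are included
# so the same check covers other archives Windows 11 opens natively.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 4.x / RAR 5
    "xz":  (b"\xfd7zXZ\x00",),                               # XZ (what .txz should be)
    "7z":  (b"7z\xbc\xaf\x27\x1c",),
    "zip": (b"PK\x03\x04",),
}

# What each extension claims to contain. A .txz is an XZ-compressed tar, so
# its first bytes must be the XZ magic, never RAR's.
EXPECTED = {
    ".tar.xz": "xz", ".txz": "xz", ".xz": "xz",
    ".rar": "rar", ".7z": "7z", ".zip": "zip",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format implied by the file's leading bytes, or None if unknown."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def declared_format(filename: str) -> Optional[str]:
    """Map the attachment's extension (case-insensitive, longest match first) to a format."""
    name = filename.lower()
    for ext in sorted(EXPECTED, key=len, reverse=True):
        if name.endswith(ext):
            return EXPECTED[ext]
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare declared vs. actual format; a mismatch is the diary's TXZ-but-RAR case."""
    declared, actual = declared_format(filename), sniff_format(data[:16])
    mismatch = declared is not None and actual is not None and declared != actual
    return {"file": filename, "declared": declared, "actual": actual, "mismatch": mismatch}


# Constructed sample attachments: headers only, padded with zero bytes.
SAMPLES = {
    "invoice.txz": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,  # RAR 5 renamed to .txz
    "backup.txz":  b"\xfd7zXZ\x00\x00\x04" + b"\x00" * 8,   # genuine XZ
    "report.zip":  b"PK\x03\x04" + b"\x00" * 12,            # genuine ZIP
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = check_attachment(name, blob)
        print(f"{name}: declared={r['declared']} actual={r['actual']} -> "
              f"{'MISMATCH' if r['mismatch'] else 'ok'}")
```

Only a declared-but-different format counts as a mismatch; an unknown extension or unrecognised header is reported as None rather than flagged, so the check does not drown a mailbox in false positives.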
Messages from the first campaign contained texts in Spanish and Slovak and were used to distribute a 464 kB PE file carrying GuLoader malware, which had 53/74 detections on VirusTotal at the time of writing.
Messages from the second campaign contained texts in Croatian and Czech and were used to distribute a 4 kB batch file downloader for the FormBook malware, which, at the time of writing, had a 31/62 detection rate on VirusTotal.
Exe
MD5: c7f827116e4b87862fc91d97fd1e01c7
SHA-1: d28d1b95adbe8cfbedceaf980403dd5921292eaf
SHA-256: 3f060b4039fdb7286558f55295064ef44435d30ed83e3cd2884831e6b256f542

Published on isc.sans.edu, Mon, 27 May 2024 07:13:05 +0000.