Blog

Malicious email attachments are often used in malspam, phishing, and spear-phishing attacks as an initial access vector to breach a victim's computer and install second-stage malware. Very simply, a trojan file can execute attacker supplied code in a single click, giving a high rate of success for the attacker. The types of files used for this deception and payload they carry differ widely in form and function. Some common techniques use well known document types such as Office documents and PDFs, compressed file archives such as .ZIP and .RAR archives, as well as many variants of executable file types. 

According to a recent post from the SANS Internet Storm Center, a new campaign leveraging malspam email attachments with the .TXZ file extension is being used to deliver GuLoader and FormBook malware.  In this article, we will briefly review the threat alert from SANS, and the most commonly used file types used as deceptive trojans.

New Malspam Attacks Using .TXZ File Extension

Recently, a surge in malspam campaigns has been observed utilizing .TXZ file extensions as attachments. TXZ files are usually associated with Tar archives compressed using XZUtils. Coincidentally, XZUtils recently experienced its own scare when malicious code was found injected into the most recent version of its open-source library as part of a long-term social engineering campaign to compromise the XZUtils package. However, this recent analysis from SANS is unrelated to CVE-2024-3094, and ultimately unrelated to XZUtils since only the file .TXZ extension was used to obfuscate the payload. 

The SANS analysis revealed that the intercepted files having the .TXZ extension were actually RAR archives in disguise. Although the tactic to manipulate file extensions to evade detection is not a new one, exploiting the less familiar .TXZ format to bypass traditional security measures is the newest trick up attacker's sleeves. Jan Kopriva of SANS believes the choice of .TXZ files may be linked to the recent extension of Windows 11's native decompression capabilities meaning the files could be opened via Windows's standard file explorer.

Two distinct campaigns using .TXZ files were identified by security researchers in May. The first campaign used Spanish and Slovak languages to distribute a 464 kB portable executable (PE) file infected with GuLoader malware. The second campaign used Croatian and Czech language messages to disseminate a 4 kB batch file downloader for the FormBook (aka xLoader) malware.

The use of .TXZ files in phishing campaigns warrants taking proactive measures to prevent infections such as quarantining or blocking emails containing .TXZ attachments to mitigate potential risks, especially if such files are uncommon within their operational context. As always, user education and awareness programs are also fundamental to stopping malspam, phishing, and spear-phishing attacks from being successful.

What is the TZX File Extension Used For?

The .TZX file extension is associated with archives created using Tar and XZ utilities. These .TZX files serve as containers for one or more files that have been initially archived with Tar and then compressed using XZ compression. This format is known for its high compression ratio, making it suitable for efficiently storing and transferring large amounts of data. .TZX archives are commonly used in Unix-like operating systems for packaging software, backups, and distributing large datasets due to their efficient compression capabilities provided by the XZ utility. 

Decompressing .TZX files natively is not supported on standard Windows machines by default prior to Windows 11. Third-party applications like 7-Zip or WinRAR can be used to decompress TZX files on older Windows systems that lack native support.

Other File Extensions Commonly Used in Phishing Attacks

While the use of .TZX files in the recently observed campaigns were not part of English language phishing attacks, it's quite possible that the perpetrators could move onto target other demographics in the near future. Also, it's certainly worthwhile refreshing our employee and our own memory regarding the most commonly used file types used in social engineering attacks:

• Microsoft Office documents (.docx, .xlsx): Malicious Microsoft Word documents can contain malicious macros or embedded scripts that exploit vulnerabilities in the Microsoft applications themselves to execute malicious code, steal information, or install second stage malware or open spoofed web pages to socially engineer victims into providing their credentials.

• Shortcut files (.LNK): Shortcut files can execute malicious commands, launch malware stored elsewhere on the system, or open spoofed web pages for phishing attacks. For example CVE-2020-0729 is a vulnerability in Microsoft Windows that allows code execution via a malicious .LNK file.

• Icon (.ICO): .ICO files may be used to disguise executable files making them look like standard Office documents, when they are really custom malware payloads.  One click and the attacker's code is running on the victim's system.

• Compressed archives (.ZIP, .RAR): ZIP archives are frequently employed to compress and conceal malware-laden files in order to bypass firewalls or content filters. Once extracted, the archive files expose the contained executables, scripts, or documents designed to compromise the recipient's system. In other cases, vulnerabilities in the decompression application itself, such as the CVE-2023-38831 in WinRAR can give the attacker immediate code execution without needing the victim to execute the files inside the archive. 

• JavaScript (.js): JavaScript files can be attached or linked in phishing emails to exploit browser vulnerabilities or execute malicious actions on the victim's system. They can redirect users to malicious websites, steal credentials, or download and execute malware.

• HTML (.html): HTML files can contain malicious scripts or links that lead to phishing websites or initiate drive-by downloads. Phishing emails with HTML attachments may prompt users to click on embedded links or forms that steal sensitive information or install malware on their devices.

• PDF documents (.pdf): PDF files can be weaponized to contain embedded malicious links or scripts that exploit vulnerabilities in Adobe Reader or Acrobat to execute malware or redirect users to phishing websites.

• Executable Formats: Executable files are designed to directly execute system level commands. This makes them especially potent carriers of malware, often disguised as legitimate software in phishing emails, capable of installing trojans, ransomware, or other malicious programs. Some commonly leveraged executable file types include:

  • Batch scripts (.bat): Automate Windows system tasks, download and execute malware, modify settings, or delete files.

  • PowerShell scripts (.ps1): Automate administrative tasks, download malware, steal credentials, or perform other harmful actions.

  • Java archives (.jar): Packaged Java applications may deliver malicious Java applets or executables. 

  • Shell scripts (.sh): Automate Unix tasks, download and execute malware or unauthorized actions.

Conclusion

The emergence of malspam campaigns utilizing .TXZ file extensions underscores the ever evolving tactics used by hackers. Security analysts identified targeted campaigns deploying .TXZ attachments used to cloak .RAR archives in May, employing regional languages to distribute GuLoader and FormBook malware variants. While not yet pervasive, proactive measures such as quarantining or blocking .TXZ emails are prudent, especially for organizations that do not make use of this file type.

Understanding these tactics highlights the broader landscape of malicious attachments in malspam and phishing, where diverse file types like Office documents, JavaScript, and executable formats remain prevalent vectors for cyberattacks. Vigilance and robust security measures are crucial in safeguarding against evolving threats posed by malicious attachments.