New Variant of Agent Tesla Malware Incorporates ZPAQ Compression in Email-Based Assaults

A recent iteration of the Agent Tesla malware has been detected, employing a ZPAQ-compressed lure file to extract data from various email platforms and nearly 40 web browsers.

G Data’s malware analyst Anna Lvova highlighted ZPAQ’s advantages, stating, “ZPAQ offers superior compression and journaling compared to ZIP and RAR, resulting in smaller archives, saving storage and bandwidth. However, its major drawback lies in limited software support.”

Agent Tesla, a .NET-based keylogger and remote access trojan (RAT), emerged in 2014 as part of a malware-as-a-service model. It functions as an initial payload, granting remote access and facilitating the download of more sophisticated tools like ransomware.

Usually distributed via phishing emails, recent campaigns exploit a six-year-old memory corruption vulnerability in Microsoft Office (CVE-2017-11882). The latest attack starts with an email carrying a ZPAQ file posing as a PDF. Upon opening, it extracts a bloated .NET executable whose size has been artificially inflated to 1 GB to bypass security measures.

Lvova explained, “The unarchived .NET executable’s primary function is to download and decrypt a .wav file, camouflaging the traffic as normal to evade detection by network security solutions.” Ultimately, the goal is to infect the endpoint with obfuscated Agent Tesla using .NET Reactor, communicating via Telegram for command-and-control (C2).
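As an added defender-side example (not code from the G Data write-up or the article), a small Python triage routine that flags the two lure traits described above: an attachment named as a PDF whose bytes are actually a ZPAQ archive, and a PE whose size is inflated by a long run of trailing filler. The ZPAQ locator tag value is assumed from the libzpaq reference source, and the size and padding thresholds are assumptions to tune per environment.

```python
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF"
MZ_MAGIC = b"MZ"
# 13-byte locator tag that starts every ZPAQ block. Assumption: value taken
# from the libzpaq reference source; verify against your own ZPAQ samples.
ZPAQ_TAG = b"\x37\x6b\x53\x74\xa0\x31\x83\xd3\x8c\xb2\x28\xb0\xd3"


@dataclass
class Verdict:
    name: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def trailing_padding(data: bytes) -> int:
    """Length of the run of a single repeated byte value at the end of the file."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def triage_attachment(name: str, data: bytes,
                      min_size: int = 50 * 1024 * 1024,
                      pad_ratio: float = 0.9) -> Verdict:
    """Flag a fake PDF that is really a ZPAQ archive, and a PE inflated with filler."""
    v = Verdict(name)
    # Trait 1: the claimed type (.pdf) does not match the file's own header.
    if name.lower().endswith(".pdf") and not data.startswith(PDF_MAGIC):
        v.findings.append("extension_mismatch: .pdf name without %PDF header")
    if ZPAQ_TAG in data[:64]:
        v.findings.append("zpaq_archive: ZPAQ block locator tag found")
    # Trait 2: a large PE whose bulk is one repeated byte appended after the code.
    if data.startswith(MZ_MAGIC) and len(data) >= min_size:
        ratio = trailing_padding(data) / len(data)
        if ratio >= pad_ratio:
            v.findings.append(f"inflated_executable: {ratio:.0%} of file is trailing filler")
    return v


if __name__ == "__main__":
    # Constructed samples, not real malware: a ZPAQ header named as a PDF,
    # and a tiny "PE" padded with zeros (min_size lowered for the demo).
    lure = triage_attachment("invoice.pdf", ZPAQ_TAG + b"zPQ\x02\x01" + b"\x00" * 40)
    fat = triage_attachment("dropper.exe", b"MZ" + b"\x90" * 100 + b"\x00" * 9900, min_size=1000)
    for verdict in (lure, fat):
        print(verdict.name, "->", verdict.findings)
```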

This shift to ZPAQ signifies threat actors experimenting with uncommon file formats for malware delivery. Lvova emphasized the need for vigilance against suspicious emails and maintaining up-to-date systems.

“The use of ZPAQ raises intriguing questions,” Lvova stated. “It suggests targeting specific groups with technical knowledge or testing new techniques to evade security software.”

Source – https://thehackernews.com/
