A new iteration of the Agent Tesla malware has surfaced, employing a novel approach by utilizing the ZPAQ compression format in its latest attack strategy. This method involves the delivery of the malware through a lure file, masked as a ZPAQ-compressed PDF document, aiming to harvest data from numerous email clients and nearly 40 web browsers.
G Data malware analyst Anna Lvova underscores the advantages of ZPAQ, such as a superior compression ratio and journaling function, but notes its drawback of limited software support. This innovative attack chain begins with an email attachment, extracting a bloated .NET executable upon opening, designed to bypass traditional security measures by inflating the sample size to 1 GB.
Agent Tesla, a keylogger and remote access trojan offered as part of a malware-as-a-service model, first emerged in 2014 and is commonly employed as a first-stage payload. Typically distributed through phishing emails, recent campaigns exploit a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor.
Lvova explains that the primary function of the unarchived .NET executable is to download and decrypt a file with a .wav extension, utilizing common file extensions to disguise the traffic and complicate detection by network security solutions.
The ultimate goal of this sophisticated attack is to infect the endpoint with Agent Tesla, obfuscated with .NET Reactor, a legitimate code protection software, with command-and-control communications established via Telegram.
This development signifies a shift in the tactics of threat actors, as they experiment with unconventional file formats for malware delivery, emphasizing the need for heightened user awareness and system maintenance.
Lvova suggests that the use of the ZPAQ compression format raises questions about whether threat actors are targeting a specific group with technical knowledge or testing alternative techniques to spread malware efficiently while evading security software. The evolving landscape of cyber threats underscores the importance of users remaining vigilant and keeping their systems updated to thwart emerging and unconventional tactics.
