Nov 21, 2023 | Newsroom | Malware Threat / Data Privacy

A new variant of the Agent Tesla malware has been observed being delivered via a lure file in the ZPAQ compression format to harvest data from several e-mail clients and almost 40 web browsers.

"ZPAQ is a file compression format that offers a better compression ratio and a journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis. "That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest downside: limited software support."

First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that's offered to other threat actors as part of a malware-as-a-service (MaaS) model.
It's often used as a first-stage payload, providing remote access to a compromised system and then used to download more sophisticated second-stage tools such as ransomware.

Agent Tesla is typically delivered via phishing e-mails, with recent campaigns leveraging a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882).

The latest attack chain starts with an e-mail containing a ZPAQ file attachment that purports to be a PDF document. Opening it extracts a bloated .NET executable that is mostly padded with zero bytes to artificially inflate the sample size to 1 GB, in an effort to bypass standard security measures that do not scan oversized files.

"The primary function of the unarchived .NET executable is to download a file with .wav extension and decrypt it," Lvova explained. "Using commonly used file extensions disguises the traffic as normal, making it harder for network security solutions to detect and prevent malicious activity."
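The two evasion tricks above, the null-padded executable and the second-stage payload hiding behind a .wav extension, are both cheap to check for on the defender side. The following Python triage routine is an added example written for this page; it is not code from the G Data report or from the article. Its thresholds (`NULL_RATIO_THRESHOLD`, `SCANNER_SIZE_LIMIT`), the scanner-skip model and every sample byte string are constructed assumptions; the RIFF/WAVE and MZ header checks are standard format facts.

```python
"""Added defender-side triage example (not code from the G Data report).

It checks for the two evasion tricks described in the article:
  1. a PE/.NET executable inflated with trailing 0x00 padding so that it
     exceeds the per-file size limit many scanners apply, and
  2. a downloaded payload whose ".wav" extension does not match its content.
All sample inputs are constructed; thresholds are illustrative assumptions."""
import hashlib
import os
from dataclasses import dataclass

NULL_RATIO_THRESHOLD = 0.90            # assumed: flag if >= 90% of bytes are 0x00
SCANNER_SIZE_LIMIT = 50 * 1024 * 1024  # assumed: typical per-file scan cap


@dataclass
class Verdict:
    name: str
    size: int
    effective_size: int       # size after trailing null padding is stripped
    null_ratio: float
    is_pe: bool
    extension_mismatch: bool
    effective_sha256: str     # hash of the unpadded bytes, stable across pad sizes

    @property
    def suspicious(self) -> bool:
        padded_pe = self.is_pe and self.null_ratio >= NULL_RATIO_THRESHOLD
        return self.extension_mismatch or padded_pe


def effective_length(data: bytes) -> int:
    """Length of the sample once trailing 0x00 bytes are removed."""
    return len(data.rstrip(b"\x00"))


def looks_like_wav(data: bytes) -> bool:
    """A real WAV file is a RIFF container whose form type is 'WAVE'."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def looks_like_pe(data: bytes) -> bool:
    """Windows executables (including .NET assemblies) start with 'MZ'."""
    return data[:2] == b"MZ"


def triage(name: str, data: bytes) -> Verdict:
    """Compute padding ratio, header/extension consistency and an unpadded hash."""
    eff = effective_length(data)
    ratio = data.count(0) / len(data) if data else 0.0
    ext = os.path.splitext(name)[1].lower()
    return Verdict(
        name=name,
        size=len(data),
        effective_size=eff,
        null_ratio=ratio,
        is_pe=looks_like_pe(data),
        extension_mismatch=(ext == ".wav" and not looks_like_wav(data)),
        effective_sha256=hashlib.sha256(data[:eff]).hexdigest(),
    )


def would_scanner_skip(size: int) -> bool:
    """Model of a scanner that skips oversize files; padding to 1 GB targets exactly this."""
    return size > SCANNER_SIZE_LIMIT


# --- constructed samples (not real malware) ---
PE_STUB = b"MZ" + b"\x90" * 200                  # stand-in for a small executable
PADDED_PE = PE_STUB + b"\x00" * 20_000           # same stub, inflated with nulls
PADDED_PE_VARIANT = PE_STUB + b"\x00" * 5        # different pad size, same payload
REAL_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVE" + b"fmt " + b"\x00" * 28
FAKE_WAV = b"\x01\x02\x03" + b"not audio at all"  # payload hiding behind .wav


def triage_samples() -> dict:
    return {
        "padded.exe": triage("padded.exe", PADDED_PE),
        "variant.exe": triage("variant.exe", PADDED_PE_VARIANT),
        "tone.wav": triage("tone.wav", REAL_WAV),
        "update.wav": triage("update.wav", FAKE_WAV),
    }


if __name__ == "__main__":
    for v in triage_samples().values():
        print(f"{v.name:12} size={v.size:>6} eff={v.effective_size:>4} "
              f"nulls={v.null_ratio:.2f} pe={v.is_pe} "
              f"wav_mismatch={v.extension_mismatch} suspicious={v.suspicious}")
```

Two design points are worth noting. Hashing only the unpadded bytes (`effective_sha256`) means two samples that differ solely in how much zero padding was appended still produce the same indicator, whereas a whole-file hash changes with every pad size. And a scanner that honours a size cap should treat "too big to scan" as a finding to escalate rather than a reason to pass the file through silently.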
The end goal of the attack is to infect the endpoint with Agent Tesla that's obfuscated with .NET Reactor, a legitimate code protection software. Command-and-control (C2) communications are achieved via Telegram.

The development is a sign that threat actors are experimenting with unusual file formats for malware delivery, making it necessary for users to be on the lookout for suspicious e-mails and keep their systems up to date.

"The usage of the ZPAQ compression format raises more questions than answers," Lvova said. "The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software."