A new variant of the Agent Tesla malware has been observed being delivered via a lure file in the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers.
“ZPAQ is a file compression format that offers a better compression ratio and a journaling function compared to widely used formats like ZIP and RAR,” G DATA malware analyst Anna Lvova said in a Monday analysis.
“That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has one major disadvantage: limited software support.”
First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that is offered to other threat actors as part of a malware-as-a-service (MaaS) model.
It is often used as a first-stage payload, providing remote access to a compromised system and then being used to download more sophisticated second-stage tools such as ransomware.
Agent Tesla is typically delivered via phishing emails, with recent campaigns leveraging a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882).
The latest attack chain starts with an email containing a ZPAQ file attachment that purports to be a PDF document. Opening it extracts a bloated .NET executable that is mostly padded with zero bytes to artificially inflate the sample size to 1 GB, in an effort to bypass traditional security measures.
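Two of the tricks described above are cheap to check for on the mail gateway or in a sandbox: an attachment whose name claims one format while its bytes say another, and a file inflated with long runs of zero bytes. The following script is an added example, not code from G DATA or the article; the sample inputs are constructed, the ZPAQ block locator tag is taken from my reading of the ZPAQ specification and should be verified against it, and the 90 % / 1 MB thresholds are assumptions to tune for your environment.

```python
"""
Attachment triage: flag extension/content mismatches and zero-byte padding.
All sample data below is constructed for illustration only.
"""
import os

PDF_MAGIC = b"%PDF-"
# Windows PE files start with the DOS header signature "MZ".
PE_MAGIC = b"MZ"
# ZPAQ block locator tag (13 bytes) as given in the ZPAQ level 1/2 spec.
# Assumption: verify against the specification before relying on it.
ZPAQ_TAG = bytes.fromhex("376b5374a03183d38cb228b0d3")


def identify(data: bytes) -> str:
    """Return a coarse content type from leading bytes, ignoring the filename."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    # The ZPAQ tag may be preceded by a short stub, so search the head of the file.
    if ZPAQ_TAG in data[:4096]:
        return "zpaq"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def zero_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00; padded samples score close to 1.0."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def assess(filename: str, data: bytes,
           zero_threshold: float = 0.9, min_size: int = 1_000_000) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    kind = identify(data)
    ext = os.path.splitext(filename)[1].lower()

    # A "PDF" lure whose content is an archive or an executable.
    if ext == ".pdf" and kind != "pdf":
        findings.append(f"extension mismatch: named .pdf but content is {kind}")

    # ZPAQ is rarely used in legitimate mail flows; worth a second look.
    if ext == ".zpaq" or kind == "zpaq":
        findings.append("uncommon archive format (zpaq) in attachment")

    # Large file that is overwhelmingly zero bytes: classic size inflation.
    ratio = zero_ratio(data)
    if len(data) >= min_size and ratio >= zero_threshold:
        findings.append(f"zero-byte padding: {ratio:.1%} of {len(data)} bytes")

    return findings


# Constructed samples: a benign PDF, a ZPAQ archive posing as a PDF,
# and a padded "executable" (not real malware, just a header plus filler).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n% constructed minimal PDF body\n",
    "invoice.pdf.zpaq": ZPAQ_TAG + b"\x01" + b"\x00" * 64,
    "loader.exe": PE_MAGIC + b"\x90" * 2048 + b"\x00" * 2_000_000,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", assess(name, blob) or ["clean"])
```

In production the padding check would stream the file in chunks rather than read a 1 GB attachment into memory, and the thresholds belong in configuration; the point of the example is that a scanner which refuses to look at oversized files is exactly what the padding is betting on, and a byte histogram is a far cheaper check than a full scan.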
“The main function of the unarchived .NET executable is to download a file with the .wav extension and decrypt it,” Lvova explained. “Using commonly used file extensions disguises the traffic as normal, making it harder for network security solutions to detect and prevent malicious activity.”
The end goal of the attack is to infect the endpoint with Agent Tesla that has been obfuscated with .NET Reactor, a legitimate code protection product. Command-and-control (C2) communication is carried out via Telegram.
The development is a sign that threat actors are experimenting with uncommon file formats for malware delivery, which means users need to be on the lookout for suspicious emails and keep their systems up to date.
“The usage of the ZPAQ compression format raises more questions than answers,” Lvova said. “The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software.”