A new variant of the Agent Tesla malware has been discovered [1] [2] [3] [4] [5] [6] [7], delivered through a lure file packaged in the ZPAQ compression format [2] [3] [4] [5] [6] [7]. Agent Tesla itself is a keylogger and remote access trojan (RAT) that gives its operators remote control of compromised systems [7]; this variant specifically targets email clients and web browsers to harvest stored credentials and other data.

Description

The latest attack chain begins with an email attachment that purports to be a PDF document but is in fact a ZPAQ archive [7]. Opening it extracts a .NET executable that has been bloated with zero-byte padding, a common trick for getting past scanners that enforce file-size limits or skip very large files [3]. The executable's main job is to download a file carrying a .wav extension and decrypt it [5], the innocuous extension presumably chosen so the download looks unremarkable. The decrypted payload is Agent Tesla [3] [5] [7], obfuscated with .NET Reactor [3] [5] [7], a legitimate commercial code-protection product [2] [5]. Command-and-control communications are conducted through Telegram [2] [3].

The choice of ZPAQ is notable: the format has little mainstream support, and its appearance here suggests the threat actors may be experimenting with uncommon archive formats for malware delivery [7]. The familiar guidance still applies: treat unexpected attachments with suspicion and keep systems patched.

The malware collects data from various email clients and nearly 40 web browsers [4] [5] [6], making it a significant threat. ZPAQ offers a better compression ratio and journaling (incremental, append-only archive updates) compared to popular formats like ZIP and RAR [1] [3] [4] [6]. Its main drawback is limited software support [1] [2] [3] [6]: a recipient needs a dedicated tool to open the archive at all. That may mean the threat actors are targeting a specific group with the technical knowledge to handle it, or are counting on the obscure format to slip past security software that does not inspect ZPAQ content [6].
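The delivery chain above gives a mail gateway or sandbox three cheap static checks: the lure is named as a PDF but is a ZPAQ archive, the extracted executable is mostly zero-byte padding, and the second-stage download carries a .wav name without being audio. The following script is an added example written for this page, not code from the article or from any of the cited sources. The ZPAQ block locator tag and "zPQ" marker are taken from the ZPAQ Level 2 specification; the PDF, PE and RIFF/WAVE signatures are the standard ones. The size and NUL-ratio thresholds and all sample inputs are constructed for illustration and are not values from the reports.

```python
"""Static triage for the Agent Tesla ZPAQ delivery chain: identify attachments by
content rather than extension, and flag executables bloated with NUL padding.
Added example for this page; not code from the article or from any cited vendor."""
import os

# Magic values. The ZPAQ block locator tag ("7kSt" plus nine bytes) followed by
# "zPQ" comes from the ZPAQ Level 2 specification; the others are standard.
ZPAQ_LOCATOR = b"\x37\x6b\x53\x74\xa0\x31\x83\xd3\x8c\xb2\x28\xb0\xd3"
ZPAQ_TAG = b"zPQ"
PDF_MAGIC = b"%PDF"
MZ_MAGIC = b"MZ"

# What each extension promises; any other extension is not checked.
EXPECTED_BY_EXT = {".pdf": "pdf", ".zpaq": "zpaq", ".exe": "pe",
                   ".dll": "pe", ".wav": "wav"}


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever name it carries."""
    if data.startswith(ZPAQ_LOCATOR) and data[13:16] == ZPAQ_TAG:
        return "zpaq"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":
        return "wav"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises one format and the content is another."""
    expected = EXPECTED_BY_EXT.get(os.path.splitext(name)[1].lower())
    return expected is not None and expected != identify(data)


def zero_padding_stats(data: bytes) -> tuple[float, int]:
    """Return (fraction of NUL bytes, length of the trailing NUL run)."""
    if not data:
        return 0.0, 0
    trailing = len(data) - len(data.rstrip(b"\x00"))
    return data.count(0) / len(data), trailing


def is_bloated_pe(data: bytes, min_size: int = 1_000_000,
                  min_zero_ratio: float = 0.9) -> bool:
    """Flag a PE whose bulk is NUL padding (file-size-limit evasion).
    Both thresholds are assumptions chosen for this example."""
    if identify(data) != "pe" or len(data) < min_size:
        return False
    ratio, _trailing = zero_padding_stats(data)
    return ratio >= min_zero_ratio


def triage(name: str, data: bytes) -> list[str]:
    """Run every check on one attachment or extracted file and list the hits."""
    findings = []
    kind = identify(data)
    if extension_mismatch(name, data):
        findings.append(f"extension/content mismatch: {name} is {kind}")
    if kind == "zpaq":
        findings.append("ZPAQ archive: uncommon format, confirm it is expected")
    if is_bloated_pe(data):
        ratio, trailing = zero_padding_stats(data)
        findings.append(f"bloated PE: {ratio:.1%} NUL bytes, {trailing} trailing")
    return findings


# Constructed samples (not real malware), each as (content, file name): a ZPAQ
# block header named as a PDF, a PE stub padded with 2 MB of NULs, a non-audio
# blob named .wav, and a harmless PDF that should produce no findings.
LURE_ZPAQ = (ZPAQ_LOCATOR + ZPAQ_TAG + b"\x02\x01" + b"\x00" * 64, "Invoice.pdf")
BLOATED_PE = (MZ_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\xcc" * 512
              + b"\x00" * 2_000_000, "payload.exe")
FAKE_WAV = (b"\x8f\x1c\x2a" * 16, "track.wav")
CLEAN_PDF = (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n", "report.pdf")

if __name__ == "__main__":
    for data, name in (LURE_ZPAQ, BLOATED_PE, FAKE_WAV, CLEAN_PDF):
        print(name, triage(name, data) or ["no findings"])
```

The content check is the important one: a gateway rule keyed on the ".zpaq" extension would never see the lure, because it was named as a PDF. Archive contents still have to be extracted (with a ZPAQ-aware tool) before the PE checks can run on what is inside.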

Agent Tesla is sold under a malware-as-a-service model [2], and recent campaigns have also exploited a memory corruption vulnerability in Microsoft Office's Equation Editor [2]. The ZPAQ lure fits a broader trend of using unconventional file formats for malware delivery [2].

Conclusion

This new variant of Agent Tesla is a significant threat because it harvests data from email clients and web browsers, and its use of the ZPAQ format suggests the threat actors are experimenting with uncommon file formats for delivery [7]. Users should treat unexpected attachments with suspicion and keep their systems up to date. Defenders with no business need for ZPAQ can block or quarantine such attachments at the mail gateway, and should identify attachments by content rather than by extension, since the lure here carried a PDF name. The shift toward unconventional archive formats is a development that requires ongoing vigilance and mitigation.

References

[1] https://cert.bournemouth.ac.uk/new-agent-tesla-variant-unusual-zpaq-archive-format-delivers-malware/
[2] https://www.varutra.com/ctp/threatpost/postDetails/Latest-Agent-Tesla-Malware-Iteration-Employing-ZPAQ-Compression-in-Email-Based-Assaults/SDNCaW95eEJPZzZBQ0VvbHVOZVovUT09
[3] https://www.redpacketsecurity.com/new-agent-tesla-malware-variant-using-zpaq-compression-in-email-attacks/
[4] https://cyber.vumetric.com/security-news/2023/11/21/new-agent-tesla-malware-variant-using-zpaq-compression-in-email-attacks/
[5] https://ciso2ciso.com/new-agent-tesla-malware-variant-using-zpaq-compression-in-email-attacks-sourcethehackernews-com/
[6] https://jn66dataanalytics.com/news/new-agent-tesla-malware-variant-using-zpaq-compression-in-email-attacks-the-hacker-news
[7] https://thehackernews.com/2023/11/new-agent-tesla-malware-variant-using.html