New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
22.11.23  Virus  The Hacker News

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers.

"ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.

"That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest disadvantage: limited software support."

First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that's offered to other threat actors as part of a malware-as-a-service (MaaS) model.

It's often used as a first-stage payload, providing remote access to a compromised system and utilized to download more sophisticated second-stage tools such as ransomware.

Agent Tesla is typically delivered via phishing emails, with recent campaigns leveraging a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882).


The latest attack chain begins with an email containing a ZPAQ file attachment that purports to be a PDF document, opening which extracts a bloated .NET executable that's mostly padded with zero bytes to artificially inflate the sample size to 1 GB in an effort to bypass traditional security measures.

"The main function of the unarchived .NET executable is to download a file with .wav extension and decrypt it," Lvova explained. "Using commonly used file extensions disguises the traffic as normal, making it more difficult for network security solutions to detect and prevent malicious activity."

The end goal of the attack is to infect the endpoint with Agent Teslathat's obfuscated with .NET Reactor, a legitimate code protection software. Command-and-control (C2) communications is accomplished via Telegram.

The development is a sign that threat actors are experimenting with uncommon file formats for malware delivery, necessitating that users be on the lookout for suspicious emails and keep their systems up-to-date.

"The usage of the ZPAQ compression format raises more questions than answers," Lvova said. "The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software."