A new variant of the Agent Tesla malware has been observed being delivered via a lure file in the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers.
“ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR,” G DATA malware analyst Anna Lvova said in a Monday analysis.
“That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has a major drawback: limited software support.”
First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that is offered to other threat actors as part of a malware-as-a-service (MaaS) model.
It is often used as a first-stage payload, providing remote access to a compromised system and used to download more sophisticated second-stage tools such as ransomware.
Agent Tesla is typically delivered via phishing emails, with recent campaigns leveraging a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882).
The latest attack chain begins with an email containing a ZPAQ file attachment that purports to be a PDF document. Opening it extracts a bloated .NET executable that is mostly padded with zero bytes to artificially inflate the sample size to 1 GB in an attempt to bypass traditional security measures.
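The zero-byte padding described above is something a defender can measure directly. The following is an added example, not code from G DATA or the article: it scans a file in chunks (so a 1 GB sample never has to be loaded into memory), reports the fraction of zero bytes and the length of the trailing zero run, and flags samples that are both large and almost entirely zeros. The size and ratio thresholds are assumptions chosen for illustration, and the sample file it builds is constructed test data.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so huge samples are never fully loaded


def zero_padding_stats(path, chunk=CHUNK):
    """Return (size, zero_fraction, trailing_zero_run) for the file at path."""
    size = os.path.getsize(path)
    zeros = 0
    trailing = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            zeros += buf.count(0)
            stripped = buf.rstrip(b"\x00")
            if not stripped:
                # whole chunk is zeros: the trailing run continues
                trailing += len(buf)
            else:
                # a non-zero byte appeared: the run restarts after it
                trailing = len(buf) - len(stripped)
    zero_fraction = zeros / size if size else 0.0
    return size, zero_fraction, trailing


def is_suspiciously_padded(path, min_size=100 * 1024 * 1024, min_zero_fraction=0.9):
    """Flag files that are both large and dominated by zero bytes.

    Thresholds are assumed values for illustration; tune them to your fleet.
    """
    size, zero_fraction, _ = zero_padding_stats(path)
    return size >= min_size and zero_fraction >= min_zero_fraction


def write_constructed_sample(payload, padding_len):
    """Write constructed test data: a payload followed by zero padding."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
        fh.write(b"\x00" * padding_len)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample(b"MZ" + bytes(range(1, 254)), 4096)
    print(zero_padding_stats(sample))
    print(is_suspiciously_padded(sample, min_size=4000))
    os.remove(sample)
```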
“The main function of the unarchived .NET executable is to download a file with a .wav extension and decrypt it,” Lvova explained. “Using commonly used file extensions disguises the traffic as normal, making it more difficult for network security solutions to detect and prevent malicious activity.”
The end goal of the attack is to infect the endpoint with Agent Tesla that’s obfuscated with .NET Reactor, a legitimate code protection software. Command-and-control (C2) communication is achieved via Telegram.
The development is a sign that threat actors are experimenting with uncommon file formats for malware delivery, necessitating that users be on the lookout for suspicious emails and keep their systems up-to-date.
“The usage of the ZPAQ compression format raises more questions than answers,” Lvova said. “The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software.”
Some parts of this article are sourced from:
thehackernews.com