New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

Cyber Security Threat Summary:
A new variant of the Agent Tesla malware has been identified that uses a lure file in the ZPAQ compression format to deliver a payload that harvests data from multiple email clients and nearly 40 web browsers. ZPAQ, known for its superior compression ratio and journaling function, offers efficient file transfers but has limited software support. Agent Tesla, a keylogger and remote access trojan, is distributed via phishing emails, often exploiting vulnerabilities such as the six-year-old CVE-2017-11882 in Microsoft Office's Equation Editor. In this latest attack, a ZPAQ-archived email attachment posing as a PDF contains a bloated .NET executable, its size inflated in an attempt to bypass security measures. The executable downloads and decrypts a file with a .wav extension, ultimately infecting the endpoint with an obfuscated Agent Tesla payload that uses Telegram for command-and-control communication.
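The delivery chain above gives a defender several cheap triage signals: an attachment in an archive format mail gateways rarely unpack (ZPAQ), a document-style name ending in a non-document extension, a payload whose header does not match its declared extension or MIME type (a "PDF" that starts with an MZ header, a ".wav" that is not RIFF audio), and an executable far larger than a normal dropper. The script below is an added example, not code from the original report or from any vendor, that scores constructed sample files against those signals. The `%PDF`, `RIFF` and `MZ` headers are well known; the `zPQ` ZPAQ block-header marker and the 50 MiB "bloated" threshold are assumptions and should be verified against the zpaq specification and your own baseline before use.

```python
"""Triage email attachments and downloaded stage-2 files for the delivery-chain
signals described above (added example; sample inputs are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Expected leading bytes per extension. %PDF, RIFF and MZ are standard;
# "zPQ" is an ASSUMED marker taken from the zpaq block-header description.
EXPECTED_MAGIC = {
    "pdf": b"%PDF",
    "wav": b"RIFF",
    "exe": b"MZ",
    "zpaq": b"zPQ",
}
PE_MAGIC = b"MZ"
BLOAT_THRESHOLD = 50 * 1024 * 1024  # ASSUMED: executables above 50 MiB count as "bloated"


@dataclass(frozen=True)
class FileSample:
    filename: str
    declared_type: str  # MIME type from the mail part or HTTP response
    head: bytes         # first bytes of the payload body
    size: int           # total size in bytes


def triage(sample: FileSample) -> List[str]:
    """Return the list of signals raised by one attachment or downloaded file."""
    findings: List[str] = []
    parts = sample.filename.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    last = exts[-1] if exts else ""

    # ZPAQ is rarely handled by mail scanners, so its presence alone is worth a flag.
    if last == "zpaq" or sample.head.startswith(EXPECTED_MAGIC["zpaq"]):
        findings.append("zpaq-archive")

    # "invoice.pdf.zpaq" / "invoice.pdf.exe": document name, non-document final extension.
    if len(exts) >= 2 and "pdf" in exts[:-1] and last in ("zpaq", "exe", "scr", "bat"):
        findings.append("double-extension-pdf-lure")

    # Declared extension (or declared PDF MIME type) versus the actual header.
    expected = EXPECTED_MAGIC.get(last)
    if expected is None and sample.declared_type == "application/pdf":
        expected = EXPECTED_MAGIC["pdf"]
    if expected is not None and not sample.head.startswith(expected):
        findings.append(f"content-mismatch:{last or sample.declared_type}")

    # Any PE executable is notable; an inflated one matches the padded-dropper trick.
    if sample.head.startswith(PE_MAGIC):
        findings.append("pe-executable")
        if sample.size >= BLOAT_THRESHOLD:
            findings.append("bloated-executable")
    return findings


# Constructed samples: one ZPAQ lure, one padded PE masquerading as a PDF,
# one fake ".wav" second stage, and one genuine PDF as a control.
SAMPLES = [
    FileSample("Invoice_2023.pdf.zpaq", "application/octet-stream", b"zPQ\x01\x01\x00", 1_200),
    FileSample("Invoice.pdf", "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00", 70 * 1024 * 1024),
    FileSample("stage2.wav", "audio/wav", b"\x7f\x03\xa1\x5c\x10\x00", 300_000),
    FileSample("quarterly.pdf", "application/pdf", b"%PDF-1.7\n", 200_000),
]


def triage_all(samples=SAMPLES) -> Dict[str, List[str]]:
    """Map each sample's filename to its triage findings."""
    return {s.filename: triage(s) for s in samples}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(f"{name:24s} {', '.join(hits) or 'clean'}")
```

Feed `FileSample` objects built from real mail parts or proxy logs into `triage`; the header check is deliberately based on the first bytes only, so it works on a streamed download before the whole file has been fetched.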

Security Officer Comments:
Agent Tesla is a notorious keylogger and remote access trojan (RAT) that first emerged in 2014. It is written in .NET and operates on a malware-as-a-service (MaaS) model, meaning that cybercriminals can purchase or rent the malware to carry out various malicious activities. The MaaS model allows even less technically skilled attackers to use sophisticated malware for their purposes.