Originally emerging in 2014, Agent Tesla functions as a keylogger and remote access trojan, accessible through a malware-as-a-service model. Photo: AFP / NICOLAS ASFOURI

The cybersecurity landscape is witnessing the emergence of a novel variant of the notorious Agent Tesla malware.

This latest iteration has been seen using an unusual delivery tactic: it relies on the ZPAQ compression format to smuggle in a payload that steals sensitive data from various email clients and nearly 40 web browsers.

G Data's malware analyst, Anna Lvova, shed light on the utilisation of ZPAQ, emphasising its advantages and shortcomings. While ZPAQ boasts superior compression ratios and a journaling function compared to conventional formats like ZIP and RAR, its Achilles' heel lies in limited software support.

Agent Tesla, initially surfacing in 2014, operates as a keylogger and remote access trojan (RAT) developed in .NET. This malware, offered within the malware-as-a-service (MaaS) framework, serves as an initial stage payload, granting remote entry to compromised systems and facilitating the download of more sophisticated tools, such as ransomware.

Traditionally disseminated through phishing emails, recent campaigns have exploited a long-standing memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882). The latest campaign, however, takes a different route.

It commences with an email attachment that poses as a PDF document but is in fact a ZPAQ archive. Once opened, the archive unpacks a bloated .NET executable, artificially inflated to 1 GB with zero bytes. The padding is intended to defeat conventional security tools, which often skip or truncate scans of files above a size limit.

Lvova elucidated the process: the extracted .NET executable's primary function is to download and decrypt a file that carries a .wav extension. The disguise makes the download look like innocuous media traffic, helping it evade network security solutions.
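The two disguises described so far (a ZPAQ archive named as a PDF, a 1 GB zero-padded executable, and an encrypted blob named as a .wav) can all be caught by checking declared type against content. The following triage script is an added example, not G Data's tooling; its thresholds and sample bytes are constructed for illustration.

```python
import os

# Leading-byte signatures for the extensions this lure chain abuses.
# ZPAQ blocks start with "7kSt"; a real WAV is a RIFF container tagged "WAVE".
SIGNATURES = {
    "pdf":  lambda d: d.startswith(b"%PDF-"),
    "zpaq": lambda d: d.startswith(b"7kSt"),
    "exe":  lambda d: d.startswith(b"MZ"),
    "wav":  lambda d: d[:4] == b"RIFF" and d[8:12] == b"WAVE",
}

def extension_lies(name: str, data: bytes) -> bool:
    """True when the extension claims a type whose magic bytes are absent."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    check = SIGNATURES.get(ext)
    return check is not None and not check(data)

def looks_like(data: bytes) -> str:
    """Best-effort real type from the signature table, or 'unknown'."""
    for kind, check in SIGNATURES.items():
        if check(data):
            return kind
    return "unknown"

def trailing_zero_ratio(data: bytes) -> float:
    """Fraction of the file taken up by its final run of 0x00 bytes."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)

def is_inflated_pe(data: bytes, min_size: int = 100 * 2**20, min_ratio: float = 0.9) -> bool:
    """Flag an MZ file whose bulk is zero padding (the 1 GB trick).
    min_size is a constructed threshold; tune it to your environment."""
    return (data.startswith(b"MZ") and len(data) >= min_size
            and trailing_zero_ratio(data) >= min_ratio)

def triage(name: str, data: bytes, **kw) -> list:
    """Return the indicators that fired for one file."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    findings = []
    if extension_lies(name, data):
        findings.append(f"extension .{ext} but content looks like {looks_like(data)}")
    if is_inflated_pe(data, **kw):
        findings.append(f"PE padded with zeros ({trailing_zero_ratio(data):.0%})")
    return findings

if __name__ == "__main__":
    # Constructed samples standing in for the three stages of the lure.
    lure = b"7kSt\xa0" + b"\x00" * 60                # "invoice.pdf" that is a zpaq block
    padded = b"MZ" + b"\x90" * 98 + b"\x00" * 9900   # small stand-in for the 1 GB executable
    blob = bytes(range(256))                         # "payload.wav" without a RIFF header
    for n, d in [("invoice.pdf", lure), ("stage.exe", padded), ("payload.wav", blob)]:
        print(n, triage(n, d, min_size=1024))
```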

The ultimate objective of this assault is to implant Agent Tesla onto the endpoint, obfuscated with .NET Reactor, a legitimate code protection software. Communication between the compromised system and the command-and-control (C2) centre is established via the encrypted messaging platform, Telegram.

This development shows threat actors experimenting with unconventional file formats for malware dissemination, and underscores the need for users to remain vigilant against suspicious emails and to keep their systems updated.

Lvova expressed concerns about the implications of utilising the ZPAQ compression format, positing two potential motives: either targeting a specific cohort with technical expertise or exploring alternative techniques to expedite malware proliferation and outmanoeuvre security software.

Beyond ZPAQ's compression advantages and the challenges posed by its limited software support, it is worth noting the practical difficulties users face when working with the format.

While there are GUI unpackers such as PeaZip available to support ZPAQ, the primary method of extraction relies on a command-line tool. This aspect can significantly impede ease of use, particularly for individuals lacking technical expertise.

Moreover, in a recent cyber onslaught, the Welsh company Owens Group faced a devastating breach, resulting in the exposure of its sensitive data on Lockbit's clandestine domain on the 'dark web'.