New Agent Tesla Malware Variant Uses ZPAQ Compression in Email Attacks

Nov 21, 2023NewsroomMalware Tight / Data Privacy

ZPAQ Compression

A new variant of Agent Tesla The malware was observed to be delivered via a lure file with ZPAQ compression format to harvest data from many email clients and nearly 40 web browsers.

“ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats such as ZIP and RAR,” G Data malware analyst Anna Lvova SAYS in an analysis on Monday.

“That means ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has its biggest drawback: limited software support.”


First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET offered to other threat actors as part of the malware-as-a-service (MaaS) model.

It is often used as a first-stage payload, which provides remote access to a compromised system and is used to download more sophisticated second-stage tools such as ransomware.

Agent Tesla is typically delivered via phishing emails, with recent campaigns exploiting a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882).

Agent Tesla Malware

The latest attack chain begins with an email containing a ZPAQ file attachment masquerading as a PDF document, which opens to extract a bloated .NET executable that is typically packed with zero bytes to artificially increase the sample size to 1 GB in an effort to avoid the traditional. security measures.

“The main function of the unarchived .NET executable is to download a file with a .wav extension and decrypt it,” Lvova explained. “Using commonly used file extensions disguises traffic as normal, making it difficult for network security solutions to detect and prevent malicious activity.”


The ultimate goal of the attack is to infect the endpoint with Agent Tesla being hidden .NET Reactor, a legitimate code protection software. Command-and-control (C2) communications are done through Telegram.

The development is a sign that threat actors are experimenting with unusual file formats for delivering malware, so users should be on the lookout for suspicious emails and keep their systems up to date. -o.

“Using the ZPAQ compression format raises more questions than answers,” Lvova said. “The assumptions here are that the threat actors are targeting a specific group of people with technical knowledge or using less known archive tools, or they are trying other methods to facilitate the spread of malware and bypass security software.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment