New Agent Tesla Malware Variant Uses ZPAQ Compression in Email Attacks

admin, 2023-11-22 14:09:39

A new variant of the Agent Tesla malware has been observed being delivered via a lure file in the ZPAQ compression format, with the goal of harvesting data from several email clients and nearly 40 web browsers.

"ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.

"That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest disadvantage: limited software support."

First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that's offered to other threat actors as part of a malware-as-a-service (MaaS) model.

It's often used as a first-stage payload, providing remote access to a compromised system and utilized to download more sophisticated second-stage tools such as ransomware.

Agent Tesla is typically delivered via phishing emails, with recent campaigns leveraging a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882).

The latest attack chain begins with an email carrying a ZPAQ attachment that purports to be a PDF document. Opening it extracts a bloated .NET executable that is mostly padded with zero bytes, artificially inflating the sample to 1 GB in an effort to bypass traditional security measures such as scanners with file-size limits.
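The padding trick described above is easy to detect on the defender's side: a legitimate binary is almost never dominated by null bytes. The following scanner is an added example (not code from the article or from G Data) that streams a file in chunks, measures the overall null-byte ratio and the length of the trailing null run, and flags oversized, mostly-empty files; the 50 MiB and 90 % thresholds are assumed starting points, not values taken from the article.

```python
"""Heuristic detector for "bloated" executables padded with null bytes.

Added example for illustration; thresholds are assumptions, not figures
from the G Data analysis. Sample data below is constructed, not a real sample.
"""
import io

CHUNK = 1 << 20  # 1 MiB chunks, so a 1 GB file is never read into memory at once


def null_byte_stats(stream) -> tuple[int, int, int]:
    """Return (total_bytes, null_bytes, trailing_null_run) for a binary stream."""
    total = nulls = trailing = 0
    while chunk := stream.read(CHUNK):
        total += len(chunk)
        nulls += chunk.count(0)                       # bytes.count(0) counts NUL bytes
        run = len(chunk) - len(chunk.rstrip(b"\x00"))  # NULs at the end of this chunk
        # an all-zero chunk extends the run carried over; anything else restarts it
        trailing = trailing + run if run == len(chunk) else run
    return total, nulls, trailing


def is_bloated(stream, min_size: int = 50 << 20, null_ratio: float = 0.9) -> bool:
    """Flag a stream that is at least min_size bytes and mostly null bytes."""
    total, nulls, _ = null_byte_stats(stream)
    return total >= min_size and nulls / total >= null_ratio


def scan_file(path: str, **thresholds) -> bool:
    """Convenience wrapper: run the bloat check over a file on disk."""
    with open(path, "rb") as fh:
        return is_bloated(fh, **thresholds)


def stats_of(data: bytes) -> tuple[int, int, int]:
    """In-memory variant, handy for tests and for attachments already unpacked."""
    return null_byte_stats(io.BytesIO(data))


def bloated_bytes(data: bytes, **thresholds) -> bool:
    return is_bloated(io.BytesIO(data), **thresholds)


# Constructed sample: an "MZ" stub with varied content, then 2 MiB of NUL padding.
STUB = b"MZ" + bytes(range(256)) * 64          # 16,386 bytes, only 64 of them NUL
PADDED_SAMPLE = STUB + b"\x00" * (2 << 20)     # the kind of file-bloating the article describes

if __name__ == "__main__":
    total, nulls, trailing = stats_of(PADDED_SAMPLE)
    print(f"size={total} nulls={nulls} ({nulls / total:.1%}) trailing_run={trailing}")
    print("bloated:", bloated_bytes(PADDED_SAMPLE, min_size=1 << 20))
```

On real mail-gateway traffic the check pairs well with a size cap: a 1 GB executable that is 99 % zeros is worth quarantining regardless of what the first few kilobytes look like.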

"The main function of the unarchived .NET executable is to download a file with .wav extension and decrypt it," Lvova explained. "Using commonly used file extensions disguises the traffic as normal, making it more difficult for network security solutions to detect and prevent malicious activity."

The end goal of the attack is to infect the endpoint with Agent Tesla obfuscated with .NET Reactor, a legitimate code protection product. Command-and-control (C2) communication is carried out via Telegram.

The development is a sign that threat actors are experimenting with uncommon file formats for malware delivery, necessitating that users be on the lookout for suspicious emails and keep their systems up-to-date.

"The usage of the ZPAQ compression format raises more questions than answers," Lvova said. "The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software."

Originally published by the WeChat official account 知机安全: New Agent Tesla Malware Variant Uses ZPAQ Compression in Email Attacks

Published by admin on 2023-11-22 14:09:39. Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2228791.html