A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why is this version of Agent Tesla assumed to be "new"?
ZPAQ compression format and what it hides
On November 1, 2023, researcher Xavier Mertens reported a phishing attempt on one of his honeypots. What’s noteworthy is that a threat actor used the ZPAQ archive and .wav file extension to infect the system with Agent Tesla.
ZPAQ is a file compression format that offers a better compression ratio and a journaling function compared to widely used formats like ZIP and RAR. That means ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has one major disadvantage: limited software support. A few GUI unpackers, for example PeaZip, can open this format, but ZPAQ archives are primarily extracted with a command-line tool, which is not easy to work with, especially for users without technical expertise.
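Because the lure relied on a .wav extension hiding a ZPAQ archive, a defender's check should trust the file header rather than the name. The following Python snippet is an added example, not code from the original article or from the researcher's report: it identifies ZPAQ content by the magic bytes defined in the ZPAQ specification (the 13-byte locator tag and the "zPQ" block header) and flags a .wav file whose bytes are actually ZPAQ. The sample headers are constructed, not real malware.

```python
import os

# Magic bytes from the ZPAQ specification (also in libmagic): a journaling
# archive starts with the 13-byte locator tag, a bare streaming block with
# "zPQ". WAV files are RIFF containers with the "WAVE" form type.
ZPAQ_LOCATOR = bytes.fromhex("376B5374A03183D38CB228B0D3")
ZPAQ_BLOCK = b"zPQ"
RIFF = b"RIFF"
WAVE = b"WAVE"


def identify(header: bytes) -> str:
    """Classify a file from its first bytes, ignoring the extension."""
    if header.startswith(ZPAQ_LOCATOR) or header.startswith(ZPAQ_BLOCK):
        return "zpaq"
    if header[:4] == RIFF and header[8:12] == WAVE:
        return "wav"
    return "unknown"


def extension_mismatch(name: str, header: bytes) -> bool:
    """True when the claimed extension does not match the actual content."""
    ext = os.path.splitext(name)[1].lower()
    expected = {".wav": "wav", ".zpaq": "zpaq"}.get(ext)
    return expected is not None and identify(header) != expected


# Constructed samples: a ZPAQ header under a .wav name (the lure described
# above), a genuine WAV header, and an honestly named ZPAQ archive.
SAMPLES = {
    "Invoice_2023.wav": ZPAQ_LOCATOR + b"zPQ\x01\x01" + b"\x00" * 16,
    "voicemail.wav": b"RIFF" + b"\x24\x00\x00\x00" + b"WAVE" + b"fmt " + b"\x00" * 16,
    "backup.zpaq": ZPAQ_LOCATOR + b"zPQ\x01\x01" + b"\x00" * 16,
}


def scan(samples: dict) -> list:
    """Return the names whose extension misrepresents the content."""
    return [n for n, h in samples.items() if extension_mismatch(n, h)]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"suspicious: {name} claims {os.path.splitext(name)[1]} "
              f"but content is {identify(SAMPLES[name])}")
```

In practice the same check would read the first 32 bytes of each attachment from a mail gateway or sandbox rather than the inline samples.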