Security researchers are describing a novel .NET malware packer that delivers remote access trojans (RATs) alongside infostealers using a “Donald Trump” password. Because of this, the team at Proofpoint, who have been tracking the attack method since 2020, call the malware “DTPacker.”
According to the firm, DTPacker has been used by a number of attack groups and been used to target thousands of users globally. One of the most successful attempts was a weeks-long campaign using DTPacker inside a fake Liverpool Football Club (LFC) website.
As a card-carrying Manchester United fan, the LFC website is always one to avoid, but in this instance everybody should be avoiding the fake site. Threat actors used the fake LFC website to lure users into downloading DTPacker, which placed the Agent Tesla malware on their systems. Other malware types associated with DTPacker include AsyncRAT, Ave Maria, and FormBook.
“From March 2021, Proofpoint observed samples using websites for soccer clubs and their fans being used as download locations,” Proofpoint says. “These websites appear to have been decoys, with the actual payload locations embedded in the list.”
Researchers point out that the malware is interesting because it is capable of deploying embedded payloads as well as fetching them from a command-and-control server. In other words, it can act as both a payload carrier and a downloader in a single attack.
“The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter,” the team adds. “DTPacker uses both forms; it is unusual for a piece of malware to be both a packer and a downloader.”
“Proofpoint observed multiple decoding methods and two Donald Trump-themed fixed keys, thus the name ‘DTPacker.’”