A previously undocumented malware packer named DTPacker has been observed distributing several Remote Access Trojans (RATs) and information stealers, including Agent Tesla, Ave Maria, AsyncRAT and FormBook, to plunder information and facilitate further attacks.
“The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and scanning,” enterprise security firm Proofpoint noted in an analysis published on Monday. “It’s probably distributed on underground forums.”
The .NET-based commodity malware has been associated with dozens of campaigns and multiple threat groups, both advanced persistent threats (APTs) and cybercrime actors, since 2020, with intrusions targeting hundreds of customers across many sectors.
Attack chains involving the packer rely on phishing emails as the initial infection vector. The messages carry a malicious document or a compressed executable attachment which, when opened, deploys the packer to launch the malware.
Packers differ from downloaders in that they carry an obfuscated payload along with them, hiding its true behavior from security solutions. The packing acts as “armor to protect the binary” and makes reverse engineering more difficult.
What makes DTPacker different is that it works like both. Its name is derived from the fact that it used two Donald Trump-themed fixed keys – “Trump2020” and “Trump2026” – to decode the embedded or downloaded resource which ultimately extracts and executes the final payload.
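The article states that the packer decodes its embedded or downloaded resource with one of two fixed keys but does not say which cipher is applied. The following triage helper is an added example, not code from the article or from Proofpoint's analysis: it assumes a repeating-key XOR (an assumption, since the page does not specify the scheme), uses the two key strings named in the text, and works on a resource blob constructed inline for the demonstration. The point it shows from a defender's side is that a hard-coded key lets an analyst recover the wrapped payload statically and confirm it is an executable by checking the PE header, without ever running the sample.

```python
"""Added example (not from the article or Proofpoint's analysis).

ASSUMPTION: the resource is encoded with a repeating-key XOR under one of the
two fixed keys the article names. The sample blob below is constructed here
and is not a real DTPacker resource.
"""
from itertools import cycle

KNOWN_KEYS = [b"Trump2020", b"Trump2026"]  # keys named in the article


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap static check for a Windows executable: an 'MZ' stub and a
    'PE\\0\\0' signature at the offset stored in the little-endian dword
    at 0x3C (e_lfanew)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def try_known_keys(resource: bytes, keys=KNOWN_KEYS):
    """Return (key, decoded_bytes) for the first key that yields a PE image,
    or None if no known key produces one (a hint that the sample uses a
    different key or scheme and needs manual analysis)."""
    for key in keys:
        decoded = xor_with_key(resource, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in payload: a minimal header with the MZ stub,
    e_lfanew pointing at offset 0x40, and the PE signature. It is not a
    runnable executable, only enough structure for looks_like_pe()."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x00..0x3B
    header += (0x40).to_bytes(4, "little")          # e_lfanew at 0x3C
    header += b"PE\x00\x00" + b"\x00" * 16          # signature + padding
    return bytes(header)


# Constructed "packed resource": the fake payload encoded under one of the
# known keys, so the helper has something realistic-looking to recover.
SAMPLE_RESOURCE = xor_with_key(build_fake_pe(), b"Trump2026")


if __name__ == "__main__":
    hit = try_known_keys(SAMPLE_RESOURCE)
    if hit:
        key, payload = hit
        print(f"decoded with key {key!r}; PE header recovered ({len(payload)} bytes)")
    else:
        print("no known key produced an executable; resource may use another scheme")
```

In practice the recovered bytes would be handed to a hash lookup or a .NET-aware parser rather than printed; the header check here is deliberately minimal so that a near-miss key (the two keys differ only in their last byte) is rejected rather than accepted on the 'MZ' bytes alone.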
It is currently unknown why the authors chose this specific reference to the former US President, as the malware is neither used to target politicians or political organizations, nor are the keys ever seen by the targeted victims.
Proofpoint said it observed operators making subtle changes, switching to football fan club websites as decoys to host the malware from March 2021, with the packer having been employed by groups such as TA2536 and TA2715 in their own campaigns a year before that.
“The use of DTPacker as both a packer and a downloader and its variation in delivering and obfuscating while maintaining two of these unique keys as part of its decoding is very unusual,” said the researchers, who expect the malware to be used by multiple threat actors for the foreseeable future.