Enterprise security firm Proofpoint reported that “the malware uses various encryption methods to avoid antivirus, sandboxing, and analysis” and that it is “most likely spread through underground forums.” Agent Tesla, Ave Maria, AsyncRAT, and FormBook are among the remote access trojans (RATs) and information stealers distributed by the previously unknown malware packer DTPacker to steal information and enable follow-on attacks.
The key findings are:
- Proofpoint identified a malware packer which researchers have dubbed DTPacker.
- The payload decoding uses a fixed password containing former U.S. president Donald Trump’s name.
- For several weeks the downloader variant used Liverpool Football Club themed download locations.
- The malware is typically used to pack remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.
Since 2020, the .NET-based commodity malware has been linked to dozens of campaigns and multiple threat groups, including advanced persistent threat (APT) and cybercrime actors, with intrusions targeting hundreds of customers across a variety of industries.
Phishing emails are the initial infection vector in attack chains involving the packer. The mails carry either a malicious document or a compressed executable attachment that, when opened, launches the packer.
DTPacker is unusual in that it works both as a packer, carrying the payload as an embedded resource, and as a downloader, fetching the payload from a remote location. It got its name from the two Donald Trump-themed fixed keys, “trump2020” and “Trump2026”, used to decode the embedded or downloaded resource, which in turn extracts and executes the final payload.
Proofpoint observed the operators making modest adjustments in March 2021, when they switched to soccer fan club websites as decoys to host the malware, a year after the packer was used by groups such as TA2536 and TA2715 in their own campaigns.
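The two fixed keys are the most stable artefact the report gives a defender to hunt on. The script below is an added example (not code from Proofpoint or from the packer) that scans a binary for both keys in ASCII and in UTF-16LE, since .NET string literals are stored UTF-16LE in the assembly's #US heap, so a sample that carries the key as a plain literal will contain it in that encoding rather than as ASCII. The sample blob is constructed for illustration and is not a real DTPacker sample.

```python
"""Hunt for DTPacker's fixed decoding keys inside a binary blob.

Added example, not code from the Proofpoint report or from the packer.
A hit is a lead for further analysis, not proof: the report notes the
packer layers obfuscation, so the key may be assembled at runtime and
never appear as one contiguous string.
"""
import re

# Keys named in the report.  Matching is case-sensitive on purpose:
# the two keys differ in case as well as in the trailing digits.
FIXED_KEYS = ("trump2020", "Trump2026")


def key_patterns():
    """Compile one regex per (key, encoding) pair."""
    pats = []
    for key in FIXED_KEYS:
        pats.append((key, "ascii", re.compile(re.escape(key.encode("ascii")))))
        # .NET user-string literals live UTF-16LE in the #US heap.
        pats.append((key, "utf-16le", re.compile(re.escape(key.encode("utf-16-le")))))
    return pats


def scan_for_keys(data: bytes):
    """Return a list of (key, encoding, offset) for every occurrence in data,
    sorted by offset."""
    hits = []
    for key, enc, pat in key_patterns():
        for m in pat.finditer(data):
            hits.append((key, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan_for_keys(fh.read())


# Constructed sample blob (NOT a real sample): a fake MZ header and padding,
# the first key embedded UTF-16LE the way a .NET literal is stored, then the
# second key embedded as ASCII.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60            # 64 bytes of header/padding
    + "trump2020".encode("utf-16-le")        # 18 bytes at offset 64
    + b"\x11\x22\x33"                        # 3 bytes of filler
    + b"Trump2026"                           # 9 bytes at offset 85
    + b"\x00" * 16
)

if __name__ == "__main__":
    for key, enc, off in scan_for_keys(SAMPLE_BLOB):
        print(f"{key!r} found as {enc} at offset 0x{off:x}")
```

Run it against a suspicious .NET executable with `scan_file(path)`; an empty result does not clear the file, because an obfuscated build can hide the key, but a hit on either encoding is worth pulling the sample into a sandbox.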
Finally, the researchers concluded that “DTPacker's use as a packer and downloader, as well as its variety in delivery and obfuscation while preserving two such unique keys as part of its decoding, is quite unusual,” adding that they expect the malware to be used by different threat actors in the near future.

| Indicator of Compromise | Description | Associated Malware |
| --- | --- | --- |
| 9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27 | DTPacker SHA256 | Agent Tesla |
| hxxps://hastebin[.]com/raw/azipitojuj | Payload Download Location | Agent Tesla |
| hxxps://hastebin[.]com/raw/urafehisiv | Payload Download Location | Agent Tesla |
| 285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b | DTPacker SHA256 | Ave Maria RAT |
| 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40 | DTPacker SHA256 | Agent Tesla |
| 1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056 | DTPacker SHA256 | AsyncRAT |
| ba0f9be7cf006404bcfab6b6adbad0cef7281c3792490903632a4010d8a74f42 | DTPacker SHA256 | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=E2E813E9694BE43CAD964C0453632F91 | Payload Download Location | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=63DC49E5D8F5F50F8838551347009928 | Payload Download Location | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=D13B96F0619AC39B44A32D3E0A260C89 | Payload Download Location | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=85530E49BB23CD9DBD8461A2FC5D18A2 | Payload Download Location | Agent Tesla |
| 5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c | DTPacker SHA256 | Agent Tesla |
| hxxp://193.239.147[.]103/base/264712C97B662289D6644F926525A252.html | Payload Download Location | Agent Tesla |
| b53558a85b8bb10ce70cb0592a81e540683d459b9d8666b7927c105f1141a189 | DTPacker SHA256 | Snake Keylogger |
| hxxp://osndjdjjjdjshgaggdkf[.]com/base/377A23697621555ED2123D80005200D7.html | Payload Download Location | Snake Keylogger |
| hxxp://osndjdjjjdjshgaggdkf[.]com/base/650D6251494D3B160CBC93685F2FA1E4.html | Payload Download Location | Snake Keylogger |
| hxxp://osndjdjjjdjshgaggdkf[.]com/base/2A812C716BD7EB40F36227E584D97524.html | Payload Download Location | Snake Keylogger |
| 9cc817f0205da4bde1d938e1817aa98fe4f4a5dcbcaffbe8b45041e24c105aa0 | DTPacker SHA256 | Agent Tesla |
| hxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-1FE8F2E05D5035C0446552639B8336B8.htm | Payload Download Location | Agent Tesla |
| hxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-EC7D4835EC6F56BD999A943FEDF8D489.html | Payload Download Location | Agent Tesla |
| hxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-DE7C2CE9F7D38544A851414C40C46A3F.html | Payload Download Location | Agent Tesla |
| 281cdbf590c22cd684700dcde609d6be48ddf3e4d988d48e65d9c688ce76f7af | DTPacker SHA256 | Agent Tesla |
| hxxp://mmwrlridbhmibnr[.]ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-40505C0917C3E190B486745F4941F177.html | DTPacker Download URL | Agent Tesla |
| a564eb282800ed662b1c55ae65fbba86b6feca00a2e15ebb36a61fc53ac47c3a | DTPacker SHA256 | Agent Tesla |
| affea9c276ded88eea1e39ac39fb19373c4b62d4251fb1d06f37a05e35dfa463 | DTPacker SHA256 | FormBook |
| hxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124528768032848/9722D04C.jpg | DTPacker Download URL | FormBook |
| hxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124531213336656/F526E587.jpg | DTPacker Download URL | FormBook |
| 4053206d66d627d145d9da8d8e208d08c85755036a5393ccc6e8afd6117df864 | DTPacker SHA256 | Agent Tesla |
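To put the table to use, the indicators have to be refanged (`hxxp` back to `http`, `[.]` back to `.`) and matched against telemetry. The script below is an added example, not part of the Proofpoint report or this article's own material; the IOC values are copied from the table, while the parsing logic, the proxy-log format and the sample log lines are constructed for illustration. One caveat it encodes: several download locations sit on shared public services (hastebin, the Discord CDN), so those are matched only as exact URLs, whereas attacker-controlled hosts such as the `.xyz` domain or the bare IP are flagged at host level.

```python
"""Parse, refang and match the DTPacker IOC table.

Added example; IOC strings are the published ones, everything else
(parser, log format, sample telemetry) is constructed here.
"""
import re
from urllib.parse import urlsplit

# A subset of the table above, pasted as published (pipe-separated, defanged).
IOC_TABLE = """\
9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27 | DTPacker SHA256 | Agent Tesla
hxxps://hastebin[.]com/raw/azipitojuj | Payload Download Location | Agent Tesla
hxxp://193.239.147[.]103/base/264712C97B662289D6644F926525A252.html | Payload Download Location | Agent Tesla
hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=E2E813E9694BE43CAD964C0453632F91 | Payload Download Location | Agent Tesla
affea9c276ded88eea1e39ac39fb19373c4b62d4251fb1d06f37a05e35dfa463 | DTPacker SHA256 | FormBook
"""

# Shared services: a host-level match here would flag legitimate traffic,
# so only the exact published URL is treated as an indicator.
SHARED_HOSTS = {"hastebin.com", "cdn.discordapp.com"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the table."""
    out = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def parse_ioc_table(text: str):
    """Return (hashes, urls, hosts): lowercase SHA256 set, refanged URL ->
    malware family, and the set of hosts those URLs use."""
    hashes, urls, hosts = set(), {}, set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3:
            continue  # header / separator / blank
        value, _kind, family = cells
        if SHA256_RE.match(value.lower()):
            hashes.add(value.lower())
        elif value.lower().startswith("hxxp"):
            url = refang(value)
            urls[url] = family
            hosts.add(urlsplit(url).hostname)
    return hashes, urls, hosts


def match_hashes(candidates, hashes):
    """Case-insensitive SHA256 lookup; returns matching digests, lowercase."""
    return sorted(h.lower() for h in candidates if h.lower() in hashes)


def match_proxy_log(lines, urls, hosts):
    """Flag lines whose URL is an exact IOC, or whose host is an IOC host
    that is not a shared service.  Assumed (constructed) log format:
    '<timestamp> <client-ip> <url> <status>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        host = urlsplit(url).hostname
        if url in urls:
            findings.append((line, "exact-url", urls[url]))
        elif host in hosts and host not in SHARED_HOSTS:
            findings.append((line, "ioc-host", None))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_HASHES = [
    "AFFEA9C276DED88EEA1E39AC39FB19373C4B62D4251FB1D06F37A05E35DFA463",  # FormBook row, upper-cased
    "0" * 64,                                                            # benign placeholder
]
SAMPLE_PROXY_LOG = [
    "2022-01-24T10:01:02Z 10.0.0.5 https://hastebin.com/raw/azipitojuj 200",
    "2022-01-24T10:01:30Z 10.0.0.5 https://hastebin.com/raw/somethingelse 200",
    "2022-01-24T10:02:10Z 10.0.0.5 http://193.239.147.103/base/ffffffffffffffffffffffffffffffff.html 404",
    "2022-01-24T10:03:00Z 10.0.0.7 https://example.org/ 200",
]

if __name__ == "__main__":
    hashes, urls, hosts = parse_ioc_table(IOC_TABLE)
    print("hash hits:", match_hashes(SAMPLE_HASHES, hashes))
    for line, why, family in match_proxy_log(SAMPLE_PROXY_LOG, urls, hosts):
        print(f"{why:10} {family or '-':12} {line}")
```

The second hastebin line above is deliberately not flagged: a different paste on a shared service is not evidence on its own, while any request to the bare IP is, because that host has no legitimate reason to appear in the logs.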
For more cyber security news, follow us on Twitter (@cyberworkx1) and LinkedIn.