Enterprise security firm Proofpoint reported: “The malware uses various encryption methods to avoid antivirus, sandboxing, and analysis. It’s most likely spread through underground forums. Agent Tesla, Ave Maria, AsyncRAT, and FormBook are among the remote access trojans (RATs) and information stealers distributed by the previously unknown malware packer DTPacker to steal information and allow attacks.”

The key findings are:

  • Proofpoint identified a malware packer which researchers have dubbed DTPacker. 
  • The payload decoding uses a fixed password containing former U.S. president Donald Trump’s name.  
  • For several weeks the downloader variant used Liverpool Football Club themed download locations. 
  • The malware is typically used to pack remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.  

Since 2020, the .NET-based commodity malware has been linked to dozens of campaigns and multiple threat groups, including advanced persistent threat (APT) and cybercrime actors, with intrusions targeting hundreds of customers across a variety of industries.

Phishing emails are used as an initial infection vector in attack chains involving the packer. The mails contain a malicious document or a compressed executable attachment that, when opened, launches the malware packer.
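The delivery described above relies on a compressed attachment that carries an executable. As an added example (not code from the article or from Proofpoint), the following Python triage routine inspects an in-memory ZIP the way a mail gateway or SOC script might, flagging members with executable or double extensions and members whose content starts with a PE `MZ` header despite a harmless-looking name. The archive contents are constructed for the example; the `EXEC_EXTENSIONS` list and the `build_sample_zip` / `triage_archive` names are assumptions of this example.

```python
import io
import zipfile

# Extensions that Windows will execute directly; assumed list for this example.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".dll"}


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for a mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # PE stub bytes only; this is not a runnable program.
        z.writestr("Invoice_2021.pdf.exe", b"MZ" + b"\x00" * 62)
        z.writestr("notes.txt", b"nothing to see here")
        # PE header hidden behind an image extension.
        z.writestr("photo.jpg", b"MZ" + b"\x90" * 30)
        z.writestr("docs/readme.md", b"# hello")
    return buf.getvalue()


def triage_archive(data: bytes):
    """Return (member name, reason) for every member that warrants a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            with z.open(info) as f:
                head = f.read(2)  # only the magic bytes are needed here
            if ext in EXEC_EXTENSIONS:
                reason = "executable extension"
                if base.count(".") > 1:
                    reason += " with double extension"
                findings.append((name, reason))
            elif head == b"MZ":
                # Content/extension mismatch: PE bytes under a non-executable name.
                findings.append((name, "PE header in non-executable name"))
    return findings


if __name__ == "__main__":
    for member, reason in triage_archive(build_sample_zip()):
        print(f"{member}: {reason}")
```

Checking the magic bytes rather than trusting the extension is what catches the second case; a gateway that only looks at names would pass `photo.jpg` through.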

DTPacker is unusual in that it can act as both a packer and a downloader. It gets its name from the two Donald Trump-themed fixed keys, “trump2020” and “Trump2026”, used to decode the embedded or downloaded resource that ultimately extracts and executes the final payload.

Proofpoint stated it observed the operators making modest adjustments in March 2021, when they switched to using soccer fan club websites as decoys to host the malware, a year after the packer was used by groups like TA2536 and TA2715 in their own attacks.

Finally, the researchers concluded: “DTPacker’s use as a packer and downloader, as well as its variety in delivery and obfuscation while preserving two such unique keys as part of its decoding, is quite unusual,” adding that they expect the malware to be used by different threat actors in the near future.

| Indicator of Compromise | Description | Associated Malware |
|---|---|---|
| 9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27 | DTPacker SHA256 | Agent Tesla |
| hxxps://hastebin[.]com/raw/azipitojuj | Payload Download Location | Agent Tesla |
| hxxps://hastebin[.]com/raw/urafehisiv | Payload Download Location | Agent Tesla |
| 285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b | DTPacker SHA256 | Ave Maria RAT |
| 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40 | DTPacker SHA256 | Agent Tesla |
| 1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056 | DTPacker SHA256 | AsyncRAT |
| ba0f9be7cf006404bcfab6b6adbad0cef7281c3792490903632a4010d8a74f42 | DTPacker SHA256 | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=E2E813E9694BE43CAD964C0453632F91 | Payload Download Location | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=63DC49E5D8F5F50F8838551347009928 | Payload Download Location | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=D13B96F0619AC39B44A32D3E0A260C89 | Payload Download Location | Agent Tesla |
| hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=85530E49BB23CD9DBD8461A2FC5D18A2 | Payload Download Location | Agent Tesla |
| 5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c | DTPacker SHA256 | Agent Tesla |
| hxxp://193.239.147[.]103/base/264712C97B662289D6644F926525A252.html | Payload Download Location | Agent Tesla |
| b53558a85b8bb10ce70cb0592a81e540683d459b9d8666b7927c105f1141a189 | DTPacker SHA256 | Snake Keylogger |
| hxxp://osndjdjjjdjshgaggdkf[.]com/base/377A23697621555ED2123D80005200D7.html | Payload Download Location | Snake Keylogger |
| hxxp://osndjdjjjdjshgaggdkf[.]com/base/650D6251494D3B160CBC93685F2FA1E4.html | Payload Download Location | Snake Keylogger |
| hxxp://osndjdjjjdjshgaggdkf[.]com/base/2A812C716BD7EB40F36227E584D97524.html | Payload Download Location | Snake Keylogger |
| 9cc817f0205da4bde1d938e1817aa98fe4f4a5dcbcaffbe8b45041e24c105aa0 | DTPacker SHA256 | Agent Tesla |
| hxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-1FE8F2E05D5035C0446552639B8336B8.htm | Payload Download Location | Agent Tesla |
| hxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-EC7D4835EC6F56BD999A943FEDF8D489.html | Payload Download Location | Agent Tesla |
| hxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-DE7C2CE9F7D38544A851414C40C46A3F.html | Payload Download Location | Agent Tesla |
| 281cdbf590c22cd684700dcde609d6be48ddf3e4d988d48e65d9c688ce76f7af | DTPacker SHA256 | Agent Tesla |
| hxxp://mmwrlridbhmibnr[.]ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish–goal-40505C0917C3E190B486745F4941F177.html | DTPacker Download URL | Agent Tesla |
| a564eb282800ed662b1c55ae65fbba86b6feca00a2e15ebb36a61fc53ac47c3a | DTPacker SHA256 | Agent Tesla |
| affea9c276ded88eea1e39ac39fb19373c4b62d4251fb1d06f37a05e35dfa463 | DTPacker SHA256 | FormBook |
| hxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124528768032848/9722D04C.jpg | DTPacker Download URL | FormBook |
| hxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124531213336656/F526E587.jpg | DTPacker Download URL | FormBook |
| 4053206d66d627d145d9da8d8e208d08c85755036a5393ccc6e8afd6117df864 | DTPacker SHA256 | Agent Tesla |
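The indicators above are published defanged (`hxxp`, `[.]`), so they have to be normalised before they can be matched against real telemetry. As an added example (not code from the article or from Proofpoint), the following Python sweep refangs a subset of the table's hashes and URLs, then runs them over a few constructed proxy and EDR log lines. One practical caveat it encodes: hosts such as hastebin and the Discord CDN carry plenty of legitimate traffic, so they are matched only on the exact published URL, while the attacker-controlled domains and the IP address are matched on the host alone. The log lines, the `SHARED_HOSTS` set and the function names are assumptions of this example.

```python
import re

# Subset of the article's IoC table, kept defanged as published.
DTPACKER_SHA256 = {
    "9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27": "Agent Tesla",
    "285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b": "Ave Maria RAT",
    "1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056": "AsyncRAT",
    "b53558a85b8bb10ce70cb0592a81e540683d459b9d8666b7927c105f1141a189": "Snake Keylogger",
    "affea9c276ded88eea1e39ac39fb19373c4b62d4251fb1d06f37a05e35dfa463": "FormBook",
}
DEFANGED_URLS = [
    "hxxps://hastebin[.]com/raw/azipitojuj",
    "hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=E2E813E9694BE43CAD964C0453632F91",
    "hxxp://193.239.147[.]103/base/264712C97B662289D6644F926525A252.html",
    "hxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124528768032848/9722D04C.jpg",
]
# Shared services: match only on the full URL, never on the host alone (assumed list).
SHARED_HOSTS = {"hastebin.com", "cdn.discordapp.com"}


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxp, [.], [:]) back to its matchable form."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Lower-cased host part of a URL (port kept if present)."""
    m = re.match(r"^[a-z]+://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


IOC_URLS = {refang(u) for u in DEFANGED_URLS}
IOC_HOSTS = {host_of(u) for u in IOC_URLS} - SHARED_HOSTS

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def scan_lines(lines):
    """Return (line number, match type, detail) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in SHA256_RE.finditer(line):
            family = DTPACKER_SHA256.get(m.group(0).lower())
            if family:
                hits.append((n, "sha256", family))
        for m in URL_RE.finditer(line):
            url = m.group(0)
            if url in IOC_URLS:
                hits.append((n, "url", url))
            elif host_of(url) in IOC_HOSTS:
                hits.append((n, "host", host_of(url)))
    return hits


# Constructed log lines for the example; they are not real telemetry.
SAMPLE_LOG = [
    "2021-10-12T09:14:02Z proxy src=10.0.0.15 url=https://example.org/index.html status=200",
    "2021-10-12T09:15:41Z proxy src=10.0.0.15 url=https://hastebin.com/raw/azipitojuj status=200",
    "2021-10-12T09:16:03Z edr host=WS-17 file=C:\\Users\\a\\Downloads\\invoice.exe "
    "sha256=9D713D2254E529286ED3AC471E134169D2C7279B0EAF82EB9923CD46954D5D27",
    "2021-10-12T09:17:20Z proxy src=10.0.0.22 url=http://193.239.147.103/base/264712C97B662289D6644F926525A252.html status=404",
    "2021-10-12T09:18:05Z proxy src=10.0.0.22 url=http://ahgwqrq.xyz/getrandombase64.php?get=00000000000000000000000000000000 status=200",
    "2021-10-12T09:19:30Z proxy src=10.0.0.31 url=https://hastebin.com/raw/zzzzzzzzzz status=200",
]

if __name__ == "__main__":
    for n, kind, detail in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} match -> {detail}")
```

The last sample line is deliberately a hastebin paste that is not in the table: it produces no hit, which is the point of the `SHARED_HOSTS` split, while the unknown `ahgwqrq[.]xyz` path on line 5 still matches on host because that domain has no legitimate use.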
