A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans (RATs) and information stealers such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook to plunder information and facilitate follow-on attacks.
“The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis,” enterprise security company Proofpoint said in an analysis published Monday. “It is likely distributed on underground forums.”
The .NET-based commodity malware has been associated with dozens of campaigns and multiple threat groups, both advanced persistent threat (APT) and cybercrime actors, since 2020, with the intrusions aimed at hundreds of customers across many sectors.
Attack chains involving the packer rely on phishing emails as an initial infection vector. The messages contain a malicious document or a compressed executable attachment, which, when opened, deploys the packer to launch the malware.
Packers differ from downloaders in that unlike the latter, they carry an obfuscated payload to hide their true behavior from security solutions in a manner that acts as an “armor to protect the binary” and make reverse engineering more difficult.
What makes DTPacker different is that it functions as both. Its name is derived from the fact that it used two Donald Trump-themed fixed keys — “trump2020” and “Trump2026” — to decode the embedded or downloaded resource that ultimately extracts and executes the final payload. Read more: https://bit.ly/3IBtZrW