Unusual ‘Donald Trump’ Packer Malware Delivers RATs, Infostealers

3 months ago

The ‘DTPacker’ downloader used fake Liverpool Football Club sites as lures for several weeks, a report finds.

A new .NET malware packer being used to deliver a variety of remote access trojans (RATs) and infostealers has a fixed password named after Donald Trump, giving the new find its name, “DTPacker.”

DTPacker was discovered by researchers at Proofpoint who, since 2020, have observed it being used by several threat actors in campaigns targeting hundreds of thousands of end users with thousands of malicious messages across many sectors.

One notable campaign, which lasted for weeks, used fake Liverpool Football Club (LFC) sites to lure users to download DTPacker, ultimately delivering Agent Tesla, the researchers found. Ave Maria, AsyncRAT and FormBook have also been spread by DTPacker, according to a Monday report.

Decoy, fake LFC page. Source: Proofpoint.

“From March 2021, Proofpoint observed samples using websites for soccer clubs and their fans being used as download locations,” the report said. “These websites appear to have been decoys, with the actual payload locations embedded in the list.”

The Proofpoint team that discovered DTPacker reported that the malware is notable because it delivers both embedded payloads (the packer) and payloads fetched from a command-and-control server (a downloader). The second stage includes a fixed password for decoding, which, in all DTPacker instances, references the former president.

DTPacker’s Dual-Payload Delivery

“The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter,” the analysts noted. “DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and a downloader.”

“Proofpoint observed multiple decoding methods and two Donald Trump-themed fixed keys, thus the name ‘DTPacker,’” according to the report. The earlier DTPacker version used “trump2020,” but beginning last August, a version using “Trump2026” emerged, the firm added.
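Because both fixed keys are known, defenders can hunt for them in unpacked second-stage samples or memory dumps. The following sketch is an added example, not code from the Proofpoint report; it assumes the keys appear as plain strings in ASCII or UTF-16LE (the encoding .NET uses for string literals), and its sample buffers are constructed.

```python
"""Hunt for DTPacker's fixed decoding keys in a file or memory dump."""
import sys
from typing import List, NamedTuple

# The two fixed keys named in the article (case matters).
FIXED_KEYS = ("trump2020", "Trump2026")
# Assumption: keys are stored as plain strings. .NET string literals are
# UTF-16LE in the assembly's user-string heap; ASCII covers other dumps.
ENCODINGS = ("ascii", "utf-16-le")


class Hit(NamedTuple):
    offset: int
    key: str
    encoding: str


def find_fixed_keys(data: bytes) -> List[Hit]:
    """Return every occurrence of a fixed key, sorted by offset."""
    hits = []
    for key in FIXED_KEYS:
        for enc in ENCODINGS:
            needle = key.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.append(Hit(pos, key, enc))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample buffers (not real malware bytes).
SAMPLE_UTF16 = b"\x00" * 8 + "Trump2026".encode("utf-16-le") + b"\x00\x00"
SAMPLE_ASCII = b"key=trump2020;" + b"\xff" * 4
SAMPLE_CLEAN = b"TRUMP2020 trump 2026 " + "trump".encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python script.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in find_fixed_keys(fh.read()):
                print(f"{path}: {hit.key!r} ({hit.encoding}) at 0x{hit.offset:x}")
```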

The researchers predicted that the DTPacker malware will continue to be used by threat actors and traded on underground forums.

“It is unknown why the malware author specifically referred to Donald Trump in the malware’s fixed passwords, as it is not used to specifically target politicians or political organizations and would not be seen by the intended victims,” the analysts added. “Proofpoint assesses this malware will continue to be used by multiple threat actors.”