A new .NET malware packer being used to deliver a variety of RATs and infostealers has a fixed password named after Donald Trump, giving the new find its name, DTPacker. It also leverages the use fake Liverpool club site to lure victims.
This being used by several threat actors in campaigns targeting hundreds of thousands of end users with thousands of malicious messages across many sectors delivering Agent Tesla,Ave Maria, AsyncRAT and FormBook have also been spread by DTPacker. It’s been observed samples using websites for soccer clubs and their fans being used as download locations. These websites appear to have been decoys, with the actual payload locations embedded in the list.
It’s notable because it delivers both embedded payloads (the packer), as well as those fetched from a C&C server (a downloader). The second stage includes a fixed password for decoding, which in all DTPacker instances, reference the former president.
The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter. DTPacker uses both forms, it is unusual for a piece of malware to be both a packer and a downloader.
It is unknown why the malware author specifically referred to Donald Trump in the malware’s fixed passwords, as it is not used to specifically target politicians or political organizations and would not be seen by the intended victims.