A new .NET malware packer being used to deliver a variety of remote access trojans (RATs) and infostealers has a fixed password named after Donald Trump, giving the new find its name, “DTPacker.” DTPacker was discovered by researchers at Proofpoint who, since 2020, have observed it being used by several threat actors in campaigns targeting hundreds of thousands of end users with thousands of malicious messages across many sectors. One notable campaign, which lasted for weeks, used fake Liverpool Football Club (LFC) sites to lure users to download DTPacker, ultimately delivering Agent Tesla, the researchers found. Ave Maria, AsyncRAT and FormBook have also been spread by DTPacker, according to a report. “From March 2021, Proofpoint observed samples using websites for soccer clubs and their fans being used as download locations,” the report said. “These websites appear to have been decoys, with the actual payload locations embedded in the list.”
Threat actors will often disguise command-and-control (C2) communication to appear like connections to legitimate websites, such as the sites this packer uses that appear to be for soccer clubs and their fans. This communication is less likely to be identified as malicious traffic by SOC analysts but keeping up with current threat intelligence can help your organization defend against tactics like these.