The Cyber Security News
Unusual ‘Donald Trump’ Packer Malware Delivers RATs, Infostealers

January 24, 2022

The ‘DTPacker’ downloader used fake Liverpool Football Club sites as lures for several months, a report finds.

A new .NET malware packer being used to deliver a variety of remote access trojans (RATs) and infostealers has a fixed password named after Donald Trump, giving the new discovery its name, “DTPacker.”

DTPacker was discovered by researchers at Proofpoint who, since 2020, have seen it used by multiple threat actors in campaigns targeting hundreds of thousands of end users with thousands of malicious messages across several sectors.

One notable campaign, which lasted for weeks, used fake Liverpool Football Club (LFC) websites to lure users into downloading DTPacker, ultimately delivering Agent Tesla, the researchers found. Ave Maria, AsyncRAT and FormBook have also been spread by DTPacker, according to a Monday report.

Decoy, fake LFC website. Source: Proofpoint.

“From March 2021, Proofpoint observed samples using websites for football clubs and their fans as download locations,” the report said. “These websites appear to have been decoys, with the actual payload locations embedded in the list.”

The Proofpoint team that discovered DTPacker said the malware is notable because it delivers both embedded payloads (as a packer) and payloads fetched from a command-and-control server (as a downloader). The second stage requires a fixed password for decoding, which in all DTPacker cases references the former president.

DTPacker’s Dual-Payload Delivery

“The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter,” the analysts noted. “DTPacker uses both types; it is unusual for a piece of malware to be both a packer and a downloader.”

“Proofpoint observed several decoding methods and two Donald Trump-themed fixed keys, hence the name ‘DTPacker,’” according to the report. The earlier DTPacker version used “trump2020,” but beginning last August a version using “Trump2026” emerged, the company added.

The researchers predicted that the DTPacker malware will continue to be used by threat actors and traded on underground forums.

“It is not known why the malware author specifically referenced Donald Trump in the malware’s fixed passwords, as it is not used to specifically target politicians or political organizations and would not be seen by the intended victims,” the analysts added. “Proofpoint assesses this malware will continue to be used by multiple threat actors.”


Some parts of this article are sourced from:
threatpost.com

Copyright © TheCyberSecurity.News, All Rights Reserved.