Hackers Use DTPacker to Avoid Analysis and Detection


Short News:-

A previously undocumented malware packer named DTPacker has been observed distributing multiple remote access trojans and information stealers. Its name is derived from two Donald Trump-themed fixed keys used to decode the embedded or downloaded resource that ultimately extracts and executes the final payload.



Detailed News:-

A previously unknown malware packer known as DTPacker has been discovered distributing a variety of remote access trojans (RATs) and information stealers, including Agent Tesla, Ave Maria, AsyncRAT and FormBook.


Proofpoint, an enterprise security company, said in an analysis published Monday that the malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis. "Underground forums are most likely where it's being distributed," the researchers said.


Since 2020, the .NET-based commodity malware has been linked to many campaigns and threat groups, including advanced persistent threats (APTs) and cybercriminals. The attacks have targeted hundreds of companies in a wide range of industries.



Phishing emails are the primary infection vector for attack chains involving the packer. Opening the malicious document or compressed executable attachment in one of these messages runs the packer, which in turn launches the malware.


A packer differs from a downloader in that it carries an obfuscated payload that acts as "armor to protect the binary" and makes reverse engineering more difficult.


DTPacker, on the other hand, performs both tasks. Its name derives from the fact that it decodes the embedded or downloaded resource, which ultimately extracts and executes the final payload, using two Donald Trump-themed fixed keys, "trump2020" and "Trump2026."
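Because the two decoding keys are fixed, their presence in a sample is a useful triage signal for defenders. The following is an added example, not Proofpoint's code or the packer's own: it scans a byte blob for both keys in ASCII and in UTF-16LE (the encoding .NET uses for string literals, which is my assumption about where the keys may appear; the article does not state the decoding algorithm, so the script only flags the keys and does not decode anything). The sample blob is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed decoding keys reported for DTPacker in the article.
DTPACKER_KEYS = ("trump2020", "Trump2026")

# Constructed sample, not a real DTPacker binary: a fake PE-like blob that
# embeds one key as ASCII and the other as UTF-16LE.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"config=" + b"trump2020" + b"\x00" * 8
    + "Trump2026".encode("utf-16-le") + b"\x00" * 4
)


def find_fixed_keys(data: bytes, keys=DTPACKER_KEYS) -> Dict[str, List[Tuple[str, int]]]:
    """Return {key: [(encoding, offset), ...]} for every occurrence of each key.

    Both ASCII and UTF-16LE forms are checked: .NET stores user string
    literals as UTF-16LE in the #US heap, while a key placed in a resource
    or built at runtime may show up as plain ASCII (assumption, see lead-in).
    """
    hits: Dict[str, List[Tuple[str, int]]] = {k: [] for k in keys}
    for key in keys:
        for enc_name, needle in (("ascii", key.encode("ascii")),
                                 ("utf-16-le", key.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits[key].append((enc_name, m.start()))
    return hits


def looks_like_dtpacker(data: bytes) -> bool:
    """Triage heuristic: both fixed keys are present somewhere in the blob.

    A string match alone is not proof; confirm with dynamic analysis or a
    full unpack before acting on the verdict.
    """
    hits = find_fixed_keys(data)
    return all(hits[k] for k in DTPACKER_KEYS)


if __name__ == "__main__":
    for key, where in find_fixed_keys(SAMPLE_BLOB).items():
        print(key, where)
    print("DTPacker keys present:", looks_like_dtpacker(SAMPLE_BLOB))
```

Run it against files pulled from a mail gateway quarantine to prioritise which attachments get a full unpack first.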


Because the malware does not target politicians or political organizations, it's not clear why the authors chose to include a reference to the former President of the United States in the malware's name.


Evidence points to the packer having been used by groups like TA2536 and TA2715 in their own campaigns before March 2021, when they switched to using soccer fan club websites as decoys to host malware.


According to researchers, "DTPacker's use as both a packer and a downloader and its variation in delivery and obfuscation while keeping two such unique keys as part of its decoding is very unusual." The researchers expect the malware to be used by multiple threat actors and a wide range of criminals for the foreseeable future.
