The ‘DTPacker’ downloader used fake Liverpool Football Club sites as lures for several weeks, a report finds.
A new .NET malware packer being used to deliver a variety of remote access trojans (RATs) and infostealers has a fixed password named after Donald Trump, giving the new find its name, “DTPacker.”
DTPacker was discovered by researchers at Proofpoint who, since 2020, have observed it being used by several threat actors in campaigns targeting hundreds of thousands of end users with thousands of malicious messages across many sectors.
One notable campaign, which lasted for weeks, used fake Liverpool Football Club (LFC) sites to lure users to download DTPacker, ultimately delivering Agent Tesla, the researchers found. Ave Maria, AsyncRAT and FormBook have also been spread by DTPacker, according to a Monday report.
“From March 2021, Proofpoint observed samples using websites for soccer clubs and their fans being used as download locations,” the report said. “These websites appear to have been decoys, with the actual payload locations embedded in the list.”
The ProofPoint team that discovered DTPacker reported that the malware is notable because it delivers both embedded payloads (the packer), as well as those fetched from a command-and-control server (a downloader). The second stage includes a fixed password for decoding, which in all DTPacker instances, reference the former president.
DTPacker’s Dual-Payload Delivery
“The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter,” the analysts noted. “DTPacker uses both forms, it is unusual for a piece of malware to be both a packer and a downloader.”
“Proofpoint observed multiple decoding methods and two Donald Trump-themed fixed keys, thus the name ‘DTPacker,’” according to the report. The earlier DTPacker version used “trump2020,” but beginning last August, a version using “Trump2026,” emerged, the firm added.
The researchers predicted that the DTPacker malware will continue to be used by threat actors and traded around underground forums.
“It is unknown why the malware author specifically referred to Donald Trump in the malware’s fixed passwords, as it is not used to specifically target politicians or political organizations and would not be seen by the intended victims,” the analysts added. “Proofpoint assesses this malware will continue to be used by multiple threat actors.”