
Unusual Malware: DTPacker Is Both Loader and Packer

Security researchers have discovered a new malware packer and loader. Dubbed DTPacker, it decodes its payload using a fixed password that contains former U.S. president Donald Trump’s name, according to Proofpoint. A notable element of the attacks associated with DTPacker is that the threat actors used Liverpool Football Club-themed download locations. The malware appears to be used to pack remote access trojans (RATs) designed to steal information and load further payloads, including ransomware.

What Is DTPacker?

The malware has been described as a two-stage commodity .NET packer or downloader whose second stage uses a fixed password as part of the decoding. We should mention that the difference between a packer and a downloader lies in where the payload data is located: it is embedded in the file in the case of a packer, and fetched from a remote location in the case of a downloader. Proofpoint found that DTPacker uses both forms, which makes it an unusual piece of malware.

What Types of Attacks Does DTPacker Carry Out?

DTPacker has been observed distributing multiple RATs and information stealers, such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook. Furthermore, the malware uses multiple obfuscation techniques to evade antivirus and sandbox protection and analysis. Researchers believe it is distributed on underground forums.

The packer has also been associated with multiple campaigns and threat actors, such as TA2536 and TA2715, since 2020. DTPacker is most likely used by both advanced persistent threat and cybercrime actors. Analyzed campaigns included thousands of messages and impacted hundreds of customers in multiple industries, Proofpoint’s report said.

In October 2021, another previously unseen malware loader was detected in the wild. What is unique about the Wslink loader is its capability to run as a server and execute received modules in memory. No code, functionality or operational similarities suggested that the loader has been coded by a known threat actor. The loader was used in attacks against Central Europe, North America, and the Middle East.

Milena Dimitrova
