Researchers have uncovered a malware packer being used by multiple threat actors to distribute remote access trojans (RATs) used to steal information, and load follow-on payloads like ransomware.
Researchers with Proofpoint in a Monday analysis said that the .NET commodity packer, which they call DTPacker, has been associated with dozens of campaigns and multiple threat groups since 2020, and is likely distributed on underground forums. DTPacker uses multiple obfuscation techniques to avoid analysis, sandboxing and antivirus detection. However, what makes the malware unique is its ability to operate as both a packer and a downloader in order to distribute multiple RATs and information stealers, including Agent Tesla, AsyncRAT and FormBook.
“The main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter,” said researchers with Proofpoint. “DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and downloader.”
The DTPacker campaigns typically start with emails that carry an attachment, usually a malicious document (such as a Word document containing macros) or a compressed executable (an Equation Editor exploit, for instance) that ultimately downloads the DTPacker executable. Once running, DTPacker decodes data that is either stored within the executable or fetched in one or more HTTP requests.
As part of this first stage, researchers observed multiple decoding tactics, including a custom XOR routine used in earlier versions of DTPacker. This routine used fixed passwords that referred to former president Donald Trump (“trump2020”), though researchers said it is unknown why the author made this reference, as the malware is not used to specifically target politicians or political organizations, and the key would never be seen by the targeted victims anyway.
“The custom XOR routine, in addition to XORing with the key, subtracts the next data value and is implemented in this Python script (on Github) decoder-xor-sub.py,” according to researchers.
Then, the malware decodes more data stored within the resulting DLL to extract and execute payloads, such as Agent Tesla, which is executed on the host. The malware has various other obfuscation tactics, including the use of a string obfuscation method using large character code offsets or decimal character codes with the digits substituted with other characters.
Researchers have noted several subtle changes to malware samples over time. Starting in March 2021, for instance, researchers found samples using what appeared to be decoy websites for soccer clubs, such as the Liverpool Football Club and fan-related websites, as download locations for embedded payloads. In August, malware samples were uncovered that no longer used the custom XOR routine, instead using straight XOR, and a new fixed key that said “Trump2026.”
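The two data-encoding schemes described above, the early XOR-and-subtract routine and the later plain XOR variant, are small enough that an analyst can script a decoder that tries the known fixed keys against a blob and stops when a PE header appears. The code below is an added illustration for this article, not Proofpoint's decoder-xor-sub.py and not DTPacker's own code; the page only says the custom routine "subtracts the next data value" after XORing, so the exact byte ordering (XOR first, then subtract the following encoded byte, modulo 256) is an assumption, as is treating a leading "MZ" as a successful decode. The sample blobs are constructed here for the demonstration.

```python
"""Decoders for the DTPacker data-encoding variants described in the
Proofpoint write-up. Added example; the byte-level form of the custom
routine is an assumption made here, not taken from the page."""

# Fixed keys named in the article: the early custom routine used "trump2020",
# the later plain-XOR samples used "Trump2026".
KNOWN_KEYS = (b"trump2020", b"Trump2026")


def xor_sub_decode(data: bytes, key: bytes) -> bytes:
    """Assumed form of the custom routine: XOR each byte with the repeating
    key, then subtract the *next* encoded byte (mod 256). The final byte has
    no successor, so nothing is subtracted from it."""
    out = bytearray()
    for i, b in enumerate(data):
        x = b ^ key[i % len(key)]
        nxt = data[i + 1] if i + 1 < len(data) else 0
        out.append((x - nxt) & 0xFF)
    return bytes(out)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """The later variant: a straight repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_sub_encode(plain: bytes, key: bytes) -> bytes:
    """Inverse of xor_sub_decode, used only to build constructed test data.
    enc[i] = (plain[i] + enc[i+1]) ^ key[i], so it is computed from the end."""
    enc = bytearray(len(plain))
    nxt = 0
    for i in range(len(plain) - 1, -1, -1):
        enc[i] = ((plain[i] + nxt) & 0xFF) ^ key[i % len(key)]
        nxt = enc[i]
    return bytes(enc)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap success check: a decoded PE/DLL payload starts with 'MZ'."""
    return blob[:2] == b"MZ"


def try_decode(data: bytes, keys=KNOWN_KEYS):
    """Try every known key with both routines; return (key, routine, blob)
    for the first combination that yields an MZ header, else None."""
    for key in keys:
        for name, fn in (("xor-sub", xor_sub_decode), ("xor", xor_decode)):
            blob = fn(data, key)
            if looks_like_pe(blob):
                return key, name, blob
    return None


# Constructed stand-in for an embedded payload: a PE-like header plus filler.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed payload stub, not a real binary"

# Constructed encoded blobs, one per variant.
SAMPLE_XOR_SUB = xor_sub_encode(SAMPLE_PAYLOAD, b"trump2020")
SAMPLE_XOR = xor_decode(SAMPLE_PAYLOAD, b"Trump2026")  # XOR is its own inverse


if __name__ == "__main__":
    for blob in (SAMPLE_XOR_SUB, SAMPLE_XOR):
        hit = try_decode(blob)
        if hit:
            key, routine, payload = hit
            print(f"key={key!r} routine={routine} payload={payload[:8]!r}...")
        else:
            print("no known key/routine matched")
```

In practice the key list would be extended as new samples are catalogued, and the "MZ" check would be replaced by a stricter validation (parsing the DOS and PE headers) before the decoded blob is handed to further analysis.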
Researchers have observed DTPacker being used by threat actors like TA2536 - a group discovered in 2017 that is known for delivering banking trojans to victims in Europe and Asia - and TA2715, a threat actor uncovered in 2016 that has previously spread malware payloads like Emotet, Ursnif and IcedID. Identified campaigns have included thousands of messages that have impacted hundreds of targets in multiple industries, they said.
Sherrod DeGrippo, vice president, Threat Research and Detection at Proofpoint, said that generally different types of payload delivery mechanisms are lightweight, so while it may be more time consuming for authors to implement additional functionality, it is not necessarily much more complicated. She noted that DTPacker’s dual capabilities as a packer and loader “speaks to the commoditization of the tool.”
“Having both packing and downloading functionality provides flexibility to the threat actors who are ostensibly customers of the developers of the malware,” said DeGrippo. “Downloading a payload from a hosted location allows the file to be modified on the server side. Using an embedded payload doesn't require reaching out to the internet which provides one less signal for detection attempts.”