DTPacker Malware

   THREAT HUNTER (GUARD YOUR DEVICE)

Threat News #0001

January 25, 2022

Threat Name: DTPacker Malware

Affected System: Devices compromised with the malware

Attack Vector: Phishing email

Threat Detail


Security researchers have identified a new malware packer and loader. The payload-decoding tool, dubbed DTPacker, uses a fixed password that contains the name of former US President Donald Trump. A notable feature of the DTPacker campaigns was the use of Liverpool Football Club-themed download locations. The malware appears to be used to deliver remote access trojans (RATs) that steal information and load further payloads such as ransomware. It is described as a two-stage commodity .NET packer or downloader whose second stage decodes the payload with that fixed password. The difference between a packer and a downloader is where the payload data resides: a packer carries it embedded in the file, while a downloader fetches it from a remote location. DTPacker uses both forms, which researchers say makes it an unusual piece of malware.

Agent Tesla, Ave Maria, AsyncRAT, and FormBook are among the RATs and information stealers distributed by DTPacker. The malware also uses a variety of obfuscation techniques to evade detection and analysis by antivirus and sandbox software. Researchers believe it is distributed through underground forums.

DTPacker has been linked to a number of campaigns and threat actors since 2020, including TA2536 and TA2715. Both advanced persistent threat (APT) and cybercrime actors are likely to use it. Thousands of messages were analyzed, and hundreds of customers across various industries were affected.

Separately, another previously unseen malware loader, Wslink, has been discovered in the wild. Wslink is unusual in that it runs as a server and executes received modules in memory. No code, functional, or operational similarities tie the loader to a known threat actor. Attacks using the loader were observed in Central Europe, North America, and the Middle East.

Suggestion

  • Install an antivirus, and keep it up-to-date and running.
  • Install a multilayered protection system to detect, prevent, and resolve malware infections and attacks.
  • Keep all operating systems and software up-to-date with the latest patches from legitimate vendors.

Impact

  • Allows attackers to deliver further malware such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook.
  • Credentials and sensitive data are compromised.
  • Enables remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.

Indicators of Compromise (IOC)

IP:
103.147.185[.]68

Domain / URL:
hahahahhasd@j[.]mp/kdwocqwqwqerheurfje
download1507[.]mediafire[.]com/af0tbthsvewg/od8k8i5brx9cpof/19[.]doc
8db3b91a-ea93-419b-b51b-0a69902759c5[.]usrfiles[.]com
kukadunikkk@kdaoskdokaodkwldld[.]blogspot[.]com/p/19[.]html
www[.]starinxxxgkular[.]duckdns[.]org/s1/19[.]txt
raw[.]githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo[.]exe
www[.]mediafire[.]com/file/qh5j3uy8qo8cpu7/FINAL+MAIN+vbs+-+Copy[.]vbs/file


Hash File:
SHA 256:
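The indicators above are published defanged (`[.]` in place of `.`) so they cannot be opened by accident, which means a defender has to refang them before matching them against logs. Several of them also sit on shared hosting (mediafire, blogspot, raw.githubusercontent.com, j.mp), where blocking or alerting on the bare hostname would flood the SOC with false positives, whereas the IP, the usrfiles subdomain and the duckdns host are attacker-controlled. The Python below is an added example, not part of this advisory: it refangs the published indicators, splits them into attacker-controlled hosts (matched on hostname) and full URLs (matched on host plus path, with a lower-confidence "review" hit when only the shared host matches), and runs them over a few constructed proxy log lines. The log format and the sample lines are assumptions made up for the example.

```python
"""Refang the published DTPacker indicators and check proxy log lines
against them.  Added example; not from the original advisory."""
from urllib.parse import urlsplit

# Indicators exactly as published in the advisory (defanged with [.]).
RAW_IOCS = [
    "103.147.185[.]68",
    "hahahahhasd@j[.]mp/kdwocqwqwqerheurfje",
    "download1507[.]mediafire[.]com/af0tbthsvewg/od8k8i5brx9cpof/19[.]doc",
    "8db3b91a-ea93-419b-b51b-0a69902759c5[.]usrfiles[.]com",
    "kukadunikkk@kdaoskdokaodkwldld[.]blogspot[.]com/p/19[.]html",
    "www[.]starinxxxgkular[.]duckdns[.]org/s1/19[.]txt",
    "raw[.]githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo[.]exe",
    "www[.]mediafire[.]com/file/qh5j3uy8qo8cpu7/FINAL+MAIN+vbs+-+Copy[.]vbs/file",
]

# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = [
    "2022-01-25T10:02:11Z 10.0.0.12 GET http://www.starinxxxgkular.duckdns.org/s1/19.txt 200",
    "2022-01-25T10:02:14Z 10.0.0.12 CONNECT 103.147.185.68:443 200",
    "2022-01-25T10:05:40Z 10.0.0.31 GET https://www.mediafire.com/file/otherid/report.pdf/file 200",
    "2022-01-25T10:06:02Z 10.0.0.31 GET https://www.example.com/index.html 200",
    "2022-01-25T10:07:55Z 10.0.0.12 GET http://download1507.mediafire.com/af0tbthsvewg/od8k8i5brx9cpof/19.doc 200",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_url(url: str):
    """Return (hostname, path) for a URL that may lack a scheme.
    urlsplit treats 'user@host' as userinfo, so the '@' forms in the
    indicator list resolve to the real host (e.g. j.mp)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or ""


def build_matchers(raw_iocs):
    """Split indicators into attacker-controlled hosts and exact URLs.
    An indicator with no path is treated as a host we can match outright;
    one with a path is matched on host+path so shared hosting is not
    blocked wholesale."""
    hosts, exact_urls = set(), set()
    for ioc in raw_iocs:
        host, path = split_url(refang(ioc))
        if path and path != "/":
            exact_urls.add(host + path)
        else:
            hosts.add(host)
    return hosts, exact_urls


def scan_logs(lines, hosts, exact_urls):
    """Return (line_no, confidence, matched_indicator) for each hit.
    'high' = attacker host or exact URL; 'review' = only the shared
    hosting domain of a published URL matched."""
    shared_hosts = {u.split("/", 1)[0] for u in exact_urls}
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line in the assumed format
        host, path = split_url(fields[3])
        key = host + path
        if host in hosts:
            hits.append((n, "high", host))
        elif key in exact_urls:
            hits.append((n, "high", key))
        elif host in shared_hosts:
            hits.append((n, "review", host))
    return hits


if __name__ == "__main__":
    hosts, urls = build_matchers(RAW_IOCS)
    for hit in scan_logs(SAMPLE_LOG, hosts, urls):
        print(hit)
```

Matching on host plus path ignores the scheme, so an indicator published as plain `http` still fires when the client fetched it over `https`. The "review" tier is deliberate: the same mediafire or blogspot domain serves legitimate traffic, so a bare-host hit there is a lead for an analyst, not an alert in its own right.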




© SAS Threat Hunter 

Contact sasmoza.enterprise Sdn. Bhd. to subscribe to this newsletter.

