[MART] - Daily Diary #438 - New Malware Packer DTPacker Discovered in the Wild

CTAS-MAT ctas-mat at appgate.com
Tue Jan 25 19:45:19 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

25/01/2021 - Diary entry #437

In several of our previous Daily Diaries, we covered malware families using packers. Packers are tools used in binaries to compress/encrypt the binary code, possibly making the file smaller. In malware, packers are used to make binary analysis harder, keeping the malicious code encrypted in the file. When the binary starts, a small function loads the uncompressed/decrypted code in memory and executes it like a regular binary. This week a previously undocumented malware packer was disclosed.

This new packer is written in .NET. When executed, the packer drops or downloads an encoded DLL, which is decrypted by a custom function and then executed in memory. The custom decryption function uses an XOR-based algorithm, with the string "trump2020" being used as the key (newer samples used the key "trump2026"). The packer was named "DTPacker" due to those references to Donald Trump.
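The following is an added example, not code from the diary or from the DTPacker analysis it summarizes. It shows how an analyst would recover an XOR-encoded payload using the two keys named above and confirm the result is a PE image. It assumes the scheme is plain repeating-key XOR (the post only says "XOR based"); the encoded sample is constructed here, not taken from a real DTPacker dropper.

```python
from itertools import cycle

# Keys named in the post. Assumption: the encoding is plain repeating-key XOR.
KNOWN_DTPACKER_KEYS = [b"trump2020", b"trump2026"]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key; symmetric, so encode == decode."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: DOS 'MZ' stub and a 'PE\\0\\0' signature at the offset stored at 0x3C."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def try_known_keys(blob: bytes, keys=KNOWN_DTPACKER_KEYS):
    """Return (key, decoded) for the first key that yields a PE image, else (None, None).

    The PE check is what separates a correct key from a near miss: a key that is
    wrong in one position still produces 'MZ' but corrupts the e_lfanew field.
    """
    for key in keys:
        decoded = xor_with_key(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None, None


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for the dropped DLL: DOS header with e_lfanew=0x40, then a PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: the fake stub encoded with the newer key (a real sample is not used).
CONSTRUCTED_SAMPLE = xor_with_key(build_fake_pe_stub(), b"trump2026")

if __name__ == "__main__":
    key, decoded = try_known_keys(CONSTRUCTED_SAMPLE)
    print("recovered key:", key)
    print("decoded is PE:", looks_like_pe(decoded) if decoded else False)
```

A practical note for triage: repeating-key XOR leaks its key wherever the plaintext contains runs of zero bytes (common in PE headers and section padding), so the key string itself tends to appear verbatim in the encoded blob, which is one reason such payloads are easy to spot and to write static signatures for.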

DTPacker was found being used by several malware families, such as Agent Tesla, Ave Maria RAT, AsyncRAT, Snake Keylogger and FormBook. This incident is a good example of how cybercrime combines different malware from different sources when launching an attack.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
