Proofpoint researchers have observed a malware packer being delivered through fake websites that mimic Liverpool Football Club’s sites.
According to US security firm Proofpoint, a new piece of malware has been embedded in a fake website designed to look exactly like the real Liverpool Football Club website.
The malware package, dubbed DTPacker, is used to distribute Remote Access Trojans (RATs) that can be used to steal information and to load follow-on attacks such as ransomware.
Proofpoint researchers observed the malware bundle using fake sites that imitate the legitimate Liverpool Football Club website and fan-related websites. The security company said that by using sites that look like real Liverpool sites, the malware’s network traffic can appear “harmless or non-malicious to someone seeing traffic to the site”, such as a security team examining traffic logs.
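The point above is that lookalike traffic is easy to wave through in a log review. As an added example (not code from the article or from Proofpoint), the script below triages constructed proxy log lines for hosts that borrow the brand name or sit within a short edit distance of an allowlisted domain. The allowlist (liverpoolfc.com taken as the club’s official domain), the brand token, the log format and every other hostname in the sample are assumptions made for the illustration; the suspicious sample hosts use the reserved `.example` TLD so they match no real site.

```python
from urllib.parse import urlsplit

# Assumption: the club's official domain(s). The article names none; a real
# deployment replaces this with its own vetted allowlist.
ALLOWLIST = {"liverpoolfc.com"}
BRAND_TOKENS = ("liverpool",)

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
# Suspicious hosts use the reserved .example TLD so they cannot collide with real sites.
SAMPLE_LOG = """\
2022-01-25T10:01:02Z 10.0.0.7 GET https://www.liverpoolfc.com/news 200
2022-01-25T10:01:09Z 10.0.0.7 GET https://liverpoolfc-tickets.example/offer.docm 200
2022-01-25T10:02:31Z 10.0.0.9 GET https://livrepoolfc.example/img/crest.png 200
2022-01-25T10:03:15Z 10.0.0.9 GET https://www.bbc.co.uk/sport/football 200
2022-01-25T10:04:44Z 10.0.0.12 GET https://cdn.liverpoolfc.com/assets/app.js 200
"""

# Minimal multi-label public suffixes so registrable_domain() does not treat
# "co.uk" as an organisation. Production code would use the full public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(host):
    """Reduce a hostname to the domain somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch transposed or swapped letters in the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host):
    """Return why a host looks like a brand lookalike, or None if it is allowlisted or unrelated."""
    dom = registrable_domain(host)
    if dom in ALLOWLIST:
        return None
    sld = dom.split(".")[0]
    for token in BRAND_TOKENS:
        if token in sld:
            return f"brand token '{token}' in non-allowlisted domain {dom}"
    for good in ALLOWLIST:
        if levenshtein(sld, good.split(".")[0]) <= 2:
            return f"{dom} is within edit distance 2 of {good}"
    return None


def triage(log_text):
    """Return (host, reason) for every log line whose host looks like a brand lookalike."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        reason = lookalike_reason(host)
        if reason:
            hits.append((host, reason))
    return hits


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Edit-distance matching on short labels produces false positives, so treat a hit as a triage signal to pair with domain registration age and with whatever the client fetched next (a document download from a lookalike host is the combination the article describes), not as a block decision on its own.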
Malware loaders usually take one of two forms, a packer or a downloader, and the main difference between them is where the payload data lives. A packer usually embeds the payload data inside a resource such as an image file, while a downloader retrieves the payload from a remote server.
But Proofpoint said DTPacker uses both forms. The company added that the malware has multiple decoding methods and uses a fixed password containing the name of former US President Donald Trump, which is why it was named DTPacker.
In many of the observed attacks, Proofpoint said, an email carrying a malicious document is the initial infection vector. DTPacker’s first stage decodes an embedded or downloaded resource, and its second stage extracts and executes the payload.
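To make the packer/downloader distinction and the two-stage decode concrete, here is an added toy model written for this edit; it is not DTPacker’s real format, key or decoding logic, and nothing in it comes from Proofpoint. It builds a small PNG, appends an XOR-obfuscated stand-in payload after the IEND chunk (the packer form), and accepts the same resource as if it had been downloaded (the downloader form); the first stage decodes, the second validates rather than executes. The key, the PNG carrier, the XOR scheme and the fake payload are all assumptions. The walk that finds data after IEND doubles as the triage check a responder would run on a suspicious image, which is why it is written as a separate function.

```python
import math
import struct
import zlib


def png_chunk(ctype, data):
    """Serialize one PNG chunk: big-endian length, type, data, CRC over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def minimal_png():
    """A valid 1x1 greyscale PNG, constructed here as the carrier image."""
    sig = b"\x89PNG\r\n\x1a\n"
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one pixel
    return sig + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def xor_obfuscate(data, key):
    """Repeating-key XOR; symmetric, so the same call packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in payload with a PE-like "MZ" prefix so stage two has
# something to sanity-check. No real executable is involved.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed-payload-body" * 4
# Assumption: a fixed key, as the article describes, but not DTPacker's real one.
STAGE1_KEY = b"example-fixed-key"


def pack_into_image(payload, key):
    """Packer form: obfuscated payload appended after the carrier PNG's IEND chunk."""
    return minimal_png() + xor_obfuscate(payload, key)


def trailing_data_after_iend(blob):
    """Walk the PNG chunk list and return whatever follows IEND (b'' for a clean file)."""
    if not blob.startswith(b"\x89PNG\r\n\x1a\n"):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return blob[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def shannon_entropy(data):
    """Bits per byte; appended data near 8.0 suggests compression or encryption."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def stage1_decode(resource, key):
    """First stage: decode the embedded or downloaded resource."""
    return xor_obfuscate(resource, key)


def stage2_extract(decoded):
    """Second stage: validate the payload. A real loader would execute it here; this model only returns it."""
    if not decoded.startswith(b"MZ"):
        raise ValueError("decoded resource is not the expected payload")
    return decoded


def unpack(carrier=None, downloaded=None, key=STAGE1_KEY):
    """Both forms behind one entry point, as the article says DTPacker does:
    take the resource from the carrier image if given, otherwise from the downloaded bytes."""
    if carrier is not None:
        resource = trailing_data_after_iend(carrier)
    elif downloaded is not None:
        resource = downloaded
    else:
        raise ValueError("no embedded or downloaded resource supplied")
    return stage2_extract(stage1_decode(resource, key))


if __name__ == "__main__":
    carrier = pack_into_image(FAKE_PAYLOAD, STAGE1_KEY)
    extra = trailing_data_after_iend(carrier)
    print(f"{len(extra)} bytes after IEND, entropy {shannon_entropy(extra):.2f} bits/byte")
    print("packer form ok:", unpack(carrier=carrier) == FAKE_PAYLOAD)
    print("downloader form ok:", unpack(downloaded=extra) == FAKE_PAYLOAD)
```

On a real sample the trailing-data check is the part worth keeping: a PNG that renders fine yet carries kilobytes of high-entropy bytes after IEND is a packer carrier until proven otherwise, regardless of which decoding method the loader uses.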
“Proofpoint has observed that DTPacker is used by both advanced persistent threat and cybercrime actors. The campaigns identified included thousands of messages and impacted hundreds of customers across multiple industries.”
DTPacker has been observed distributing several RATs and infostealers, including Agent Tesla, Ave Maria, AsyncRAT, and FormBook.
The malware has been effective in circumventing security measures, including antivirus software, due to its “multiple obfuscation techniques”, Proofpoint said, and is likely distributed in underground forums.
Proofpoint believes that DTPacker will continue to be used by several malicious actors. The company said it does not know why the malware author used Donald Trump in its fixed passwords, “because it is not used to specifically target politicians or political organizations and would not be seen by the intended victims.”
The start of 2022 has already seen a number of notable cyberattacks. On January 19, the Red Cross confirmed that it had been the victim of a “sophisticated” cyberattack which compromised the information of more than 515,000 “highly vulnerable people”.
Less than a week earlier, Ukraine had been hit by a massive cyberattack, believed to originate from Russia, that took down more than a dozen government websites. Microsoft recently warned that the cyberattack could be bigger than initially feared.