New malware kicks off, embedded in fake Liverpool FC websites

25 Jan 2022

Image: © varflolomey/

Proofpoint researchers have observed a malware packet embedded into fake websites that mimic Liverpool sites.

A new malicious malware has been embedded into a fake website designed to look exactly like the genuine Liverpool Football Club site, according to US security company Proofpoint.

The malware packet, dubbed DTPacker, is being used to distribute remote access trojans (RATs) that can be used to steal information and load follow-on attacks such as ransomware.

Proofpoint researchers have observed the malware packet using fake sites that mimic the legitimate Liverpool Football Club website and fan-related websites. The security company said that by using sites that look like genuine Liverpool sites, the network traffic can look “benign or non-malicious to someone who sees the traffic to the site”, such as a security team reviewing traffic logs.

Malware typically has two forms, a packer and a downloader, and the main difference between these is the location of the payload data. A packer typically embeds payload data in something like an image file, while the latter involves downloading the payload.

But Proofpoint said that DTPacker uses both forms. It added that the malware has multiple decoding methods and a password containing the name of former US president Donald Trump, the reason it has been named DTPacker.

In many observed attacks, Proofpoint said an email with a malicious document is the initial infection vector. The first stage of DTPacker decodes an embedded or downloaded resource, then the second stage extracts and executes the payload.

“Proofpoint has observed DTPacker used by both advanced persistent threat and cybercrime threat actors. Identified campaigns included thousands of messages and impacted hundreds of customers in multiple industries.”

DTPacker has been observed distributing multiple RATs and information stealers including Agent Tesla, Ave Maria, AsyncRAT, and FormBook.

The malware has been effective in evading security measures including antivirus software due to its “multiple obfuscation techniques”, Proofpoint said, and is likely being distributed in underground forums.

Proofpoint believes DTPacker will continue to be used by multiple threat actors. The company said it’s unknown why the malware author used Donald Trump in its fixed passwords “as it is not used to specifically target politicians or political organisations and would not be seen by the intended victims”.

The start of 2022 has already seen a number of notable cyberattacks. On 19 January, the Red Cross confirmed it was hit by a “sophisticated” cyberattack that compromised the information of more than 515,000 “highly vulnerable people”.

Less than a week earlier, Ukraine was hit by a massive cyberattack that knocked out more than a dozen government websites, suspected to have originated from Russia. Microsoft recently warned the cyberattack could be bigger than initially feared.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic