As bad actors continue to innovate in the area of sandbox evasion, the use of the Delphi programming language to pack malware code has become more and more prevalent. Researchers recently observed several spam campaigns using a specific packer written in Delphi that goes to great lengths to hunt for normal user behavior before deploying its payload.
Delphi is a legitimate integrated development environment (IDE) for rapid application development of desktop, mobile, web and console software, developed by Embarcadero Technologies. FireEye researchers have observed bad actors using it to more easily write malware that leverages Windows API functions to create anti-sandbox features.
“In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application look legit during dynamic analysis,” they said, in a Thursday posting on the trend.
FireEye recently uncovered several malware samples in circulation using a unique Delphi-written packer that’s focused on using APIs to separate analysis environments from real targets.
“We…see an increased effort to model normal user activity and baseline it as an effective countermeasure to fingerprint malware analysis environments,” the team noted. They added that it looks for straightforward behavior: For instance, normal user activity typically involves application windows being changed, and mouse movements.
“Thus, the first variant of the packer uses GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further,” the researchers explained. “To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.”
If the malware does not see the change of windows or other normal activity, it puts itself into an infinite sleep. If it does, it proceeds to unpack its payload.
“The use of Delphi based packers is accelerating,” Muhammad Irshad, senior research scientist at FireEye, told Threatpost. “The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application ‘look legit’ during dynamic analysis.”
Unpacking
Digging deeper, the analysts also found that in the samples observed, the payload is split into multiple parts that are scattered around the resource directory.
“To locate and assemble the real payload bytes, the packer code first directly reads content from a hardcoded resource ID inside the resource section,” the researchers explained. “The first 16 bytes of this form a XOR key used to decrypt rest of the bytes using rolling XOR. The decrypted bytes actually represent an internal data structure, used by the packer to reference encrypted and obfuscated buffers at various resource IDs.”
The Delphi packer then reads values from the encrypted buffers and puts the payload back together again.
“Once the final data buffer is prepared, it starts decrypting it using the same rolling XOR algorithm mentioned previously and the new key from the aforementioned structure, producing the core payload executable,” researchers said. “This script can be used to extract the real payload statically.”
A recent spate of spam campaigns with different themes are using this packer to drop their payloads, FireEye researchers noted. The lures are nothing out of the ordinary: In one case, a banking transfer request email has an attached Word document with embedded malicious macros that execute the payload. In another, a “request for quote” email carries an exploit-laden document file as an attachment, which uses an equation editor vulnerability to drop the payload.
What’s interesting is that while many of the payloads were variants of the LokiBot banking trojan/ransomware hybrid, a raft of other malware were seen too. These include the Pony stealer, IRStealer, Nanocore, Netwire, Remcos and nJRAT spyware families, along with cryptomining code. All were using the same Delphi packer.
“We found that this packer was used by many of the famous malware families,” Irshad told us. “Interestingly, one variant of the packer was using the user-activity checks based on GetForeGroundWindow API that can detect the some of the publicly available sandboxes and skip the execution of main payload.” He added, “There continues to be a vibrant market for crypters in the underground and we routinely observer cybercriminals using them in an attempt to reduce the efficacy of traditional antivirus detection.”
The diversity of malware families using Delphi implies a broad platform distribution supply chain at work.
“Many threat actors are using this crypting service/tool for their operations, possibly buying it from the developer itself,” researchers noted. “Packers and crypter services provide threat actors an easy and convenient option to outsource the workload of keeping their real payloads undetected and unclassified as long as possible.”
