What Is It?
A posting on FireEye’s Threat Research blog described a recently observed rise in the usage of crypters written in Borland’s Delphi programming language. Crypters have been used for a number of years not only to compress malware samples, but also to make them more difficult to detect and reverse engineer.
Crypters used by malware authors are generally sold on dark web forums, purchased with cryptocurrency. Crypters such as these will be sold with a code generator which uses a unique stub. The stub is the component which decrypts and loads the actual malicious code. Malware authors then pass the final malicious payload to the code generator which then creates the crypted executable, similar in concept to zipping a file and creating a self-extracting zip file. Crypters are often sold with guarantees of being undetectable by anti-virus products and, increasingly, by sandboxes.
Delphi is a programming language, initially an evolution of Turbo Pascal, first released by Borland in 1995 for Windows 3.1. Delphi has been used to write numerous pieces of malware and continues to be used for that purpose. Delphi is a so-called “high level” programming language, similar to the inimitable BASIC, in that it uses a syntax closer to a spoken language, rather than machine language. This means code development is quicker, easier and requires less skill and experience than other programming languages.
It also has an added benefit for malware authors, which may seem counter-intuitive: Delphi binaries can be more difficult to reverse engineer at the code level. This is because each Delphi command or function call compiles to a large amount of assembly code, greatly increasing the volume of code that must be studied or debugged.
The Delphi crypters described by FireEye researchers used various techniques to attempt to remain undetectable. First, the Windows API calls they included in the code are commonly used by applications with graphical user interfaces. This makes a sample more likely to appear to be benign when executed in a sandbox or scanned by endpoint anti-virus, and may slow down code-based analysis.
Next, in an effort to foil detection by sandbox environments, these crypters check for activities suggestive of being executed on a normal endpoint system. One version of the crypter waited until the currently active window changed three times before proceeding, otherwise it remained in a permanent sleep state. Other versions used more common techniques, such as waiting for mouse movement and measuring the length of time the system remained idle. If the system passes these checks, the malicious payload is extracted, decrypted and executed.
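The user-activity gates described above (waiting for the active window to change, for mouse movement, or for a minimum idle time) leave a recognisable pattern in a sandbox's API trace: the same probe API is polled repeatedly with nothing but sleeps in between, and the payload is only unpacked afterwards. The following Python is an added example of a behavioural heuristic for that pattern; it is not code from the FireEye post or from BluVector. The post names no specific Windows APIs, so the mapping of `GetForegroundWindow`, `GetCursorPos` and `GetLastInputInfo` to the three checks is an assumption about how such gates are typically implemented, and both traces are constructed for the example.

```python
"""Flag API traces that stall on user-activity probes before doing real work.

Added example, not from the original post. The probe-to-check mapping below is
an assumption; the FireEye post describes the checks but names no APIs.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed probes for the three checks the post describes.
ACTIVITY_PROBES = {
    "GetForegroundWindow": "active-window change",
    "GetCursorPos": "mouse movement",
    "GetLastInputInfo": "system idle time",
}
# Calls that do nothing but pass time between probes.
STALL_APIS = {"Sleep", "SleepEx", "WaitForSingleObject"}


@dataclass
class Verdict:
    suspicious: bool
    probe_counts: dict
    stalled_ms: int
    reasons: list = field(default_factory=list)


def analyse_trace(trace, min_polls=3, min_stall_ms=2000):
    """trace: list of (api_name, arg) where arg is the millisecond duration for
    stall APIs and None otherwise. A sample is flagged when some probe is polled
    at least min_polls times, the polling window contains at least min_stall_ms
    of sleeping, and nothing else happens inside that window (pure wait loop)."""
    probe_counts = Counter()
    first = last = None
    for i, (api, _arg) in enumerate(trace):
        if api in ACTIVITY_PROBES:
            probe_counts[api] += 1
            first = i if first is None else first
            last = i
    if first is None:
        return Verdict(False, {}, 0)

    window = trace[first:last + 1]
    stalled_ms = sum(arg or 0 for api, arg in window if api in STALL_APIS)
    other_work = [api for api, _ in window
                  if api not in ACTIVITY_PROBES and api not in STALL_APIS]

    reasons = [f"{api} polled {n} times ({ACTIVITY_PROBES[api]} check)"
               for api, n in probe_counts.items() if n >= min_polls]
    suspicious = bool(reasons) and stalled_ms >= min_stall_ms and not other_work
    if suspicious:
        reasons.append(f"{stalled_ms} ms of stalling with no other activity "
                       "between first and last probe")
    return Verdict(suspicious, dict(probe_counts), stalled_ms, reasons)


# Constructed trace: a stub that waits for the foreground window to change,
# then allocates memory and starts a thread (the unpacked payload).
EVASIVE_TRACE = [
    ("GetModuleHandleW", None),
    ("GetForegroundWindow", None), ("Sleep", 1500),
    ("GetForegroundWindow", None), ("Sleep", 1500),
    ("GetForegroundWindow", None), ("Sleep", 1500),
    ("GetForegroundWindow", None),
    ("VirtualAlloc", None),
    ("CreateThread", None),
]

# Constructed trace: an ordinary GUI application whose message loop touches
# the same probe APIs, but interleaved with real work and without sleeping.
BENIGN_GUI_TRACE = [
    ("RegisterClassExW", None), ("CreateWindowExW", None),
    ("GetMessageW", None), ("GetForegroundWindow", None), ("DispatchMessageW", None),
    ("GetMessageW", None), ("GetCursorPos", None), ("DispatchMessageW", None),
    ("GetMessageW", None), ("GetForegroundWindow", None), ("DispatchMessageW", None),
]

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_GUI_TRACE)):
        v = analyse_trace(trace)
        print(name, "suspicious" if v.suspicious else "clean", v.reasons)
```

The benign trace shows why the post's first evasion technique works: a legitimate GUI program calls the very same APIs, so the presence of the calls alone is not a signal. The heuristic instead keys on the shape of the loop (repeated probes, only sleeps between them, no other work until the loop exits). The complementary mitigation on the sandbox side is to emulate the activity the gate is waiting for, such as cycling the foreground window and moving the cursor, so that the stub proceeds to unpack its payload under observation.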
Researchers found that many of the samples using these Delphi crypters were information-stealing trojans such as LokiBot and Pony, Remote Access Trojans (RATs), and some CoinMiner variants.
How Does It Propagate?
The blog entry contains examples of two malicious spam campaigns containing malicious Excel files used as the attack vector for trojans using Delphi crypters. This is consistent with the most commonly seen vector for trojans.
When/How Did BluVector Detect It?
The blog entry contains six samples of recent malware which utilize Delphi-based crypters and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 45 months prior to their release.