Cybercriminals are increasingly using legitimate programming tools and their default libraries to evade malware detection.

According to a blog post by FireEye, many crypting services are being offered in underground forums by hackers who claim to make any malware "FUD" or "Fully Undetectable" by anti-virus technologies, sandboxes and other endpoint solutions.

"We also see an increased effort to model normal user activity and baseline it as an effective countermeasure to fingerprint malware analysis environments," researchers said.

Researchers said that the Delphi programming language has been used by hackers to write applications and programs that leverage Windows API functions. "In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application 'look legit' during dynamic analysis," said researchers.

One such campaign using this technique, observed by researchers, dropped payloads packed using a Delphi packer. Researchers said that the packer goes to great lengths to ensure that it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time.

"The first variant of the packer uses GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep," said the researchers.

To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.

Researchers said that the original payload is split into multiple binary blobs and stored in various locations inside the resource directory. To locate and assemble the real payload bytes, the packer code first directly reads content from a hardcoded resource ID inside the resource section.

According to researchers, many of the unpacked binaries that they were able to extract from the sample set were identified as belonging to the Lokibot malware family. Researchers also identified Pony, IRStealer, Nanocore, Netwire, Remcos, and nJRAT malware families, as well as a coin-mining malware family, among others.

"Packers and crypter services provide threat actors an easy and convenient option to outsource the workload of keeping their real payloads undetected and unclassified as long as possible. They are regularly finding nifty ways to bypass sandbox environments with anti-analysis techniques; hence, detonating malware samples in a sandbox environment that try to model real user behaviour is a safe bet," researchers said.

Fraser Kyne, EMEA CTO at Bromium, told SC Media UK that the industry
needs to give up on the impossible task of always detecting everything.

"Protection is the goal – and detection isn’t actually necessary for that. Detection has a role to play by filtering out some of the noise, but it needs to be augmented with robust protection using other models. By letting the malware come through in an isolated virtual environment, you can catch it in the act and only flag security alerts when there is a known threat, greatly reducing the number of false positives that are informing you of the breach after it’s too late," he said.

Ben McCarthy, senior content developer at Immersive Labs, told SC Media UK that security systems are just not looking for these types of attacks.

"The effectiveness of these types of attacks is that they not only use these more unknown services, it’s that they try to look like a legit running application; this is where Delphi becomes incredibly effective. Delphi is used for rapid development and with simple keywords can include libraries that many normal applications use; however, this technique of including junk code is not a new concept. It has been a battle that security experts have been fighting for a long time," he said.
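The three user-activity checks the researchers describe (GetForegroundWindow polled until the window changes, GetCursorPos with Sleep, GetLastInputInfo with GetTickCount, then an infinite sleep if nothing moves) leave a recognisable footprint in a sandbox's API-call trace. The following Python triage script is an added example, not FireEye's code or anything from the article. It assumes a simple, constructed trace format of one `Api(args) -> ret` call per line, and both sample traces are constructed. It flags the pattern rather than the bare presence of these APIs, because, as the article notes, legitimate Delphi applications and their default libraries call the same functions; the signal is repeated polling separated by Sleep, an unchanging result, and then an infinite sleep or no further activity. When it fires, the defensive response is the one the researchers recommend: re-detonate the sample in a sandbox that rotates windows and moves the cursor, and compare the traces.

```python
"""Triage a sandbox API-call trace for user-activity gating.

Added example (not FireEye's or SC Media's code).  Assumes a constructed,
generic trace format with one call per line: "<Api>(<args>) -> <ret>".
Real sandboxes log more fields, so the parser would need adapting.
"""
import re

# APIs the article names as user-activity probes.
ACTIVITY_APIS = {"GetForegroundWindow", "GetCursorPos",
                 "GetLastInputInfo", "GetTickCount"}
INFINITE = 0xFFFFFFFF  # the Win32 INFINITE timeout passed to Sleep()

LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>\S+)$")

# Constructed trace: a sandbox where no window is rotated and the mouse
# never moves.  GetCursorPos really returns a BOOL and fills a POINT; the
# trace shows the point as the result for brevity.
QUIET_SANDBOX_TRACE = """\
GetForegroundWindow() -> 0x000A0B2C
Sleep(1000) -> 0
GetForegroundWindow() -> 0x000A0B2C
Sleep(1000) -> 0
GetForegroundWindow() -> 0x000A0B2C
Sleep(1000) -> 0
GetCursorPos() -> (512,384)
Sleep(500) -> 0
GetCursorPos() -> (512,384)
Sleep(500) -> 0
GetCursorPos() -> (512,384)
GetLastInputInfo() -> 1
GetTickCount() -> 812345
Sleep(0xFFFFFFFF) -> 0
"""

# Constructed trace: an analyst (or an activity simulator) changed the
# foreground window three times, so the sample goes on to read its
# resource blobs instead of sleeping.
ACTIVE_DESKTOP_TRACE = """\
GetForegroundWindow() -> 0x000A0B2C
Sleep(1000) -> 0
GetForegroundWindow() -> 0x00051F7A
Sleep(1000) -> 0
GetForegroundWindow() -> 0x000C1D04
Sleep(1000) -> 0
GetForegroundWindow() -> 0x000A0B2C
FindResourceW() -> 0x00400ABC
LoadResource() -> 0x00420000
VirtualAlloc() -> 0x02A10000
"""


def parse_trace(text):
    """Return a list of (api, args, ret) tuples; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((m.group("api"), m.group("args"), m.group("ret")))
    return calls


def _sleep_ms(args):
    """Parse Sleep()'s millisecond argument; None if it is not a plain integer."""
    try:
        return int(args, 0)
    except ValueError:
        return None


def analyze(calls, min_polls=3):
    """Return a dict of findings describing user-activity gating in a trace."""
    hits = {}  # api -> [(index, ret), ...]
    for idx, (api, _, ret) in enumerate(calls):
        hits.setdefault(api, []).append((idx, ret))

    def polled(api):
        # At least min_polls calls, with a Sleep between each consecutive pair.
        h = hits.get(api, [])
        if len(h) < min_polls:
            return False
        return all(any(calls[k][0] == "Sleep" for k in range(i + 1, j))
                   for (i, _), (j, _) in zip(h, h[1:]))

    def unchanged(api):
        # Every call returned the same value: no window change / no movement.
        h = hits.get(api, [])
        return len(h) >= 2 and len({ret for _, ret in h}) == 1

    last_probe = max((i for i, (api, _, _) in enumerate(calls)
                      if api in ACTIVITY_APIS), default=-1)
    infinite_after = any(api == "Sleep" and i > last_probe
                         and _sleep_ms(args) == INFINITE
                         for i, (api, args, _) in enumerate(calls))
    # A trace that ends in a probe or a Sleep never got past the checks.
    went_quiet = bool(calls) and calls[-1][0] in ACTIVITY_APIS | {"Sleep"}

    f = {
        "foreground_polling": polled("GetForegroundWindow"),
        "foreground_never_changes": unchanged("GetForegroundWindow"),
        "cursor_polling": polled("GetCursorPos"),
        "cursor_never_moves": unchanged("GetCursorPos"),
        "idle_time_check": "GetLastInputInfo" in hits and "GetTickCount" in hits,
        "infinite_sleep_after_checks": infinite_after,
        "no_activity_after_checks": went_quiet,
    }
    probing = f["foreground_polling"] or f["cursor_polling"] or f["idle_time_check"]
    f["likely_user_activity_gating"] = probing and (infinite_after or went_quiet)
    return f


if __name__ == "__main__":
    for name, trace in (("quiet sandbox", QUIET_SANDBOX_TRACE),
                        ("active desktop", ACTIVE_DESKTOP_TRACE)):
        findings = analyze(parse_trace(trace))
        print(name, findings)
        if findings["likely_user_activity_gating"]:
            print("  -> re-detonate with user-activity simulation enabled")
```

Run on the quiet-sandbox trace, every gating finding is set and the script recommends a second detonation; on the active-desktop trace the same polling is seen, but the foreground handle changes and the sample carries on into resource access, so nothing is flagged. A single GetTickCount or one GetForegroundWindow call from an ordinary application never reaches the polling threshold, which is what keeps the heuristic from firing on the benign Delphi library code the article mentions.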