A Delphi packer is now looking for human behavior before deploying the payload

Hackers are continuously developing new ways to evade the sandbox environment; now they use the Delphi programming language to the pack malware code.
Many different hackers are using this cryptic service/tool for their operations.

Researchers recently discovered several spam campaigns that are using a specific packer written in Delphi. This packer is special because it looks for normal user behavior before deploying its payload.
For those who don’t know Delphi is a legitimate integrated development environment (IDE) for rapid application development of desktop, mobile, web and console software, developed by Embarcadero Technologies.
Now some hackers deliberately include the default Delphi libraries as a diversion to hamper static analysis and make the application look legit during dynamic analysis.

Remember everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;

Cybersecurity researchers recently uncovered several malware samples that are using a unique Delphi-written packer which is focused on using APIs to separate analysis environments from real targets.

During a malware analysis one of the variants of the packer used GetForegroundWindow API to check for the user activity of changing windows at least three times before deploying the payload; a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.
If the malware does not see any changes it enters into an infinite sleep and doesn’t proceed to unpack its payload.

All of the variants have been seen in a recent spate of spam campaigns that are using different themes. The lures are nothing out of the ordinary: In one case, a banking transfer request email has an attached Word document with embedded malicious macros that execute the payload. In another, a request for quote email carries an exploit-laden document file as an attachment, which uses an equation editor vulnerability to drop the payload.

Interesting is that many of the payloads were variants of the LokiBot banking trojan/ransomware hybrid. These include the Pony stealer, IRStealer, Nanocore, Netwire, Remcos, and nJRAT spyware families, along with crypto mining code. All were using the same Delphi packer.

We will continue to monitor this cyber problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.