Threat actors are increasingly using a Delphi packer to shield their binaries from malware classification by antivirus software and other security solutions.
FireEye examined several samples that PE identification tools flagged with the “BobSoft Mini Delphi” compiler signature and confirmed that their code constructs were consistent with Delphi-compiled code. In other words, the outer layer of these binaries was a packer written in Delphi, and classification tools that only look at the stub see a generic Delphi executable rather than the malware it unpacks at runtime.
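To make that classification step concrete, the following added example (written for this article; it is not FireEye's tooling and not the packer itself) shows how a PEiD-style byte signature with `??` wildcards and a handful of Delphi RTL/VCL string artifacts can be scanned for in a binary blob. The signature names, the second wildcard pattern, the scoring threshold and the sample bytes are assumptions constructed for illustration; the six-byte prologue `55 8B EC 83 C4 F0` is the common Delphi entry-point prologue, not the exact “BobSoft Mini Delphi” pattern, and the marker strings are real Delphi artifacts but not an exhaustive set.

```python
import re
from typing import Dict, List

# Strings the Delphi RTL/VCL leaves in compiled executables. These are real
# Delphi artifacts, but the list is a triage starting point, not a complete signature set.
DELPHI_STRINGS: List[bytes] = [
    b"SOFTWARE\\Borland\\Delphi\\RTL",  # registry key the Delphi RTL reads at startup
    b"Embarcadero",
    b"Borland",
    b"DVCLAL",                           # VCL licence-check resource name
    b"PACKAGEINFO",                      # resource listing the units linked into the binary
    b"TApplication",                     # VCL class names left behind in RTTI
    b"TForm",
]

# PEiD-style signatures: hex bytes separated by spaces, '??' = any single byte.
# Both entries are assumptions for this example (the exact "BobSoft Mini Delphi"
# pattern is not reproduced here); the first six bytes are the prologue
# push ebp / mov ebp,esp / add esp,-10h that Delphi-compiled entry points share.
DELPHI_SIGNATURES: Dict[str, str] = {
    "delphi-entry-prologue": "55 8B EC 83 C4 F0",
    "delphi-prologue-mov-call": "55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ??",
}


def sig_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Compile a PEiD-style signature into a bytes regex ('??' becomes a wildcard byte)."""
    parts = []
    for token in sig.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_signatures(data: bytes) -> Dict[str, List[int]]:
    """Return every offset at which each signature matches."""
    return {
        name: [m.start() for m in sig_to_regex(sig).finditer(data)]
        for name, sig in DELPHI_SIGNATURES.items()
    }


def find_strings(data: bytes) -> List[bytes]:
    """Return the Delphi marker strings present anywhere in the blob."""
    return [s for s in DELPHI_STRINGS if s in data]


def scan(data: bytes) -> Dict[str, object]:
    """Combine signature and string hits into a simple triage verdict.

    The threshold is a heuristic chosen for this example: any signature hit
    counts as two points, each marker string as one, and three points flags the file.
    """
    sigs = find_signatures(data)
    strings = find_strings(data)
    score = len(strings) + (2 if any(sigs.values()) else 0)
    return {"signatures": sigs, "strings": strings, "score": score, "likely_delphi": score >= 3}


# Constructed sample: a fake MZ stub followed by a Delphi-style prologue and a
# few marker strings. It is not a valid PE and is not taken from any real sample.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"\x55\x8b\xec\x83\xc4\xf0"           # push ebp; mov ebp,esp; add esp,-10h
    + b"\xb8\x10\x40\x00\x00"               # mov eax, 0x4010 (placeholder immediate)
    + b"\xe8\x20\x03\x00\x00"               # call rel32 (placeholder displacement)
    + b"\x00" * 16
    + b"SOFTWARE\\Borland\\Delphi\\RTL\x00"
    + b"DVCLAL\x00PACKAGEINFO\x00TApplication\x00"
)

if __name__ == "__main__":
    for key, value in scan(CONSTRUCTED_SAMPLE).items():
        print(f"{key}: {value!r}")
```

A hit from this kind of scan identifies a Delphi-built outer layer, which countless legitimate applications share, so it is a triage signal rather than a verdict; the actual payload only becomes visible after the stub has been unpacked in memory or by a sandbox, which is exactly the gap the packer's authors are exploiting.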
The enterprise security firm observed the packed samples being dropped in various spam campaigns. One operation used an attached document with malicious macros to download the malware. Another leveraged a document that exploited a Microsoft Office Equation Editor vulnerability to deploy its packed payload.
In its analysis, FireEye identified at least eight malware families delivered with the Delphi packer. Lokibot was by far the most prevalent, followed by the Pony downloader and the NanoCore remote access trojan. The researchers also spotted the CoinMiner cryptocurrency miner using the packer.