Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services
Animated heart-shaped cards are common during the Valentine season to heal restless hearts, and it is no secret that malware exploits this holiday, causing pain to users and security vendors alike. Here we look at an interesting sample whose startup code is evidently Delphi-compiled.
During analysis, an interesting component found in the sample was "ScriptCryptor", which makes the analysis more curious. A search on that keyword leads to a tool that is quite handy for people with minimal scripting knowledge (JavaScript or VBScript). Additionally, authors can add an arbitrary resource icon and version information to the executable file.
Despite the fact that the tool was designed to build legitimate applications, it is misused by malware authors to construct the executables under social engineering themes as shown below.
The main feature of this tool is that the original script used to generate the Delphi executable is stored inside it, encrypted with the Blowfish algorithm. Most AV scanners that scan this file treat it as an ordinary, non-encrypted Delphi executable, apply the signatures or generic heuristics written for Delphi executables, and declare the file clean. This particular sample is a password stealer that steals stored passwords from web browsers. At the time of analysis only five scanners out of 41 on VirusTotal detected this sample, and those detections were generic.
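As an added triage example (not Symantec's code or the tool's), the heuristic below looks for the two traits the post describes together: the "ScriptCryptor" builder string and a large encrypted-looking blob inside an otherwise low-entropy executable. The window size, entropy threshold and minimum blob size are assumed tuning values, and the sample bytes are constructed stand-ins, not the real file.

```python
import math
import random

MARKER = b"ScriptCryptor"  # builder name found in the sample (from the post)
WINDOW = 1024              # bytes per entropy window (assumed tuning value)
HIGH_ENTROPY = 7.0         # bits/byte; encrypted data approaches 8.0
MIN_BLOB = 2048            # smallest high-entropy run worth reporting (assumed)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_runs(data: bytes):
    """(offset, length) of each run of consecutive high-entropy windows.
    Compiled Delphi code and plain resources score well below 7 bits/byte;
    a Blowfish-encrypted script body scores close to 8."""
    runs, start = [], None
    for off in range(0, len(data), WINDOW):
        if shannon_entropy(data[off:off + WINDOW]) >= HIGH_ENTROPY:
            start = off if start is None else start
        elif start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs

def triage(data: bytes) -> dict:
    """Flag a file for manual review when the builder marker is present and a
    large encrypted-looking blob exists. This identifies ScriptCryptor output,
    not maliciousness: the wrapped script still has to be decrypted and read."""
    blobs = [r for r in high_entropy_runs(data) if r[1] >= MIN_BLOB]
    marker_at = data.find(MARKER)
    return {"marker_offset": marker_at, "encrypted_blobs": blobs,
            "review": marker_at != -1 and bool(blobs)}

# Constructed stand-in for a wrapped executable: low-entropy "code" text, the
# builder marker, then 4 KiB of seeded pseudo-random bytes standing in for the
# Blowfish-encrypted script (real ciphertext is not reproducible here).
SAMPLE = (b"MZ" + b"plain Delphi code stand-in\x00" * 150
          + MARKER + b"\x00" * 7 + random.Random(7).randbytes(4096))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Legitimate ScriptCryptor applications trigger the same heuristic, so treat a hit as a reason to extract and inspect the script, not as a verdict.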
Given the awareness created by AV blogs and other resources, this Valentine's Day can be a heartbreaker for many malicious hearts, as Symantec Hosted Services is staging interceptions to protect our customers.