
Induc, the innovative file infector

We recently added detection for a file infector to our databases, for something we call Virus.Win32.Induc.a. Since then, we’ve had a load of questions about it. It doesn’t currently have a malicious payload, and it doesn’t directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine, looking for versions 4.0, 5.0, 6.0 and 7.0.

If the malware does find one of these Delphi versions, it copies SysConst.pas to Lib and writes its code into it. It then makes a backup of SysConst.dcu, calling it SysConst.bak (dcu files are kept in Lib). Next it compiles Lib\SysConst.pas, giving an infected version of SysConst.dcu. The modified .pas file is then deleted.

"uses windows;
var sc:array[1..24] of string=('uses windows; var sc:array[1..24] of string=(', 'function x(s:string):string;var i:integer;begin for i:=1 to length(s) do if s[i]',
'=#36 then s[i]:=#39;result:=s;end;procedure re(s,d,e:string);var f1,f2:textfile;', 'h:cardinal;f:STARTUPINFO;p:PROCESS_INFORMATION;b:boolean;t1,t2,t3:FILETIME;begin',
'h:=CreateFile(pchar(d+$bak$),0,0,0,3,0,0);if h<>DWORD(-1) then begin CloseHandle', "

The result – any Delphi program compiled on the computer gets infected. (We’ve already had a company contacting us to complain about something they thought was a false positive.) Maybe this particular virus isn’t that much of a threat: it’s not the first time we’ve seen this propagation method, the code itself is primitive, there’s no other payload, and there are far easier ways to infect machines. But in the past we’ve seen new infection routines get picked up, tweaked, and taken further. We’ll be keeping an eye on this one, just in case.
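The infection chain described above leaves file-level traces in the Delphi Lib directory: a SysConst.bak backup of the original unit, a rebuilt SysConst.dcu, and (until it is deleted) a SysConst.pas that does not normally live there. The following script is an added example, not code from the original post or from Kaspersky, showing how a defender could check a Delphi installation for those traces. The Delphi root paths, the known-good baseline hash, the assumption that the virus's string constants survive compilation into the .dcu, and the demo directory tree are all assumptions or constructed data.

```python
# Added example (not from the original post): a defender-side check for the
# traces the post describes in a Delphi Lib directory:
#   * SysConst.bak  - backup of the original SysConst.dcu made by the infector
#   * SysConst.pas  - modified source copied into Lib (normally deleted afterwards)
#   * SysConst.dcu  - hash mismatch against a known-good baseline or against
#                     SysConst.bak, or the virus's own source text inside it
# Install paths, baseline handling and the demo tree are assumptions/constructed.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Text from the virus's self-reproducing source (quoted in the post). Assumption:
# it is compiled in as a string constant and so appears in an infected .dcu.
INDUC_MARKER = b"var sc:array[1..24] of string=("


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_delphi_lib(lib_dir: Path, baseline_dcu_sha256: Optional[str] = None) -> List[str]:
    """Return findings for one Delphi Lib directory (empty list = nothing suspicious)."""
    findings: List[str] = []
    dcu = lib_dir / "SysConst.dcu"
    bak = lib_dir / "SysConst.bak"
    pas = lib_dir / "SysConst.pas"

    if bak.exists():
        findings.append("SysConst.bak present: backup of the original .dcu left by the infector")
    if pas.exists():
        findings.append("SysConst.pas present in Lib: modified source was not cleaned up")
    if not dcu.exists():
        return findings

    dcu_hash = sha256_file(dcu)
    if baseline_dcu_sha256 and dcu_hash != baseline_dcu_sha256.lower():
        findings.append("SysConst.dcu differs from the known-good baseline hash")
    if bak.exists() and sha256_file(bak) != dcu_hash:
        findings.append("SysConst.dcu differs from SysConst.bak: the unit was rebuilt")
    if INDUC_MARKER in dcu.read_bytes():
        findings.append("Induc source marker found inside SysConst.dcu")
    return findings


def scan_delphi_roots(roots) -> Dict[str, List[str]]:
    """Check the Lib subdirectory of each Delphi root (e.g. an assumed
    C:\\Program Files\\Borland\\Delphi7); returns {lib_path: findings}."""
    results: Dict[str, List[str]] = {}
    for root in roots:
        lib = Path(root) / "Lib"
        if lib.is_dir():
            results[str(lib)] = check_delphi_lib(lib)
    return results


def build_demo() -> Tuple[Path, Path, str]:
    """Construct a clean and an 'infected' Delphi tree in a temp dir (sample data
    only; the file contents are placeholders, not real compiled units)."""
    base = Path(tempfile.mkdtemp(prefix="induc_demo_"))
    original_dcu = b"DCU\x00 clean SysConst unit (constructed placeholder)"

    clean = base / "Delphi7_clean"
    (clean / "Lib").mkdir(parents=True)
    (clean / "Lib" / "SysConst.dcu").write_bytes(original_dcu)

    infected = base / "Delphi7_infected"
    (infected / "Lib").mkdir(parents=True)
    (infected / "Lib" / "SysConst.bak").write_bytes(original_dcu)   # backup of original
    (infected / "Lib" / "SysConst.dcu").write_bytes(                # rebuilt unit
        b"DCU\x00 rebuilt unit uses windows; " + INDUC_MARKER + b"'...')"
    )
    return clean, infected, hashlib.sha256(original_dcu).hexdigest()


if __name__ == "__main__":
    clean_root, infected_root, baseline = build_demo()
    for lib, findings in scan_delphi_roots([clean_root, infected_root]).items():
        print(lib, "->", findings or "clean")
```

In real use, point scan_delphi_roots at the install directories of the Delphi versions the post lists (4.0 to 7.0) and pass a baseline hash taken from a trusted SysConst.dcu of the same version; the bak-versus-dcu comparison and the marker search work even without a baseline.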
