Once the two encrypted strings are decrypted (via XOR), it becomes clear that the function manipulates the Windows Defender exclusion list by adding the location of this program to it. Due to the nature of the executable being used in the sideloading, the malware is less lightly to be flagged as malicious by antivirus software. Since both PRELUDE and DELPHYS share the same directory, this setting protects both malwares. Hence the name PRELUDE, taken from Sergei Rachmaninoff’s “Prelude in C Sharp Minor” because the malware is written in C# and is the first executed in order to prep the system for later stages.
StartTestMethod()
This function creates a thread to run the function “TestMethod24.”

Figure 11 – TestMethod24() source code
TestMethod24() opens a Transmission Control Protocol (TCP) socket to a domain on port 443. It then launches cmd.exe and redirects StandardOutput, StandardError and StandardInput between the TCP object and cmd.exe process object. As such, this a classic TCP reverse shell, which was validated from packet capture in a simulated network environment.

Figure 12 – Data from packet capture showing remote shell traffic
StartScreenMethod()
This function creates a thread to run the function “ScreenMethod,” which in turn calls a method Watch.SaveScreenshot.

Figure 13 – StartScreenMethod() source code

Figure 14 – SaveScreenshot() source code
The function Watch.SaveScreenshot performs a screen capture of the Windows desktop and encodes the result as a string inside a dictionary object, which it passes to the SendErrorLog function alongside a variable containing a hardcoded URL resource.

Figure 15 – SendErrorLog() source code
Finally, the SendErrorLog function takes the screenshot, wraps it in a POST request and sends it to the C2 server over an HTTP. In short, StartScreenMethod() captures screenshots and sends them to the C2 server. This functionality was also validated via extracting an image payload from the package capture during a simulated network dynamic test.

Figure 16 – Screenshot taken by malware during dynamic analysis, extracted from the network packet capture
PRELUDE Summary
PRELUDE is a simple backdoor that provides a reverse shell and the ability to take screenshots. It also sets the stage for the following malware by modifying the Windows Defender exclusion lists.
DELPHYS Loader
DELPHYS is a 64-bit Delphi loader distributed in EXE form. A 64-bit Delphi is not well supported in common reverse engineering tools. While DELPHYS does not display a graphical user interface (GUI), it was created as a GUI application, meaning the compiler included a large amount of effectively redundant code that would normally be used for rendering and behaving as a GUI application. This extra code makes it harder to find the comparatively small amount of malicious code that lies within.
Initial Identification
Doing an initial “strings” on the binary indicated that we were dealing with a higher-level language due to the amount of class names that were easily visible. This combined with the amount of those class names that began with the letter “T,” meant that the higher-level language was likely to be Delphi. This theory was easily tested by looking for the string with “Delphi,” which provided us with the Delphi compiler version: 29.0, indicating this sample was compiled with Delphi XE8 from 2015.

Figure 17 – Screenshot showing “T” classes and other indicative Delphi strings
Payload Extraction Routine
When looking at the sample in a static analysis tool, we found some code that the tool had not automatically detected as a function but appeared to be such.

Figure 18 – Code looking like a function, but undetected as such by automated analysis of static analyzer
This code appeared interesting as it contained calls to VirtualAlloc:

Figure 19 - Section of code calling VirtualAlloc
Decompiling that section with Ghidra results in a function with interesting behavior:

Figure 20 – Suspicious function decompiled
First, the code loads a resource from the binary by using a string identifier.
Then it allocates two memory areas with protection set to 0x40 (PAGE_EXECUTE_READWRITE), allowing execution of these areas.
Then it processes from the resource into the memory areas.
Then it proceeds to code that modifies the memory in a way that looks like a decryption routine. (The StrokePath call always returns zero, so its purpose seems unclear; it is possibly there to make the loop look like it has a legitimate purpose.)
Finally, it calls another function with no parameters before returning.
The function called just before the return simply loads an address located in memory into a register and does an unconditional jump (JMP) to it.

Figure 21 – Function that unconditionally jumps to memory location
Going back to our original function, we can see that same memory location being set with a location at an offset within one of the executable memory sections.

Figure 22 – Setting of memory location for unconditional jump
Running the sample in a debugger with a break point set to just before the unconditional jump instruction, we can see that the executable buffer contains a Portable Executable (PE) file, and the program is about to jump execution to and offset within that executable file. Hence, the name DELPHYS because the loader is written in Delphi and another malicious executable is nested inside it.

Figure 23 – Screenshot debugger running DELPHYS showing execution about to pass to nested PE file
Kroll dumped the memory containing the PE file to disk and determined this file to be Demon, the agent for the open-source HAVOC C2 framework.
DELPHYS Summary
While DELPHYS is a larger file size, its main purpose appears to be to extract into memory and execute an executable nested within it. The fact that it is written in 64-bit Delphi makes it harder to statically analyze due to the volume of excess code and less out-of-the-box support in static analysis tools.
This investigation revealed the lengths a dedicated threat actor, KTA440, went through to target an individual, likely after significant amounts of recognisance on the intended target, and a social engineering campaign that led to deployment of novel malware to the victim’s device. KTA440 displays skills and capabilities consistent with actors familiar with defense evasion, the capabilities of endpoint detection and response tools and antivirus, and a clear path to chain exploitation of the target device.
An additional sign of sophistication is the presence of multiple technologies for each step in the attack chain. Delphi binaries are a lesser-used language. This means that many tools and detections are not written to enable rapid analysis of Delphi binaries. Delphi binaries also do not tend to have a high number of dependencies, resulting in a larger binary that often becomes more time-consuming to analyze. Any compiled software can be analyzed given enough time and effort. If an actor is confident this will be time-consuming, they may have more time for actions on objectives and a slower reverse engineering process of their tooling during the incident response. For theft, this can result in valuable time to tumble currencies and clean up their tracks.