SLOW#TEMPEST Hackers Undertake New Evasion Techniques to Bypass Detection Techniques

Safety researchers have uncovered a classy evolution within the SLOW#TEMPEST malware marketing campaign, the place risk actors are deploying progressive obfuscation strategies to evade detection and complicate evaluation.

This variant, distributed by way of an ISO file containing a mixture of benign and malicious parts, leverages DLL sideloading by means of a official signed binary, DingTalk.exe, to load a malicious DLL named zlibwapi.dll.

This loader DLL decrypts and executes an embedded payload appended to a different file, ipc_core.dll, making certain malicious execution solely happens when each parts are current.

The marketing campaign’s ways, together with management move graph (CFG) obfuscation by way of dynamic jumps and obfuscated perform calls, considerably hinder static and dynamic evaluation, forcing safety practitioners to make use of superior emulation and scripting to dissect the code.

Superior Obfuscation Methods

Within the realm of CFG obfuscation, the malware employs dynamic jumps, reminiscent of JMP RAX directions, the place goal addresses are computed at runtime based mostly on register values, reminiscence contents, and CPU flags just like the Zero Flag (ZF) and Carry Flag (CF).

These jumps disrupt predictable execution paths, rendering conventional decompilers like Hex-Rays ineffective by producing incomplete pseudocode.

Analysts countered this by utilizing IDAPython scripts to establish dispatchers sequences of 9 directions previous every soar that implement two-way branching by way of conditional strikes (e.g., CMOVNZ) or units (e.g., SETNL).

By emulating these dispatchers with the Unicorn framework, researchers extracted bytecodes and simulated executions twice per dispatcher to disclose each true and false department locations.

In accordance with the Report, Patching the IDA Professional database with direct jumps restored the unique management move, enabling full decompilation and exposing additional layers of evasion.

Constructing on this, obfuscated perform calls additional masks the malware’s intent by dynamically resolving addresses at runtime, usually invoked by way of CALL RAX, obscuring Home windows API invocations like GlobalMemoryStatusEx.

This system prevents quick identification of malicious behaviors throughout static evaluation.

Using an identical emulation technique, scripts resolved these name targets and set callee addresses in IDA Professional, permitting automated labeling of perform arguments and variable renaming.

Put up-deobfuscation, the loader DLL’s core performance emerged clearly: it performs an anti-sandbox examine, continuing provided that the system has at the very least 6 GB of RAM, earlier than unpacking and executing the payload in reminiscence.

Such checks exploit useful resource disparities between evaluation environments and actual targets, enhancing stealth.

Implications for Cybersecurity

The SLOW#TEMPEST marketing campaign underscores the escalating arms race in malware growth, the place dynamic evasion ways problem signature-based detections and necessitate hybrid static-dynamic approaches.

By sharing these insights by means of the Cyber Risk Alliance, organizations can bolster protections, with instruments like Palo Alto Networks’ Superior WildFire detecting samples by way of behavioral evaluation, and Cortex XDR/XSIAM stopping executions by means of machine studying and shellcode AI modules.

For potential compromises, quick contact with incident response groups is suggested.

This evaluation not solely demystifies the malware’s anti-analysis arsenal but in addition equips defenders with actionable strategies, reminiscent of emulation scripts, to counter related threats in an period of more and more refined cyberattacks.

Indicators of Compromise (IOCs)

Keep Up to date on Day by day Cybersecurity Information. Comply with us on Google Information, LinkedIn, and X.