SLOW#TEMPEST Hackers Undertake New Evasion Techniques to Bypass Detection Programs

By Admin
July 11, 2025


Security researchers have uncovered a sophisticated evolution of the SLOW#TEMPEST malware campaign, in which the threat actors deploy new obfuscation techniques to evade detection and complicate analysis.

This variant, distributed as an ISO file containing a mix of benign and malicious components, uses DLL sideloading through a legitimate signed binary, DingTalk.exe, to load a malicious DLL named zlibwapi.dll.

The loader DLL decrypts and executes an embedded payload appended to another file, ipc_core.dll, so the malicious code only runs when both components are present.

The campaign's tactics, including control flow graph (CFG) obfuscation via dynamic jumps and obfuscated function calls, significantly hinder static and dynamic analysis, forcing analysts to rely on emulation and scripting to dissect the code.

Advanced Obfuscation Techniques

For CFG obfuscation, the malware uses dynamic jumps such as JMP RAX, where the target address is computed at runtime from register values, memory contents, and CPU flags such as the Zero Flag (ZF) and Carry Flag (CF).

[Figure: Code to find dynamic jumps.]

These jumps break the predictable execution paths that decompilers such as Hex-Rays depend on, leaving them with incomplete pseudocode.

Analysts countered this with IDAPython scripts that identify dispatchers: sequences of nine instructions preceding each jump that implement two-way branching through conditional moves (e.g., CMOVNZ) or conditional sets (e.g., SETNL).

By emulating these dispatchers with the Unicorn framework, the researchers extracted the dispatcher bytes and ran each one twice, revealing both the true and false branch destinations.

According to the report, patching the IDA Pro database with direct jumps restored the original control flow, enabling full decompilation and exposing further layers of evasion.

Building on this, obfuscated function calls further mask the malware's intent by resolving addresses at runtime, often invoked via CALL RAX, which hides Windows API calls such as GlobalMemoryStatusEx.

This technique prevents quick identification of malicious behaviors during static analysis.

Using a similar emulation approach, scripts resolved these call targets and set the callee addresses in IDA Pro, enabling automatic labeling of function arguments and variable renaming.

After deobfuscation, the loader DLL's core functionality became clear: it performs an anti-sandbox check, proceeding only if the system has at least 6 GB of RAM, before unpacking and executing the payload in memory.

Such checks exploit the resource gap between analysis environments and real targets, improving stealth.
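The two emulation steps described above (run each dispatcher twice, once per state of the flag it tests, to recover both branch destinations; then resolve CALL RAX stubs the same way and record the callee) can be sketched without Unicorn or IDA Pro. The block below is an added example, not Unit 42's script and not code from the SLOW#TEMPEST sample: it models a handful of registers and the ZF/CF/SF/OF flags in plain Python, and the instruction sequences and addresses it resolves are constructed stand-ins, not the real dispatcher bytes.

```python
# Added example (not Unit 42's IDAPython/Unicorn script, not the malware's
# code): a tiny register/flag model that resolves constructed dispatcher
# sequences by running each one twice, with the tested condition true and false.

MASK64 = (1 << 64) - 1
DEFAULT_FLAGS = {"ZF": 0, "CF": 0, "SF": 0, "OF": 0}

# Condition codes for CMOVcc / SETcc / Jcc, evaluated against a flags dict.
# ZF and CF are the flags the article names; NL/L additionally need SF and OF.
CONDITIONS = {
    "z":  lambda f: f["ZF"] == 1,
    "nz": lambda f: f["ZF"] == 0,
    "b":  lambda f: f["CF"] == 1,
    "nb": lambda f: f["CF"] == 0,
    "l":  lambda f: f["SF"] != f["OF"],
    "nl": lambda f: f["SF"] == f["OF"],
}


def emulate(instrs, flags):
    """Run one sequence under fixed flags; return the value the final
    JMP reg / CALL reg transfers control to. Instruction tuples:
    ("mov", dst, src), ("lea", dst, base, disp), ("add"/"imul", dst, src),
    ("cmovcc", dst, src), ("setcc", dst), ("jmp"/"call", reg)."""
    regs = {}

    def val(x):  # operand is a register name or an immediate
        return regs.get(x, 0) if isinstance(x, str) else x

    for op, *args in instrs:
        if op == "mov":
            regs[args[0]] = val(args[1]) & MASK64
        elif op == "lea":
            regs[args[0]] = (val(args[1]) + args[2]) & MASK64
        elif op == "add":
            regs[args[0]] = (val(args[0]) + val(args[1])) & MASK64
        elif op == "imul":
            regs[args[0]] = (val(args[0]) * val(args[1])) & MASK64
        elif op.startswith("cmov"):  # dst = src only if the condition holds
            if CONDITIONS[op[4:]](flags):
                regs[args[0]] = val(args[1])
        elif op.startswith("set"):   # dst = 1 if the condition holds else 0
            regs[args[0]] = 1 if CONDITIONS[op[3:]](flags) else 0
        elif op in ("jmp", "call"):
            return val(args[0])
        else:
            raise ValueError(f"unsupported instruction: {op}")
    raise ValueError("sequence did not end in an indirect jmp/call")


def find_condition(instrs):
    """Condition code the sequence branches on, or None if unconditional."""
    for op, *_ in instrs:
        if op.startswith("cmov"):
            return op[4:]
        if op.startswith("set"):
            return op[3:]
    return None


def flags_for(cond, taken):
    """Any ZF/CF/SF/OF assignment under which `cond` evaluates to `taken`."""
    for bits in range(16):
        f = {"ZF": bits & 1, "CF": (bits >> 1) & 1,
             "SF": (bits >> 2) & 1, "OF": (bits >> 3) & 1}
        if CONDITIONS[cond](f) == taken:
            return f
    raise ValueError(f"condition {cond} is never {taken}")


def resolve_dispatcher(instrs):
    """Emulate twice (condition true, condition false) and report both targets."""
    kind, cond = instrs[-1][0], find_condition(instrs)
    if cond is None:  # e.g. an obfuscated CALL RAX stub: a single target
        target = emulate(instrs, DEFAULT_FLAGS)
        return {"kind": kind, "cond": None, "true": target, "false": target}
    return {"kind": kind, "cond": cond,
            "true": emulate(instrs, flags_for(cond, True)),
            "false": emulate(instrs, flags_for(cond, False))}


def patch_plan(result):
    """Text of the direct branch that would replace the dispatcher in the
    IDA database to restore the original control flow."""
    if result["kind"] == "call":
        return f"call 0x{result['true']:x}"
    if result["cond"] is None or result["true"] == result["false"]:
        return f"jmp 0x{result['true']:x}"
    return f"j{result['cond']} 0x{result['true']:x}; jmp 0x{result['false']:x}"


# Constructed sample sequences with hypothetical addresses (not real bytes).
DISPATCHER_CMOV = [  # two-way branch via CMOVNZ
    ("mov", "rax", 0x140001000), ("mov", "rcx", 0x140002000),
    ("cmovnz", "rax", "rcx"), ("jmp", "rax"),
]
DISPATCHER_SET = [   # two-way branch via SETNL plus arithmetic
    ("setnl", "rdx"), ("mov", "rax", 0x1000), ("imul", "rax", "rdx"),
    ("lea", "rax", "rax", 0x140003000), ("jmp", "rax"),
]
CALL_STUB = [        # runtime-resolved address invoked via CALL RAX
    ("mov", "rax", 0x7FF800000000), ("add", "rax", 0x1234), ("call", "rax"),
]
```

Calling `patch_plan(resolve_dispatcher(DISPATCHER_CMOV))` yields `jnz 0x140002000; jmp 0x140001000`, which is the direct conditional branch an analyst would patch over the dispatcher; the SETNL variant resolves to `jnl 0x140004000; jmp 0x140003000`, and the call stub to `call 0x7ff800001234`. The model deliberately stops at registers and flags: the real dispatchers also read memory, which is why the researchers used a full CPU emulator rather than a toy like this.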

Implications for Cybersecurity

The SLOW#TEMPEST campaign underscores the escalating arms race in malware development, where dynamic evasion tactics defeat signature-based detection and call for hybrid static-dynamic approaches.

By sharing these insights through the Cyber Threat Alliance, organizations can strengthen their defenses; tools such as Palo Alto Networks' Advanced WildFire detect the samples through behavioral analysis, and Cortex XDR/XSIAM block execution using machine learning and shellcode AI modules.

Organizations that suspect a compromise are advised to contact an incident response team promptly.

This analysis not only demystifies the malware's anti-analysis arsenal but also equips defenders with actionable techniques, such as emulation scripts, to counter similar threats in an era of increasingly sophisticated cyberattacks.

Indicators of Compromise (IOCs)

SHA256 hash | File size | Description
a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc | 7.42 MB | ISO file distributed in the SLOW#TEMPEST campaign
3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c | 1.64 MB | DLL used to load and execute the payload
3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978 | 1.64 MB | DLL with the encrypted payload in its overlay section
