Security researchers have uncovered a sophisticated evolution within the SLOW#TEMPEST malware campaign, in which threat actors are deploying innovative obfuscation techniques to evade detection and complicate analysis.
This variant, distributed via an ISO file containing a mix of benign and malicious components, leverages DLL sideloading through a legitimate signed binary, DingTalk.exe, to load a malicious DLL named zlibwapi.dll.
This loader DLL decrypts and executes an embedded payload appended to another file, ipc_core.dll, ensuring that malicious execution only occurs when both components are present.
The campaign's tactics, including control flow graph (CFG) obfuscation via dynamic jumps and obfuscated function calls, significantly hinder static and dynamic analysis, forcing security practitioners to use advanced emulation and scripting to dissect the code.
Advanced Obfuscation Techniques
In the realm of CFG obfuscation, the malware employs dynamic jumps, such as JMP RAX instructions, where target addresses are computed at runtime based on register values, memory contents, and CPU flags like the Zero Flag (ZF) and Carry Flag (CF).
These jumps disrupt predictable execution paths, rendering traditional decompilers like Hex-Rays ineffective by producing incomplete pseudocode.
Analysts countered this by using IDAPython scripts to identify dispatchers: sequences of nine instructions preceding each jump that implement two-way branching via conditional moves (e.g., CMOVNZ) or conditional sets (e.g., SETNL).
By emulating these dispatchers with the Unicorn framework, researchers extracted the relevant bytecode and simulated execution twice per dispatcher to reveal both the true and false branch destinations.
According to the report, patching the IDA Pro database with direct jumps restored the original control flow, enabling full decompilation and exposing further layers of evasion.
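As an added example, not code from the original report or the researchers' tooling: a minimal Python model of the two-run dispatcher resolution described above. A small hand-written interpreter over a constructed instruction list stands in for Unicorn so it runs offline; the dispatcher sequences, register names and addresses are constructed placeholders, not bytes recovered from the sample.

```python
MASK64 = (1 << 64) - 1

# Constructed dispatchers (placeholder addresses, not bytes from the sample).
DISPATCHER_CMOVNZ = [              # branch taken when ZF == 0
    ("mov", "rax", 0x140001A00),   # not-taken target
    ("mov", "rcx", 0x140001B40),   # taken target
    ("cmovnz", "rax", "rcx"),
    ("jmp", "rax"),
]
DISPATCHER_SETNL = [               # branch taken when SF == OF
    ("mov", "rax", 0x140002000),   # base target
    ("setnl", "cl"),
    ("movzx", "rcx", "cl"),
    ("imul", "rcx", 0x40),         # distance to the taken target
    ("add", "rax", "rcx"),
    ("jmp", "rax"),
]

# Flag states forcing each predicate to (not taken, taken), plus its direct Jcc.
PREDICATES = {
    "cmovnz": ((dict(ZF=1, SF=0, OF=0), dict(ZF=0, SF=0, OF=0)), "jnz"),
    "setnl":  ((dict(ZF=0, SF=1, OF=0), dict(ZF=0, SF=0, OF=0)), "jnl"),
}

def emulate(dispatcher, flags):
    """Tiny interpreter standing in for Unicorn: returns the JMP RAX target."""
    regs = {}
    for op, dst, *src in dispatcher:
        if op == "mov":      regs[dst] = src[0]
        elif op == "cmovnz": regs[dst] = regs[src[0]] if not flags["ZF"] else regs[dst]
        elif op == "setnl":  regs[dst] = int(flags["SF"] == flags["OF"])
        elif op == "movzx":  regs[dst] = regs[src[0]] & 0xFF
        elif op == "imul":   regs[dst] = (regs[dst] * src[0]) & MASK64
        elif op == "add":    regs[dst] = (regs[dst] + regs[src[0]]) & MASK64
        elif op == "jmp":    return regs[dst]
        else: raise ValueError(f"unsupported instruction {op}")
    raise ValueError("dispatcher did not end in an indirect jump")

def resolve_branches(dispatcher):
    """Run the dispatcher once per predicate outcome and return
    (not_taken_target, taken_target), the two edges hidden behind JMP RAX."""
    pred = next(op for op, *_ in dispatcher if op in PREDICATES)
    (flags_nt, flags_t), _ = PREDICATES[pred]
    return emulate(dispatcher, flags_nt), emulate(dispatcher, flags_t)

def patch_plan(dispatcher):
    """Direct jumps that restore the original control flow once patched in."""
    not_taken, taken = resolve_branches(dispatcher)
    jcc = PREDICATES[next(op for op, *_ in dispatcher if op in PREDICATES)][1]
    return [f"{jcc} {taken:#x}", f"jmp {not_taken:#x}"]
```

With real samples the same two-run loop is driven from IDAPython over the dispatcher's bytes, and the resulting Jcc/JMP pair is what gets written back into the database.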
Building on this, obfuscated function calls further mask the malware's intent by dynamically resolving addresses at runtime, often invoked via CALL RAX, obscuring Windows API invocations like GlobalMemoryStatusEx.
This technique prevents rapid identification of malicious behaviors during static analysis.
Using a similar emulation strategy, scripts resolved these call targets and set the callee addresses in IDA Pro, allowing automated labeling of function arguments and variable renaming.
Post-deobfuscation, the loader DLL's core functionality emerged clearly: it performs an anti-sandbox check, proceeding only if the system has at least 6 GB of RAM, before unpacking and executing the payload in memory.
Such checks exploit resource disparities between analysis environments and real targets, enhancing stealth.
Implications for Cybersecurity
The SLOW#TEMPEST campaign underscores the escalating arms race in malware development, where dynamic evasion tactics challenge signature-based detections and necessitate hybrid static-dynamic approaches.
By sharing these insights through the Cyber Threat Alliance, organizations can bolster protections, with tools like Palo Alto Networks' Advanced WildFire detecting samples via behavioral analysis, and Cortex XDR/XSIAM preventing execution through machine learning and shellcode AI modules.
For potential compromises, prompt contact with incident response teams is advised.
This analysis not only demystifies the malware's anti-analysis arsenal but also equips defenders with actionable techniques, such as emulation scripts, to counter similar threats in an era of increasingly sophisticated cyberattacks.
Indicators of Compromise (IOCs)
| SHA256 Hash | File Size | Description |
|---|---|---|
| a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc | 7.42 MB | ISO file distributed in the SLOW#TEMPEST campaign |
| 3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c | 1.64 MB | DLL used to load and execute the payload |
| 3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978 | 1.64 MB | DLL with the encrypted payload in its overlay section |