    SLOW#TEMPEST Hackers Undertake New Evasion Techniques to Bypass Detection Methods

By Declan Murphy, July 12, 2025

Security researchers have uncovered a sophisticated evolution in the SLOW#TEMPEST malware campaign, in which the threat actors deploy novel obfuscation techniques to evade detection and complicate analysis.

This variant, distributed via an ISO file containing a mix of benign and malicious components, relies on DLL sideloading: a legitimate signed binary, DingTalk.exe, loads a malicious DLL named zlibwapi.dll.

This loader DLL decrypts and executes an embedded payload appended to another file, ipc_core.dll, so that malicious execution only occurs when both components are present.

The campaign's tactics, including control flow graph (CFG) obfuscation via dynamic jumps and obfuscated function calls, significantly hinder static and dynamic analysis, forcing security practitioners to rely on emulation and scripting to dissect the code.

Advanced Obfuscation Techniques

For CFG obfuscation, the malware employs dynamic jumps, such as JMP RAX instructions, where the target address is computed at runtime from register values, memory contents, and CPU flags such as the Zero Flag (ZF) and Carry Flag (CF).

Figure: Code to find dynamic jumps.

These jumps break predictable execution paths, rendering traditional decompilers like Hex-Rays ineffective, as they produce incomplete pseudocode.

Analysts countered this with IDAPython scripts that identify dispatchers: sequences of 9 instructions preceding each jump that implement two-way branching via conditional moves (e.g., CMOVNZ) or conditional sets (e.g., SETNL).

By emulating these dispatchers with the Unicorn framework, the researchers extracted their bytes and ran each dispatcher twice, once per flag state, to reveal both the true and the false branch destination.

According to the report, patching the IDA Pro database with direct jumps restored the original control flow, enabling full decompilation and exposing further layers of evasion.
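The two-run emulation described above, as an added illustration rather than the researchers' own IDAPython/Unicorn script: a tiny interpreter for a constructed dispatcher in the JMP RAX style is executed once with ZF set and once with ZF clear to recover both destinations, and the result is turned into the direct-jump patch that replaces the dispatcher. The same approach resolves the CALL RAX targets discussed next. The image base, offsets and instruction shape are assumptions made for the example.

```python
"""Resolve a CFG dispatcher ending in JMP RAX by emulating it under both flag states."""
MASK64 = 0xFFFFFFFFFFFFFFFF
BASE = 0x180001000  # assumed image base of the loader DLL (constructed value)

# Constructed dispatcher: (mnemonic, destination, source). Strings are registers,
# ints are immediates. The real sample computes the base with a RIP-relative LEA.
DISPATCHER = [
    ("mov",    "rax", 0x2F4),   # candidate target A, relative to BASE
    ("mov",    "rcx", 0x3A8),   # candidate target B
    ("cmovnz", "rax", "rcx"),   # choose B when ZF is clear
    ("mov",    "rdx", BASE),
    ("add",    "rax", "rdx"),   # rax = absolute target
    ("jmp",    "rax", None),    # dynamic jump
]

def emulate(dispatcher, zf):
    """Run the dispatcher with a fixed Zero Flag and return the JMP target."""
    regs = {}
    def val(op):
        return regs[op] if isinstance(op, str) else op
    for mnem, dst, src in dispatcher:
        if mnem == "mov":
            regs[dst] = val(src)
        elif mnem == "add":
            regs[dst] = (regs[dst] + val(src)) & MASK64
        elif mnem == "cmovnz":
            if not zf:
                regs[dst] = val(src)
        elif mnem == "cmovz":
            if zf:
                regs[dst] = val(src)
        elif mnem == "jmp":
            return val(dst)
        else:
            raise ValueError(f"unsupported instruction {mnem}")
    raise ValueError("dispatcher did not end in a jump")

def resolve_branches(dispatcher):
    """Emulate twice (ZF set, ZF clear) to recover both branch destinations."""
    return {"zf_set": emulate(dispatcher, True), "zf_clear": emulate(dispatcher, False)}

def direct_jump_patch(dispatcher):
    """Describe the direct jumps that restore the original control flow."""
    t = resolve_branches(dispatcher)
    if t["zf_set"] == t["zf_clear"]:
        return [f"jmp {t['zf_set']:#x}"]   # both paths agree: unconditional jump
    return [f"jz {t['zf_set']:#x}", f"jmp {t['zf_clear']:#x}"]
```

In a real database the patch list would be written back with IDA's patching API at the dispatcher's address; here it is returned as text so the logic can be checked offline.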

Building on this, obfuscated function calls further mask the malware's intent by resolving addresses dynamically at runtime, typically invoked via CALL RAX, which hides Windows API calls such as GlobalMemoryStatusEx.

This technique prevents immediate identification of malicious behaviour during static analysis.

Using a similar emulation strategy, scripts resolved these call targets and set the callee addresses in IDA Pro, allowing automatic labelling of function arguments and variable renaming.

After deobfuscation, the loader DLL's core functionality emerged clearly: it performs an anti-sandbox check, proceeding only if the system has at least 6 GB of RAM, before unpacking and executing the payload in memory.

Such checks exploit the resource gap between analysis environments and real targets to improve stealth.

Implications for Cybersecurity

The SLOW#TEMPEST campaign underscores the escalating arms race in malware development, where dynamic evasion tactics defeat signature-based detection and require hybrid static-dynamic approaches.

By sharing these insights through the Cyber Threat Alliance, organizations can bolster their protections; tools such as Palo Alto Networks' Advanced WildFire detect the samples through behavioural analysis, and Cortex XDR/XSIAM block execution through machine learning and shellcode AI modules.

For potential compromises, contacting an incident response team immediately is advised.

This analysis not only demystifies the malware's anti-analysis arsenal but also equips defenders with actionable methods, such as emulation scripts, to counter similar threats in an era of increasingly sophisticated cyberattacks.

Indicators of Compromise (IOCs)

SHA256 hash / file size / description
a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc / 7.42 MB / ISO file distributed in the SLOW#TEMPEST campaign
3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c / 1.64 MB / DLL used to load and execute the payload
3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978 / 1.64 MB / DLL with the encrypted payload in its overlay section
