SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection

A new malware strain associated with the SLOW#TEMPEST campaign was discovered by cybersecurity experts in late 2024. It displayed a variety of advanced evasion methods intended to prevent detection and impede reverse engineering.

Distributed as an ISO file (a tactic increasingly seen in recent cybercrime operations, because a disc image bundles several files and often escapes initial scanning), the SLOW#TEMPEST sample demonstrated a carefully architected infection chain.

The ISO contained eleven files. Two carried the malicious components; the rest were benign-looking padding intended to mislead investigators and dilute automated detection.

Central to the malware's operation is a loader DLL, zlibwapi.dll, which is brought into execution by DLL side-loading.

The technique abuses a legitimate, digitally signed executable, in this case DingTalk.exe, which loads the attacker's DLL in place of the library it expects, so the malicious code runs inside a trusted, signed process.

Notably, the loader does not directly contain its final payload; rather, it decrypts and executes malicious code appended to the overlay segment of another DLL (ipc_core.dll).

This design compartmentalizes the attack chain: the malicious logic only executes when both the loader and the payload carrier are present, which complicates detection and the forensic analysis of either file on its own.
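Carving the overlay is the first step an analyst takes with a payload carrier like ipc_core.dll. The block below is an added example, not Unit 42's tooling: it builds a constructed minimal PE32+ image, then locates and extracts everything past the last section's raw data. The page does not describe the encryption scheme, so the example stops at extraction; the section names, sizes and the appended blob are all made up for the demonstration.

```python
import struct

# Added example, not Unit 42's tooling: build a constructed minimal PE32+ image and
# carve its overlay (everything after the last section's raw data), the region in
# which ipc_core.dll carries the encrypted payload according to the analysis.

SECTOR = 0x200


def align(n: int, a: int = SECTOR) -> int:
    return (n + a - 1) // a * a


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the overlay begins: the end of the section with
    the highest PointerToRawData + SizeOfRawData (or the end of the headers)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size
    end = sec_table + 40 * nsections
    for i in range(nsections):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_table + 40 * i)
        if raw_size:                       # uninitialised (.bss-style) sections have no raw data
            end = max(end, raw_ptr + raw_size)
    if end > len(pe):
        raise ValueError("section data runs past end of file (truncated sample)")
    return end


def extract_overlay(pe: bytes) -> bytes:
    return pe[overlay_offset(pe):]


def build_sample_pe(sections, overlay: bytes = b"") -> bytes:
    """Constructed PE32+ image: DOS header, PE/COFF headers, file-aligned sections, overlay.
    Only the fields the carver reads are meaningful; everything else is zero."""
    e_lfanew, opt_size = 0x40, 0xF0
    sec_table = e_lfanew + 4 + 20 + opt_size
    size_of_headers = align(sec_table + 40 * len(sections))
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + bytes(opt_size - 2)        # PE32+ magic, rest zeroed
    table, raw, ptr = b"", b"", size_of_headers
    for i, (name, data) in enumerate(sections):
        raw_size = align(len(data))
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1),
                             raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += data.ljust(raw_size, b"\0")
        ptr += raw_size
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(size_of_headers, b"\0")
    return headers + raw + overlay


# Constructed inputs: a clean DLL-like image and the same image with an opaque blob appended.
SECTIONS = [(b".text", b"\x90" * 0x123), (b".data", b"A" * 0x50)]
CLEAN_PE = build_sample_pe(SECTIONS)
FAKE_BLOB = bytes(range(256)) * 4              # stands in for the encrypted payload
CARRIER_PE = build_sample_pe(SECTIONS, overlay=FAKE_BLOB)

if __name__ == "__main__":
    print("clean image overlay bytes:", len(extract_overlay(CLEAN_PE)))
    print("carrier image overlay bytes:", len(extract_overlay(CARRIER_PE)),
          "starting at", hex(overlay_offset(CARRIER_PE)))
```

A non-empty overlay is not suspicious by itself: Authenticode signatures, installer payloads and some debug data legitimately live past the last section. The tell in this campaign is that a second, co-located DLL reads and decrypts that region, so the carved bytes are what to feed into the loader's decryption routine once it has been reverse engineered.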

Dynamic Control Flow

One of the most challenging aspects identified in the analysis involved aggressive control flow graph (CFG) obfuscation using dynamic jumps.

Figure: code to locate dynamic jumps.

The dispatcher routines, sequences of nine assembly instructions that precede a JMP RAX, compute each jump target at runtime from processor state, in particular the Zero Flag (ZF) and Carry Flag (CF).

Each dispatcher introduces two-way branching, with the chosen execution path determined at runtime, and varied calculation logic for each jump.

Such mechanics break the direct relationship between code locations and runtime logic, defeating standard static analysis tools and frustrating attempts to write reliable detection signatures.

Researchers used a CPU emulation framework, Unicorn, to execute only the dispatcher routines in isolation, safely resolving every possible dynamic jump destination.

By patching these in the IDA Pro analysis environment, they restored a readable program flow and enabled successful high-level decompilation.

Despite this advancement, additional layers of opacity persisted; nearly all function calls, including those to Windows APIs, were highly obfuscated.

Instead of direct invocation, the addresses of target functions were computed in real time and called via indirect means (CALL RAX), further obstructing both static and dynamic scrutiny.

Addressing this, researchers wrote scripts to emulate and resolve the destination addresses for each obfuscated call.

They enhanced IDA Pro’s program understanding by explicitly setting the callee addresses for these functions, enabling automated argument labeling and local variable renaming. This process was crucial for extracting the actual capabilities and intent of the malware.
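The resolution method described for both the JMP RAX dispatchers and the CALL RAX function invocations is the same experiment: execute only the dispatcher, treat the flags as inputs rather than computing them, and record RAX at the transfer. The block below is an added example, not Unit 42's scripts. To run without native dependencies it uses a tiny hand-written interpreter for a handful of x86-64 encodings in place of Unicorn; the dispatchers it resolves are constructed (four or five instructions keyed on ZF or CF, shorter than the nine-instruction routines in the sample), and the addresses are invented.

```python
import struct

# Added example, not Unit 42's tooling: a tiny x86-64 interpreter covering only the
# encodings used by the constructed dispatchers below. It stands in for Unicorn so
# the block runs without native dependencies; the method is unchanged: execute only
# the dispatcher, seed ZF/CF as inputs, read RAX when the indirect JMP/CALL is reached.

MASK64 = (1 << 64) - 1
RAX, RCX = 0, 1                               # register numbers as encoded in ModRM / opcode
JMP_RAX, CALL_RAX = b"\xff\xe0", b"\xff\xd0"

# cmovcc opcode byte (after 0F) -> predicate over the seeded flags
CMOV_TAKEN = {
    0x44: lambda zf, cf: zf,                  # cmove / cmovz
    0x45: lambda zf, cf: not zf,              # cmovne / cmovnz
    0x42: lambda zf, cf: cf,                  # cmovb / cmovc
    0x43: lambda zf, cf: not cf,              # cmovae / cmovnc
}


def locate_indirect_transfers(code: bytes):
    """Offsets of every encoded `jmp rax` / `call rax`. Pure byte matching: a hit can
    land inside an immediate, so treat results as candidates to confirm in a
    disassembler, not as ground truth."""
    hits = []
    for pattern, kind in ((JMP_RAX, "jmp"), (CALL_RAX, "call")):
        pos = code.find(pattern)
        while pos != -1:
            hits.append((pos, kind))
            pos = code.find(pattern, pos + 1)
    return sorted(hits)


def emulate_dispatcher(code: bytes, start: int, zf: bool, cf: bool, max_insns: int = 16):
    """Interpret from `start` until an indirect transfer through RAX; return (kind, target).
    Flags are never recomputed: they are the experiment's inputs."""
    regs = [0] * 8
    pc = start
    for _ in range(max_insns):
        if code[pc:pc + 2] == JMP_RAX:
            return "jmp", regs[RAX]
        if code[pc:pc + 2] == CALL_RAX:
            return "call", regs[RAX]
        if code[pc] != 0x48:                  # every other supported instruction carries REX.W
            raise ValueError(f"unsupported encoding at {pc:#x}")
        op = code[pc + 1]
        if 0xB8 <= op <= 0xBF:                # mov r64, imm64
            regs[op - 0xB8] = struct.unpack_from("<Q", code, pc + 2)[0]
            pc += 10
        elif op == 0x0F and code[pc + 2] in CMOV_TAKEN:   # cmovcc r64, r64
            modrm = code[pc + 3]
            dst, src = (modrm >> 3) & 7, modrm & 7
            if CMOV_TAKEN[code[pc + 2]](zf, cf):
                regs[dst] = regs[src]
            pc += 4
        elif op == 0x05:                      # add rax, imm32 (sign-extended)
            regs[RAX] = (regs[RAX] + struct.unpack_from("<i", code, pc + 2)[0]) & MASK64
            pc += 6
        elif op == 0x31:                      # xor r/m64, r64
            modrm = code[pc + 2]
            regs[modrm & 7] ^= regs[(modrm >> 3) & 7]
            pc += 3
        else:
            raise ValueError(f"unsupported encoding at {pc:#x}")
    raise ValueError("no indirect transfer reached")


def resolve_dispatcher(code: bytes, start: int):
    """Run the dispatcher once per ZF/CF combination; the distinct RAX values seen at
    the transfer are the real successors, which can then be patched into IDA."""
    kinds, targets = set(), set()
    for zf in (False, True):
        for cf in (False, True):
            kind, target = emulate_dispatcher(code, start, zf, cf)
            kinds.add(kind)
            targets.add(target)
    (kind,) = kinds
    return kind, sorted(targets)


def mov_imm64(reg: int, imm: int) -> bytes:
    return bytes([0x48, 0xB8 + reg]) + struct.pack("<Q", imm)


# Constructed sample code (not bytes from the SLOW#TEMPEST binaries): one dispatcher
# keyed on ZF ending in JMP RAX, one keyed on CF ending in CALL RAX.
DISPATCHER_ZF = (mov_imm64(RAX, 0x140001000) + mov_imm64(RCX, 0x140001080)
                 + b"\x48\x0f\x44\xc1"                 # cmove rax, rcx
                 + JMP_RAX)
DISPATCHER_CF = (mov_imm64(RAX, 0x140002000) + mov_imm64(RCX, 0x140002100)
                 + b"\x48\x0f\x42\xc1"                 # cmovb rax, rcx
                 + b"\x48\x05\x10\x00\x00\x00"         # add rax, 0x10
                 + CALL_RAX)
SAMPLE_CODE = DISPATCHER_ZF + DISPATCHER_CF
DISPATCHER_STARTS = (0, len(DISPATCHER_ZF))

if __name__ == "__main__":
    print("indirect transfers:", [(hex(o), k) for o, k in locate_indirect_transfers(SAMPLE_CODE)])
    for start in DISPATCHER_STARTS:
        kind, targets = resolve_dispatcher(SAMPLE_CODE, start)
        print(f"dispatcher at {start:#x}: {kind} -> {[hex(t) for t in targets]}")
```

With Unicorn the loop body becomes `reg_write(UC_X86_REG_EFLAGS, ...)`, `emu_start(start, transfer_addr)` and `reg_read(UC_X86_REG_RAX)`, but the shape is identical: two flag bits in, a set of successors out. Each JMP dispatcher resolving to exactly two targets is what lets the analyst rewrite it as a conditional branch plus a direct jump and recover a normal control flow graph.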

Anti-Analysis Features Exposed

With the code successfully de-obfuscated, the primary logic of the loader DLL came into sharp focus.

An initial anti-analysis check queries the host's physical memory through the Windows API GlobalMemoryStatusEx and proceeds to unpack the payload only if the system has at least 6 GB of RAM.

This behavior targets more capable endpoints while sidestepping potential analysis environments such as sandboxes, which often run with minimal resource allocation.
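The memory gate is simple to reproduce, and reproducing it is useful for checking whether an analysis VM would even reach the unpacking stage. The block below is an added example, not the loader's code: it lays out the MEMORYSTATUSEX structure the API fills in, applies a 6 GiB threshold (the page gives the figure as 6 GB; the loader's exact constant is not reproduced here), and includes an offline parser fed with constructed structures so the logic can be exercised on any OS. The live call in `query_memorystatusex` only works on Windows.

```python
import ctypes
import struct
import sys

# Added example (not the loader's code): the Win32 MEMORYSTATUSEX layout and the
# minimum-RAM gate described in the analysis, plus constructed structures so the
# decision logic can be tested without Windows.

MEMORYSTATUSEX_SIZE = 64                     # sizeof(MEMORYSTATUSEX)
GIB = 1024 ** 3
MIN_TOTAL_PHYS = 6 * GIB                     # assumed threshold; page says "at least 6 GB"
FIELDS = ("dwLength", "dwMemoryLoad", "ullTotalPhys", "ullAvailPhys",
          "ullTotalPageFile", "ullAvailPageFile", "ullTotalVirtual",
          "ullAvailVirtual", "ullAvailExtendedVirtual")


def parse_memorystatusex(buf: bytes) -> dict:
    """Decode a raw MEMORYSTATUSEX: two DWORDs followed by seven DWORDLONGs."""
    if len(buf) != MEMORYSTATUSEX_SIZE:
        raise ValueError("MEMORYSTATUSEX must be 64 bytes")
    status = dict(zip(FIELDS, struct.unpack("<II7Q", buf)))
    if status["dwLength"] != MEMORYSTATUSEX_SIZE:
        raise ValueError("dwLength not initialised; the API call would have failed")
    return status


def passes_memory_gate(status: dict, minimum: int = MIN_TOTAL_PHYS) -> bool:
    """The loader's decision: continue unpacking only on hosts with enough RAM."""
    return status["ullTotalPhys"] >= minimum


def query_memorystatusex() -> dict:
    """Windows only: the real call. dwLength must be set before calling or the API fails."""
    if sys.platform != "win32":
        raise OSError("GlobalMemoryStatusEx is a Win32 API")
    buf = ctypes.create_string_buffer(MEMORYSTATUSEX_SIZE)
    struct.pack_into("<I", buf, 0, MEMORYSTATUSEX_SIZE)
    if not ctypes.windll.kernel32.GlobalMemoryStatusEx(buf):
        raise ctypes.WinError()
    return parse_memorystatusex(buf.raw)


def fake_memorystatusex(total_phys: int, load_pct: int = 40) -> bytes:
    """Constructed structure, as a machine with `total_phys` bytes of RAM would return it."""
    avail = total_phys - total_phys * load_pct // 100
    return struct.pack("<II7Q", MEMORYSTATUSEX_SIZE, load_pct, total_phys, avail,
                       total_phys, avail, 0x7FFFFFFF0000, 0x7FFFFFF00000, 0)


SANDBOX_4GB = fake_memorystatusex(4 * GIB)           # typical default sandbox allocation
WORKSTATION_16GB = fake_memorystatusex(16 * GIB)     # typical targeted endpoint

if __name__ == "__main__":
    for label, raw in (("4 GiB sandbox", SANDBOX_4GB), ("16 GiB workstation", WORKSTATION_16GB)):
        verdict = "payload unpacked" if passes_memory_gate(parse_memorystatusex(raw)) else "loader exits"
        print(f"{label}: {verdict}")
```

The practical consequence for detonation: an analysis VM allocated less RAM than the gate requires records a loader that quietly does nothing, so sandbox profiles for this family should be provisioned above the threshold, or the comparison should be patched out in the debugger.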

The campaign underscores a shifting paradigm in malware development, where advanced obfuscation leveraging dynamic control flows and runtime-resolved function pointers renders traditional detection and analysis techniques less effective.

This necessitates a fusion of advanced static and dynamic analysis approaches, including emulation and automated code patching, to stay ahead of adversaries.

According to the report, Palo Alto Networks customers are protected against these threats through Advanced WildFire, Cortex XDR and XSIAM, which use behavioral analytics and AI-driven techniques to detect both known and novel threats.

The research findings have been shared with fellow Cyber Threat Alliance members to foster rapid protective action across the cybersecurity community.

Organizations concerned about potential compromise are advised to contact the Unit 42 Incident Response team for expert assistance.

Indicators of Compromise (IOC)

ISO file distributed in the SLOW#TEMPEST campaign (7.42 MB)
SHA256: a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc

DLL used to load and execute the payload, zlibwapi.dll (1.64 MB)
SHA256: 3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c

DLL with encrypted payload in overlay segment, ipc_core.dll (1.64 MB)
SHA256: 3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
