The article analyzes a malware variant involved in the SLOW#TEMPEST campaign, focusing on advanced obfuscation techniques such as control flow graph (CFG) obfuscation using dynamic jumps and obfuscated function calls to evade detection. It also presents methods and tools developed to de-obfuscate the malware, enabling better analysis and defense. #SLOWTEMPEST #emulation #dynamicjumps
Key points
- A malware variant from the SLOW#TEMPEST campaign was distributed via ISO files containing both malicious and benign files.
- The malware employs control flow graph (CFG) obfuscation using dynamic jumps managed by dispatcher routines, complicating static and dynamic analysis.
- Obfuscated function calls are implemented through indirect calls (e.g., Call RAX) where function addresses are computed at runtime.
- The researchers developed IDAPython and Unicorn-based scripts to emulate dispatcher instructions and resolve dynamic jumps and obfuscated function call targets.
- After de-obfuscation, the malware’s loader DLL was found to perform an anti-sandbox check that inspects the system’s total physical memory before unpacking and executing its payload.
- Palo Alto Networks products such as Advanced WildFire, Cortex XDR, and XSIAM provide protection against these malware variants.
- Indicators of compromise include specific SHA256 hashes of the ISO and DLL files used in the campaign.
MITRE Techniques
- [T1214] DLL Side-Loading – The malware uses DLL side-loading by executing a legitimate signed binary (DingTalk.exe) that loads the malicious loader DLL (zlibwapi.dll) (“DLL side-loading is a technique where attackers use a legitimate program to load a malicious DLL file”).
- [T1047] Windows Management Instrumentation – The malware performs an anti-sandbox check using the Windows API GlobalMemoryStatusEx to verify system memory before executing the payload (“uses the Windows API GlobalMemoryStatusEx to determine the total physical memory”).
- [T1106] Native API – Dynamic resolution and invocation of Windows API calls via obfuscated function calls using indirect call instructions like Call RAX (“function’s address is calculated dynamically at runtime and then called through a pointer”).
- [T1036.005] Masquerading: DLL Side-Loading – The malware appends its payload to another DLL (ipc_core.dll) and relies on a separate loader DLL, so the malicious components masquerade as legitimate ones and detection is complicated (“Separating the payload from the loader DLL complicates detection”).
Indicators of Compromise
- [File Hash] Malware samples involved in the SLOW#TEMPEST campaign:
  - a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc (ISO file)
  - 3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c (loader DLL)
  - 3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978 (payload DLL)
Read more: https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/