SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
Security researchers have uncovered a sophisticated evolution in the SLOW#TEMPEST malware campaign, where threat actors are deploying innovative obfuscation methods to evade detection and complicate analysis.
This variant, distributed via an ISO file containing a mix of benign and malicious components, leverages DLL sideloading through a legitimate signed binary, DingTalk.exe, to load a malicious DLL named zlibwapi.dll.
This loader DLL decrypts and executes an embedded payload appended to another file, ipc_core.dll, ensuring malicious execution only occurs when both elements are present.
The campaign’s tactics, including control flow graph (CFG) obfuscation via dynamic jumps and obfuscated function calls, significantly hinder static and dynamic analysis, forcing security practitioners to employ advanced emulation and scripting to dissect the code.
Advanced Obfuscation Techniques
In the realm of CFG obfuscation, the malware employs dynamic jumps, such as JMP RAX instructions, where target addresses are computed at runtime based on register values, memory contents, and CPU flags like the Zero Flag (ZF) and Carry Flag (CF).
These jumps disrupt predictable execution paths, rendering traditional decompilers like Hex-Rays ineffective by producing incomplete pseudocode.
Analysts countered this by using IDAPython scripts to identify dispatchers: sequences of nine instructions preceding each jump that implement two-way branching via conditional moves (e.g., CMOVNZ) or conditional sets (e.g., SETNL).
By emulating these dispatchers with the Unicorn framework, researchers extracted the instruction bytes and simulated execution twice per dispatcher, once per state of the decisive flag, to reveal both the true and false branch destinations.
According to the report, patching the IDA Pro database with direct jumps restored the original control flow, enabling full decompilation and exposing further layers of evasion.
Building on this, obfuscated function calls further mask the malware’s intent by dynamically resolving addresses at runtime, often invoked via CALL RAX, obscuring Windows API invocations like GlobalMemoryStatusEx.
This technique prevents immediate identification of malicious behaviors during static analysis.
Employing a similar emulation strategy, scripts resolved these call targets and set the callee addresses in IDA Pro, allowing automatic labeling of function arguments and variable renaming.
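The two-run emulation described above for the JMP RAX dispatchers and the CALL RAX resolution, as a constructed Python model added here (it is not the researchers' IDAPython/Unicorn script, which the article does not reproduce). Instead of driving Unicorn over real bytes, it interprets a handful of x86-64 operations a dispatcher uses, runs each dispatcher once with the decisive flag clear and once with it set, and turns the recovered destinations into the direct branch or callee annotation an analyst would write back into the database. The two dispatcher listings and all addresses are made up for illustration.

```python
"""Constructed model of two-run dispatcher emulation (not the researchers' code).

A dispatcher is modelled as a list of (mnemonic, *operands) tuples; registers
are names, immediates are ints. Only the operations needed for the example are
implemented. In a real workflow the bytes would come from IDA and be executed
with Unicorn, but the two-run idea is the same.
"""
from dataclasses import dataclass, field

MASK = (1 << 64) - 1
FLAG_NAMES = ("ZF", "CF", "SF", "OF")

# Condition codes used by CMOVcc / SETcc, evaluated from the flag state.
CONDITIONS = {
    "z": lambda f: f["ZF"] == 1,
    "nz": lambda f: f["ZF"] == 0,
    "b": lambda f: f["CF"] == 1,
    "ae": lambda f: f["CF"] == 0,
    "l": lambda f: f["SF"] != f["OF"],
    "nl": lambda f: f["SF"] == f["OF"],
}

# Which Jcc tests a single flag being set (used when writing the patch).
FLAG_TO_JCC = {"ZF": "jz", "CF": "jb", "SF": "js"}


@dataclass
class CPU:
    regs: dict = field(default_factory=dict)
    flags: dict = field(default_factory=lambda: {f: 0 for f in FLAG_NAMES})

    def get(self, operand):
        """Read an operand: an int is an immediate, a str is a register."""
        if isinstance(operand, int):
            return operand
        return self.regs.get(operand, 0)


def emulate(dispatcher, flags):
    """Run one dispatcher under the given flag state.

    Returns (transfer_kind, target) for the indirect jmp/call that ends it.
    """
    cpu = CPU(flags={**{f: 0 for f in FLAG_NAMES}, **flags})
    for ins in dispatcher:
        op, args = ins[0], ins[1:]
        if op == "mov":
            cpu.regs[args[0]] = cpu.get(args[1])
        elif op == "lea":                      # lea dst, [base + disp]
            cpu.regs[args[0]] = (cpu.get(args[1]) + args[2]) & MASK
        elif op == "add":
            cpu.regs[args[0]] = (cpu.get(args[0]) + cpu.get(args[1])) & MASK
        elif op == "imul":
            cpu.regs[args[0]] = (cpu.get(args[0]) * cpu.get(args[1])) & MASK
        elif op.startswith("cmov"):            # cmovcc dst, src
            if CONDITIONS[op[4:]](cpu.flags):
                cpu.regs[args[0]] = cpu.get(args[1])
        elif op.startswith("set"):             # setcc dst -> 0 or 1
            cpu.regs[args[0]] = int(CONDITIONS[op[3:]](cpu.flags))
        elif op in ("jmp", "call"):
            return op, cpu.get(args[0])
        else:
            raise ValueError(f"unsupported instruction {op}")
    raise ValueError("dispatcher did not end in an indirect jmp/call")


def resolve(dispatcher, decisive_flag):
    """Emulate twice (flag clear, then flag set) to recover both destinations."""
    kind_clear, when_clear = emulate(dispatcher, {decisive_flag: 0})
    kind_set, when_set = emulate(dispatcher, {decisive_flag: 1})
    if kind_clear != kind_set:
        raise ValueError("transfer kind changed between runs")
    return kind_clear, when_clear, when_set


def patch_text(kind, flag, when_clear, when_set):
    """Describe what gets written back: a direct branch for jmp dispatchers,
    a list of candidate callees for call dispatchers."""
    if when_clear == when_set:
        return f"{kind} 0x{when_set:x}"          # no real branch at all
    if kind == "jmp":
        return f"{FLAG_TO_JCC[flag]} 0x{when_set:x}; jmp 0x{when_clear:x}"
    return f"callees: 0x{when_clear:x} ({flag}=0), 0x{when_set:x} ({flag}=1)"


# Constructed dispatchers (addresses are made up).
DISPATCH_JMP = [                       # CMOVNZ-style two-way jump
    ("mov", "rax", 0x140001000),       # destination when ZF == 1
    ("mov", "rcx", 0x140001230),       # destination when ZF == 0
    ("cmovnz", "rax", "rcx"),
    ("jmp", "rax"),
]
DISPATCH_CALL = [                      # SETNL-style arithmetic call target
    ("mov", "rdx", 0),
    ("setnl", "rdx"),                  # rdx = 1 when SF == OF
    ("imul", "rdx", 0x80),             # scale 0/1 into a table offset
    ("mov", "rax", 0x140002000),
    ("add", "rax", "rdx"),             # 0x140002000 or 0x140002080
    ("call", "rax"),
]

if __name__ == "__main__":
    for name, disp, flag in (("jmp", DISPATCH_JMP, "ZF"), ("call", DISPATCH_CALL, "SF")):
        kind, clear, set_ = resolve(disp, flag)
        print(name, "->", patch_text(kind, flag, clear, set_))
```

The interpreter only ever runs the short dispatcher, never the surrounding code, which is the point of the approach: the flag state is supplied rather than computed, so the 6 GB memory comparison or any other hidden predicate does not need to be satisfied to learn where both sides of the branch lead.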
Post-deobfuscation, the loader DLL’s core functionality emerged clearly: it performs an anti-sandbox check, proceeding only if the system has at least 6 GB of RAM, before unpacking and executing the payload in memory.
Such checks exploit resource disparities between analysis environments and real targets, enhancing stealth.
Implications for Cybersecurity
The SLOW#TEMPEST campaign underscores the escalating arms race in malware development, where dynamic evasion tactics challenge signature-based detections and necessitate hybrid static-dynamic approaches.
By sharing these insights through the Cyber Threat Alliance, organizations can bolster protections, with tools like Palo Alto Networks’ Advanced WildFire detecting samples via behavioral analysis, and Cortex XDR/XSIAM preventing executions through machine learning and shellcode AI modules.
For potential compromises, immediate contact with incident response teams is advised.
This analysis not only demystifies the malware’s anti-analysis arsenal but also equips defenders with actionable methods, such as emulation scripts, to counter similar threats in an era of increasingly sophisticated cyberattacks.
Indicators of Compromise (IOCs)
SHA256 Hash | File Size | Description
---|---|---
a05882750f7caac48a5b5ddf4a1392aa704e6e584699fe915c6766306dae72cc | 7.42 MB | ISO file distributed in the SLOW#TEMPEST campaign
3d3837eb69c3b072fdfc915468cbc8a83bb0db7babd5f7863bdf81213045023c | 1.64 MB | DLL used to load and execute the payload
3583cc881cb077f97422b9729075c9465f0f8f94647b746ee7fa049c4970a978 | 1.64 MB | DLL with encrypted payload in the overlay segment