Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

The article examines a malware variant associated with the SLOW#TEMPEST campaign, focusing on the advanced obfuscation techniques used by the threat actors. The malware is distributed as an ISO file containing multiple files, two of which are malicious. The loader DLL, zlibwapi.dll, decrypts and executes an embedded payload that is appended to another DLL. The analysis reveals sophisticated anti-analysis techniques, including Control Flow Graph (CFG) obfuscation based on dynamic jumps and obfuscated function calls. The researchers demonstrate methods to counter these techniques using emulation and code patching. The loader DLL also employs an anti-sandbox check: it executes its payload only if the target machine has at least 6 GB of RAM. The study highlights the importance of combining advanced dynamic analysis with static analysis to understand and mitigate modern malware threats effectively.

OPENCTI LABELS:

anti-analysis, dll sideloading, emulation, anti-sandbox, dynamic jumps, obfuscated function calls, slow#tempest, cfg obfuscation
