Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
In late 2024, a new variant of the SLOW#TEMPEST malware campaign was discovered, employing sophisticated obfuscation techniques. The malware is distributed as an ISO file containing multiple files, including a malicious loader DLL and a payload embedded in another DLL. The loader uses DLL side-loading and advanced anti-analysis methods such as Control Flow Graph (CFG) obfuscation with dynamic jumps and obfuscated function calls. These techniques make static and dynamic analysis challenging, hindering the creation of effective detection rules. The article details the process of de-obfuscating the code using emulation and patching techniques, revealing the malware's core functionality, including an anti-sandbox check based on system memory.
OPENCTI LABELS:
obfuscation, anti-analysis, emulation, dll side-loading, anti-sandbox, dynamic jumps, slow#tempest, cfg