CyberSecurity news
FlagThis
@gbhackers.com
//
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.
At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow.
Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.
ImgSrc: blogger.googleu
References :
At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow.
Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.
ImgSrc: blogger.googleu
Share:
References :
- unit42.paloaltonetworks.com: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
- Cyber Security News: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
- gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
- cyberpress.org: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
- gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
- malware.news: Malware News: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
- Virus Bulletin: Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques.
Classification:
- HashTags: #malware #obfuscation #cybersecurity
- Company: Palo Alto Networks
- Target: Organizations
- Attacker: SLOW#TEMPEST
- Product: Unit 42
- Feature: malware obfuscation
- Malware: SLOW#TEMPEST
- Type: Malware
- Severity: Major