The article examines a malware variant associated with the SLOW#TEMPEST campaign, focusing on the obfuscation techniques used by the threat actors. The malware is distributed as an ISO image containing several files, two of which are malicious. The loader DLL, zlibwapi.dll, decrypts and executes an embedded payload that is appended to a second DLL. The analysis documents anti-analysis techniques including control-flow graph (CFG) obfuscation built from dynamic jumps (branch targets computed at run time rather than encoded in the instruction) and obfuscated function calls, and the researchers show how to defeat them by emulating the code that computes each target and then patching the resolved indirect branches back into direct ones so the disassembler can recover the real control flow. The loader also performs an anti-sandbox check, executing its payload only if the machine reports at least 6 GB of RAM, so analysis VMs provisioned below that threshold never see the second stage. The study emphasizes combining dynamic analysis (emulation) with static analysis to understand and mitigate such malware.

Author: AlienVault
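As an added, illustrative example (not code from the article, AlienVault or the researchers): the code-patching half of the counter-measure described above. It assumes the target of an obfuscated `jmp reg` / `call reg` has already been resolved by an emulator such as Unicorn, and rewrites the whole dispatch sequence into a direct `rel32` branch plus NOP padding. The dispatch sequence, base address and bytes are constructed for illustration and are not taken from the sample; the key detail is that the displacement is measured from the end of the 5-byte branch instruction, not from its start.

```python
import struct

JMP_REL32 = 0xE9   # jmp rel32
CALL_REL32 = 0xE8  # call rel32
NOP = 0x90


def patch_resolved_branch(code: bytes, seq_off: int, seq_len: int,
                          base: int, target_va: int, call: bool = False) -> bytearray:
    """Replace an obfuscated dispatch sequence (the instructions that compute a
    register and then `jmp reg` / `call reg`) with a direct rel32 branch to the
    target an emulator resolved, NOP-padding the rest of the sequence so the
    disassembler's instruction boundaries stay consistent.

    code      - raw section bytes
    seq_off   - offset of the first instruction of the dispatch sequence
    seq_len   - total length of the sequence, including the indirect branch
    base      - virtual address of code[0]
    target_va - branch target resolved by emulation (assumed input)
    """
    if seq_len < 5:
        raise ValueError("sequence too short to hold a 5-byte rel32 branch")
    if seq_off < 0 or seq_off + seq_len > len(code):
        raise ValueError("sequence lies outside the buffer")
    # rel32 is relative to the end of the 5-byte branch instruction.
    rel = target_va - (base + seq_off + 5)
    if not -0x8000_0000 <= rel <= 0x7FFF_FFFF:
        raise ValueError("target out of rel32 range")
    patched = bytearray(code)
    opcode = CALL_REL32 if call else JMP_REL32
    patched[seq_off:seq_off + 5] = bytes([opcode]) + struct.pack("<i", rel)
    patched[seq_off + 5:seq_off + seq_len] = bytes([NOP]) * (seq_len - 5)
    return patched


def decode_rel32_branch(code: bytes, off: int, base: int) -> tuple:
    """Decode a jmp/call rel32 at `off`; used to verify a patch round-trips."""
    opcode = code[off]
    if opcode not in (JMP_REL32, CALL_REL32):
        raise ValueError(f"no rel32 branch at offset {off:#x}")
    rel = struct.unpack("<i", bytes(code[off + 1:off + 5]))[0]
    return ("call" if opcode == CALL_REL32 else "jmp", base + off + 5 + rel)


# Constructed sample (not from the real binary): a 0x40-byte code region whose
# dispatch sequence at offset 0x10 computes EAX and jumps through it:
#   b8 d0 ff 3f 00    mov eax, 0x3FFFD0
#   05 70 00 00 00    add eax, 0x70        ; eax = 0x400040
#   ff e0             jmp eax
SAMPLE_BASE = 0x400000
SAMPLE_SEQ_OFF = 0x10
SAMPLE_SEQ = bytes.fromhex("b8d0ff3f00" "0570000000" "ffe0")
SAMPLE_CODE = (bytes([0xCC]) * SAMPLE_SEQ_OFF + SAMPLE_SEQ
               + bytes([0xCC]) * (0x40 - SAMPLE_SEQ_OFF - len(SAMPLE_SEQ)))
# Value an emulator would report in EAX after running the sequence up to the jmp
# (assumed here; in practice it comes from Unicorn or a similar engine).
SAMPLE_RESOLVED_TARGET = 0x400040


def patch_sample() -> bytearray:
    """Apply the patch to the constructed sample and return the rewritten bytes."""
    return patch_resolved_branch(SAMPLE_CODE, SAMPLE_SEQ_OFF, len(SAMPLE_SEQ),
                                 SAMPLE_BASE, SAMPLE_RESOLVED_TARGET)


if __name__ == "__main__":
    out = patch_sample()
    kind, target = decode_rel32_branch(out, SAMPLE_SEQ_OFF, SAMPLE_BASE)
    print(f"{kind} -> {target:#x}; patched bytes: "
          f"{out[SAMPLE_SEQ_OFF:SAMPLE_SEQ_OFF + len(SAMPLE_SEQ)].hex()}")
```

The emulation half is deliberately left outside the block: in a real workflow you run the bytes from the start of the dispatch sequence up to the indirect branch under an emulator, read the register the branch uses, and hand that value to `patch_resolved_branch`. The whole sequence is overwritten, not just the two-byte `jmp eax`, because the arithmetic that fed the register is dead once the target is known and a 5-byte branch would not fit in the original two bytes otherwise; the `call` flag covers the obfuscated-call case under the assumption that it resolves to a single direct target.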
Related Tags:
slow#tempest
obfuscated function calls
dynamic jumps
T1027.004
anti-sandbox
T1553.002
emulation
T1497.001
anti-analysis
Associated Indicators:
A05882750F7CAAC48A5B5DDF4A1392AA704E6E584699FE915C6766306DAE72CC
3D3837EB69C3B072FDFC915468CBC8A83BB0DB7BABD5F7863BDF81213045023C