Summary

  • Researchers from Unit 42 recently came across updated SLOW#TEMPEST malware, which uses several obfuscation techniques to evade detection.
  • The obfuscation methods used include control flow graph (CFG) obfuscation using dynamic jumps, as well as obfuscated function calls.
  • With the former, the destination of a jump is determined at runtime through a sequence of instructions, while with the latter, function calls are made indirectly via pointers with the actual target computed at runtime.
  • To counter these, the researchers developed Python scripts that resolve the control flow and function call obfuscation, recovering the jump destinations and call targets so that the obfuscated code could be identified and its functionality analyzed.
  • They determined that the malware has an anti-sandbox mechanism that only executes its payload if the target machine has at least 6GB of RAM.
  • The obfuscation analysis scripts are available on GitHub.
  • These advanced analysis techniques are useful for practitioners to better understand and thereby detect advanced malware.
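To make the two resolution steps in the summary concrete, here is a small, added illustration that is not the Unit 42 scripts and not code from the article: a toy resolver that walks a straight-line instruction sequence, constant-folds the register arithmetic, and reports the concrete destination of each dynamic jump (`jmp reg`) and each indirect call through a pointer table (`call [reg+disp]`). The instruction tuple encoding, the `MEMORY` pointer table and the `SAMPLE` sequence are all constructed for this example; the actual patterns used by SLOW#TEMPEST are not shown on this page, and a real resolver would operate on disassembly from a tool such as a disassembler's API rather than on hand-written tuples.

```python
"""Toy resolver for computed jump / indirect call targets.

Added example, not from the Unit 42 article or its GitHub scripts.
The instruction encoding, the pointer table and the sample sequence are
constructed for illustration only.
"""
from typing import Dict, List, Tuple, Union

MASK32 = 0xFFFFFFFF

# Constructed pointer table standing in for data the obfuscated sample
# would embed: address -> 32-bit value stored there (a real callee).
MEMORY: Dict[int, int] = {
    0x403000: 0x401500,  # slot 0
    0x403004: 0x401800,  # slot 1
}

Instr = Tuple  # e.g. ("mov", "eax", 0x1000) or ("call_ind", "ecx", 4)


def _val(regs: Dict[str, int], operand: Union[str, int]) -> int:
    """Resolve an operand: a register name or a 32-bit immediate."""
    return regs[operand] if isinstance(operand, str) else operand & MASK32


def resolve_targets(code: List[Instr]) -> List[Tuple[str, int]]:
    """Walk a straight-line block, constant-folding register math, and
    return (kind, target) for every `jmp reg` and `call_ind reg, disp`.

    This is the essence of resolving CFG obfuscation by dynamic jumps
    (the destination only exists after a chain of arithmetic) and of
    obfuscated function calls (the callee is read through a pointer
    computed at runtime).
    """
    regs: Dict[str, int] = {}
    results: List[Tuple[str, int]] = []
    for ins in code:
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = _val(regs, ins[2])
        elif op == "add":
            regs[ins[1]] = (regs[ins[1]] + _val(regs, ins[2])) & MASK32
        elif op == "sub":
            regs[ins[1]] = (regs[ins[1]] - _val(regs, ins[2])) & MASK32
        elif op == "xor":
            regs[ins[1]] = regs[ins[1]] ^ _val(regs, ins[2])
        elif op == "shl":
            regs[ins[1]] = (regs[ins[1]] << _val(regs, ins[2])) & MASK32
        elif op == "jmp":
            # Dynamic jump: the destination is whatever the register holds now.
            results.append(("jmp", regs[ins[1]]))
        elif op == "call_ind":
            # Indirect call: reg + displacement addresses a pointer slot.
            addr = (regs[ins[1]] + ins[2]) & MASK32
            if addr not in MEMORY:
                raise ValueError(f"unresolved pointer read at {addr:#x}")
            results.append(("call", MEMORY[addr]))
        else:
            raise ValueError(f"unsupported op {op}")
    return results


# Constructed obfuscated sequence: the jump target 0x401234 is never
# written as a literal, and the callee is fetched from the pointer table.
SAMPLE: List[Instr] = [
    ("mov", "eax", 0x0ABC),
    ("shl", "eax", 8),          # 0x0ABC00
    ("xor", "eax", 0x4AAE34),   # 0x401234
    ("add", "eax", 0x100),      # 0x401334
    ("sub", "eax", 0x100),      # 0x401234
    ("jmp", "eax"),             # dynamic jump
    ("mov", "ecx", 0x402F00),
    ("add", "ecx", 0x100),      # 0x403000, base of the pointer table
    ("call_ind", "ecx", 4),     # reads MEMORY[0x403004] -> 0x401800
]

if __name__ == "__main__":
    for kind, target in resolve_targets(SAMPLE):
        print(f"{kind:4s} -> {target:#x}")
```

Once the targets are concrete, an analyst can patch the disassembly (for example, replacing the computed `jmp` with a direct one) so the disassembler rebuilds a readable control flow graph and correct cross-references for the resolved callees.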

By Mark Lim

Original Article