In late 2024, security researchers from Unit 42 uncovered a sophisticated new variant of the malware associated with the SLOW#TEMPEST campaign, an evolution of evasive threats that is redefining malware obfuscation techniques. This latest campaign demonstrates heavy use of Control Flow Graph (CFG) obfuscation and indirect function call masking, leaving traditional static analysis tools with very little they can recover on their own.
“Understanding these evolving tactics is essential for security practitioners to develop robust detection rules and strengthen defenses against increasingly sophisticated threats,” the report states.
The infection begins with a familiar tactic: an ISO file containing 11 files, only two of which are malicious. The attack relies on DLL side-loading, using a legitimate signed binary (DingTalk.exe) to load a malicious DLL (zlibwapi.dll) from its own directory; the report refers to this DLL as the loader DLL.
What sets this sample apart is where the actual payload lives: it is appended to the end of another DLL in the bundle (ipc_core.dll) rather than embedded inside the loader.
“Separating the payload from the loader DLL complicates detection, as the malicious code will only execute if both the loader and payload binaries are present,” the report explains.
Control Flow Graph (CFG) obfuscation distorts the logical flow of a program's instructions, making reverse engineering far harder. The loader DLL's main function, which spans more than 17,000 lines of assembly, uses dynamic jump instructions whose targets a decompiler cannot resolve statically.
“The sample used dynamic jump instructions… target addresses in code are computed at runtime. This severely hinders the decompiler’s ability to reconstruct the original high-level code.”
A striking example is JMP RAX: the destination is whatever value the preceding instructions leave in the RAX register at run time, so a disassembler that cannot evaluate those instructions sees a dead end where the real control-flow edge should be. Recovering the logic requires emulating or executing the code up to the jump.
The research team addressed this with a Python script for IDA Pro that uses the Unicorn Engine to emulate the code leading up to each dynamic jump, read the computed target, and replace each of the 10 dynamic jumps in the loader with a static direct jump, revealing the previously hidden flow of execution.
Unlike typical malware, this variant made no direct calls to Windows APIs. Instead, every API call was indirect: the function address was computed at runtime and invoked through an instruction such as CALL RAX, so the cross-references to import table entries that an analyst normally relies on are simply absent.
“The function’s address is being dynamically determined at runtime rather than being directly specified in the code.”
Using a second emulation script (emu_call_rax_idapython.py), the analysts resolved the target address of each such call. They then used IDAPython to record the resolved callee address at each call site, which lets IDA Pro recognize the standard Windows APIs being called and apply their prototypes to the arguments.
“After adding the code… IDA Pro will automatically label function arguments and rename local variables for each obfuscated function call. This significantly improved our ability to read and analyze the code.”
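The emulate-then-patch workflow described above, covering both the JMP RAX resolution and the CALL RAX callee labeling, as an added example that is not Unit 42's script: instead of IDA Pro and the Unicorn Engine it uses a small hand-rolled emulator for a handful of x86-64 encodings (mov/add/sub/xor on RAX, direct and indirect jmp/call, nop). It walks the code, tracks RAX concretely, records the target of each indirect branch, rewrites each resolved `jmp rax` chain as a direct `jmp rel32` padded with NOPs, and labels `call rax` targets from an API table. The sample bytes, the image base and the API address table are constructed for the example.

```python
"""Resolve obfuscated `jmp rax` / `call rax` targets by concrete emulation.

Added example (not the Unit 42 script). It models the report's workflow on
a tiny hand-rolled x86-64 subset instead of IDA Pro + Unicorn: emulate the
instructions that build RAX, read RAX at the indirect branch, record the
target, and rewrite `jmp rax` chains as direct `jmp rel32`. The sample bytes,
image base and API address table are constructed for this example.
"""
import struct

MASK = (1 << 64) - 1

# Constructed table of API addresses the loader is imagined to resolve at
# runtime (the addresses are made up for this example).
KNOWN_APIS = {0x7FF812345000: "GlobalMemoryStatusEx"}


def decode(code: bytes, off: int):
    """Decode one instruction of the supported subset at offset `off`.

    Returns (mnemonic, operand, length). Anything outside the subset raises,
    so an unexpected byte pattern is never silently mis-emulated.
    """
    b = code[off]
    if b == 0x90:                                   # nop
        return ("nop", None, 1)
    if b == 0xE9:                                   # jmp rel32
        return ("jmp_rel", struct.unpack_from("<i", code, off + 1)[0], 5)
    if b == 0xE8:                                   # call rel32
        return ("call_rel", struct.unpack_from("<i", code, off + 1)[0], 5)
    if b == 0xFF and code[off + 1] == 0xE0:         # jmp rax   (FF /4)
        return ("jmp_rax", None, 2)
    if b == 0xFF and code[off + 1] == 0xD0:         # call rax  (FF /2)
        return ("call_rax", None, 2)
    if b == 0x48:                                   # REX.W prefix
        op = code[off + 1]
        if op == 0xB8:                              # mov rax, imm64
            return ("mov", struct.unpack_from("<Q", code, off + 2)[0], 10)
        if op in (0x05, 0x2D, 0x35):                # add/sub/xor rax, imm32 (sign-extended)
            name = {0x05: "add", 0x2D: "sub", 0x35: "xor"}[op]
            return (name, struct.unpack_from("<i", code, off + 2)[0], 6)
    raise ValueError(f"unsupported instruction at +{off:#x}: {code[off:off + 2].hex()}")


def resolve_indirect_branches(code: bytes, base: int):
    """Walk `code` linearly, tracking RAX concretely across each mov/add/sub/xor chain.

    Returns (patched, resolved): `resolved` maps the virtual address of every
    `jmp rax` / `call rax` to its concrete target; `patched` is a copy of the
    code in which each resolved `jmp rax` chain (from its `mov rax, imm64` to
    the jump) is replaced by `jmp rel32` plus NOP padding, so a disassembler
    now sees the real edge. `call rax` sites are only recorded, mirroring how
    an analyst annotates the callee for IDA instead of rewriting the call.
    """
    patched = bytearray(code)
    resolved = {}
    rax = None           # None = RAX not defined by a chain we can follow
    chain_start = None   # offset of the mov rax, imm64 that began the chain
    off = 0
    while off < len(code):
        mnem, opnd, size = decode(code, off)
        if mnem == "mov":
            rax, chain_start = opnd & MASK, off
        elif mnem in ("add", "sub", "xor"):
            if rax is None:
                raise ValueError(f"RAX arithmetic at +{off:#x} before any mov rax")
            if mnem == "add":
                rax = (rax + opnd) & MASK
            elif mnem == "sub":
                rax = (rax - opnd) & MASK
            else:
                rax = rax ^ (opnd & MASK)
        elif mnem in ("jmp_rax", "call_rax"):
            if rax is None:
                raise ValueError(f"indirect branch at +{off:#x} with unknown RAX")
            resolved[base + off] = rax
            if mnem == "jmp_rax":
                end = off + size
                rel = rax - (base + chain_start + 5)   # rel32 is relative to the next instruction
                patched[chain_start:chain_start + 5] = b"\xE9" + struct.pack("<i", rel)
                patched[chain_start + 5:end] = b"\x90" * (end - chain_start - 5)
            rax, chain_start = None, None   # value is stale after any branch
        elif mnem == "call_rel":
            rax = None                      # a call clobbers RAX with its return value
        off += size
    return bytes(patched), resolved


def label_callees(resolved: dict) -> dict:
    """Name each resolved target: a known API name or a generic sub_XXXX label."""
    return {site: KNOWN_APIS.get(tgt, f"sub_{tgt:X}") for site, tgt in resolved.items()}


# ---- constructed sample: two obfuscated chains as the loader might contain ----
def _mov(imm): return b"\x48\xB8" + struct.pack("<Q", imm)
def _add(imm): return b"\x48\x05" + struct.pack("<i", imm)
def _sub(imm): return b"\x48\x2D" + struct.pack("<i", imm)
def _xor(imm): return b"\x48\x35" + struct.pack("<i", imm)

BASE = 0x180001000   # made-up image base for the example
SAMPLE_CODE = (
    _mov(BASE) + _add(0x60) + _sub(0x20) + b"\xFF\xE0"            # 24 bytes: jmp rax -> BASE+0x40
    + b"\x90" * 40                                                # filler up to offset 0x40
    + _mov(0x7FF812345000 ^ 0x1337) + _xor(0x1337) + b"\xFF\xD0"  # call rax -> GlobalMemoryStatusEx
)

if __name__ == "__main__":
    patched, resolved = resolve_indirect_branches(SAMPLE_CODE, BASE)
    for site, name in label_callees(resolved).items():
        print(f"{site:#x}: indirect branch -> {resolved[site]:#x} ({name})")
    print("patched head:", patched[:5].hex(), "->", decode(patched, 0))
```

The walk is linear and only follows a single register, which is enough for the mov/add/sub/xor chains shown here; the real loader computes RAX from memory and other registers, which is why the report reached for a full CPU emulator rather than a hand-written one. Two design points carry over directly: the rewrite must start at the first instruction of the chain (a 2-byte `jmp rax` alone has no room for a 5-byte `jmp rel32`), and a `call rax` should be annotated rather than rewritten, since the callee's prototype is what IDA needs to label arguments.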
After de-obfuscating the control flow and function calls, the malware's core logic became evident. A key finding was an anti-sandbox check: the loader queries the system's physical memory with GlobalMemoryStatusEx and only unpacks and executes the payload if the machine has at least 6 GB of RAM.
This sandbox-aware execution is a hallmark of modern malware engineered to avoid automated analysis environments, which are often provisioned with little memory, and to run only on real targets. Defenders who detonate samples in a sandbox should give the analysis VM more than 6 GB of RAM, or hook GlobalMemoryStatusEx to report a larger value, so that the gate is passed and the payload actually runs.
The SLOW#TEMPEST campaign highlights the need for malware analysis techniques that go beyond static disassembly. Dynamic analysis, emulation frameworks like Unicorn, and tools like IDA Pro, the Hex-Rays decompiler, and custom IDAPython scripts are essential to peeling back these layers of evasion.
“The success of the SLOW#TEMPEST campaign using these techniques demonstrates the potential impact of advanced obfuscation on organizations,” the report concludes.