- Security researchers Zscaler found a new loader used in different infostealing campaigns
- CoffeeLoader uses multiple tricks to bypass security and drop additional payloads
- Interestingly enough, it executes the code on the system’s GPU
Security researchers have found a dangerous new malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and concerning way.
Researchers from Zscaler ThreatLabz said they recently observed CoffeeLoader in the wild, describing it as a “sophisticated” malware loader.
For detection evasion, CoffeeLoader uses a number of features, including call stack spoofing, sleep obfuscation, and the use of Windows fibers, the researchers said. Call stacks can be described as a digital breadcrumb trail that records which functions a program has called. Security tools can use call stacks to track program behavior, and detect suspicious activity. CoffeeLoader, however, hides its tracks by forging a fake breadcrumb trail.
Armoury
A malware loader’s task usually is to infiltrate a system and execute or download additional malware, such as ransomware or spyware. It acts as the initial infection stage, often evading detection by security tools before deploying the main payload.
Sleep obfuscation makes the malware’s code and data encrypted while the tool is in a sleep state – therefore, the malware’s unencrypted artifacts are present in memory only when the code is being executed.
Zscaler describes Windows fibers as an “obscure and lightweight mechanism for implementing user-mode multitasking.”
Fibers allow a single threat to have multiple execution contexts (fibers), which the application can switch between, manually. CoffeeLoader uses Windows fibers to implement sleep obfuscation.
But perhaps the most concerning aspect of the loader is Armoury, a packer that executes the code on the system’s GPU, hindering analysis in virtual environments.
“After the GPU executes the function, the decoded output buffer contains self-modifying shellcode, which is then passed back to the CPU to decrypt and execute the underlying malware,” the researchers explained.
“ThreatLabz has observed this packer used to protect both SmokeLoader and CoffeeLoader payloads.”
The researchers said they saw CoffeeLoader being used to deploy Rhadamanthys shellcode, meaning it is deployed in infostealing campaigns.
Leave a comment