CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus Detection

Mar 28, 2025 | Ravie Lakshmanan | Endpoint Security / Threat Intelligence

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that is designed to download and execute secondary payloads.

The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader called SmokeLoader.

“The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products,” Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week.

“The malware uses numerous techniques to bypass security solutions, including a specialized packer that uses the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.”


CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable.

Central to the malware is a packer dubbed Armoury that executes code on a system’s GPU to complicate analysis in virtual environments. It has been so named because it impersonates the legitimate Armoury Crate utility developed by ASUS.

The infection sequence begins with a dropper that, among other things, attempts to execute a DLL payload packed by Armoury (“ArmouryAIOSDK.dll” or “ArmouryA.dll”) with elevated privileges, but not before attempting to bypass User Account Control (UAC) if the dropper does not have the necessary permissions.

The dropper is also designed to establish persistence on the host by means of a scheduled task that is configured to run either upon user logon with the highest run level or every 10 minutes. This step is followed by the execution of a stager component that, in turn, loads the main module.
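A defender-side hunt over the persistence traits described above, written as an added example (not Zscaler’s or the malware’s own code): it parses exported Task Scheduler XML and flags tasks that pair a logon-with-highest-run-level or 10-minute trigger with one of the reported Armoury DLL names. The sample task definitions are constructed, the rundll32 launch line in the suspicious sample is an assumption, and a match on a host that genuinely runs ASUS Armoury Crate still needs manual review.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# DLL names reported for the Armoury-packed payload, which impersonates ASUS Armoury Crate.
ARMOURY_DLL = re.compile(r"Armoury(?:AIOSDK|A)\.dll", re.IGNORECASE)

def assess_task(task_xml: str) -> dict:
    """Return the CoffeeLoader-style persistence traits present in one task definition."""
    root = ET.fromstring(task_xml)
    has_logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    highest = any(r.text == "HighestAvailable"
                  for r in root.findall("t:Principals/t:Principal/t:RunLevel", NS))
    # Repetition sits directly under each trigger element (LogonTrigger, TimeTrigger, ...).
    every_10m = any(i.text == "PT10M"
                    for i in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS))
    exec_text = " ".join(e.text or "" for e in root.findall("t:Actions/t:Exec/*", NS))
    traits = {
        "logon_highest": has_logon and highest,
        "every_10_min": every_10m,
        "armoury_dll": bool(ARMOURY_DLL.search(exec_text)),
    }
    traits["suspicious"] = traits["armoury_dll"] and (traits["logon_highest"] or traits["every_10_min"])
    return traits

# Constructed sample (not a real capture); the rundll32 launch line is an assumption.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\ArmouryAIOSDK.dll,#1</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task: a daily, least-privilege job running an unrelated binary.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_task(SUSPICIOUS_TASK), assess_task(BENIGN_TASK))
```

On a live host the same function can be run over each file under C:\Windows\System32\Tasks, which stores task definitions in this XML format.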

“The main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs) including call stack spoofing, sleep obfuscation, and leveraging Windows Fibers,” Stone-Gross said.

These methods are capable of faking a call stack to obscure the origin of a function call and obfuscating the payload while it is in a sleep state, thereby allowing it to sidestep detection by security software.

The ultimate goal of CoffeeLoader is to contact a C2 server via HTTPS in order to obtain the next-stage malware. This includes commands to inject and execute Rhadamanthys shellcode.


Zscaler said it identified a number of commonalities between CoffeeLoader and SmokeLoader at the source code level, raising the possibility that it may be the next major iteration of the latter, particularly in the aftermath of a law enforcement effort last year that took down its infrastructure.

“There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear,” the company said.

The development comes as Seqrite Labs detailed a phishing email campaign to kickstart a multi-stage infection chain that drops an information-stealing malware called Snake Keylogger.

It also follows another cluster of activity that has targeted users engaging in cryptocurrency trading via Reddit posts advertising cracked versions of TradingView to trick users into installing stealers like Lumma and Atomic on Windows and macOS systems.
