Newly identified CoffeeLoader uses multiple evasion techniques and persistence mechanisms to deploy payloads and bypass endpoint security
Analysis Summary
# Tool/Technique: CoffeeLoader
## Overview
CoffeeLoader is a newly identified malware loader observed deploying second-stage payloads while incorporating multiple sophisticated techniques to bypass endpoint security measures and analysis environments. It has been seen operating in conjunction with the SmokeLoader malware.
## Technical Details
- Type: Malware Loader
- Platform: Windows (implied by use of Windows Task Scheduler and standard Windows utilities)
- Capabilities: Evasion using packing (Armoury), call stack spoofing, memory state obfuscation (sleep obfuscation), payload delivery, and persistence via Scheduled Tasks.
- First Seen: September 2024 (tracked by Zscaler ThreatLabz)
## MITRE ATT&CK Mapping
(Note: Specific mappings are derived from described behaviors, as the article details evasion techniques relevant to multiple tactics.)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.003 - Obfuscation: File Encryption (Related to encrypting memory state)
  - T1055 - Process Injection
  - T1070 - Indicator Removal on Host (Related to hiding analysis artifacts)
- **TA0003 - Persistence**
  - T1053 - Scheduled Task/Job
    - T1053.005 - Scheduled Task
## Functionality
### Core Capabilities
- **Payload Delivery:** Loads and executes further malicious payloads after initial infection.
- **Persistence:** Establishes persistence on compromised systems, primarily through Windows Task Scheduler.
  - Newer versions schedule tasks to run every 10 minutes.
  - Older versions executed every 30 minutes or at logon.
- **Dropper Functionality:** Copies its payload to specific directories contingent on the compromised user's privileges (admin vs. standard user).
### Advanced Features
- **Armoury Packer/Impersonation:** Utilizes "Armoury," a GPU-based packer that impersonates the legitimate ASUS Armoury Crate utility to complicate analysis within virtual environments (sandbox evasion).
- **Call Stack Spoofing:** Employs call stack spoofing to mask the origin of function calls, a technique previously noted in BokuLoader.
- **Sleep Obfuscation:** Encrypts its memory state when idle to evade detection by security scans that monitor memory while the process is inactive.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: [Not specified in the provided text, though its dropper copies payloads to specific directories based on privilege level]
- Registry Keys: [Not specified in the provided text]
- Network Indicators: [Not specified in the provided text]
- Behavioral Indicators:
  - Creation of scheduled tasks running every 10 minutes (or 30 minutes/at logon in older versions).
  - Use of processes mimicking 'ASUS Armoury Crate' during execution due to packing.
## Associated Threat Actors
- Associated with operations deploying **SmokeLoader**. (Specific threat actor group name not provided)
## Detection Methods
- Signature-based detection: Signatures may be developed against the distinctive file structure or strings of the "Armoury" packer.
- Behavioral detection: Monitor for scheduled tasks created with a short repetition interval (every 10 minutes in current versions; 30 minutes or at logon in older ones), and for processes that encrypt their own memory while idle (sleep obfuscation).
- YARA rules: YARA rules may target the specific characteristics of the Armoury packer.
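The scheduled-task heuristic above, as an added example that is not part of the report: it parses Task Scheduler XML (the format carried in the TaskContent field of Security event 4698) and flags definitions whose repetition interval is 30 minutes or less, or that fire at logon. The task XML, the 30-minute threshold and the executable path are constructed for this example, not indicators from the report.

```python
"""Triage Scheduled Task definitions for the persistence cadence described in the
report: repetition every 10 minutes, or 30 minutes / at logon in older builds."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_SUSPECT_MINUTES = 30  # assumption: intervals at or below this are flagged

def iso_duration_minutes(value):
    """Convert an ISO-8601 duration (PT10M, PT1H30M, P1DT2H) to minutes; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(task_xml):
    """Return the reasons a task definition matches the loader's persistence pattern."""
    root = ET.fromstring(task_xml)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        minutes = iso_duration_minutes((interval.text or "").strip())
        if minutes is not None and minutes <= MAX_SUSPECT_MINUTES:
            findings.append(f"repeats every {minutes:g} min")
    if root.find(".//t:LogonTrigger", TASK_NS) is not None:
        findings.append("runs at logon")
    if findings:  # include the action so an analyst can pivot to the binary
        command = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
        findings.append(f"command: {command.strip()}")
    return findings

# Constructed sample: a task repeating every 10 minutes that launches a binary
# from a placeholder path (no XML declaration, so ElementTree accepts a str).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\PLACEHOLDER\\loader.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in triage_task(SAMPLE_TASK_XML):
        print(finding)
```

In practice the XML comes from the TaskContent field of each 4698 event (or from exported task files under the Tasks folder), so the same function can be run over a batch of recent task creations.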
## Mitigation Strategies
- **Endpoint Protection:** Deploying modern EDR solutions capable of analyzing process injection techniques and memory state changes (detecting sleep obfuscation).
- **Privilege Management:** Limiting user privileges to reduce the impact of payload placement in higher-level directories.
- **Scheduled Task Monitoring:** Rigorously auditing the creation and execution frequency of Windows Scheduled Tasks.
- **Vulnerability Management:** Patching systems to prevent the initial delivery mechanism (which is often tied to established infection vectors used by loaders).
## Related Tools/Techniques
- **SmokeLoader:** Observed being deployed by CoffeeLoader operations.
- **BokuLoader:** Shares the call stack spoofing technique.