Full Report
Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader. "The purpose of the malware is to download and execute second-stage payloads while evading
Analysis Summary
# Tool/Technique: CoffeeLoader
## Overview
CoffeeLoader is a sophisticated malware designed to download and execute secondary payloads while prioritizing evasion of endpoint security products like EDR and Antivirus through several advanced techniques, notably its use of a GPU-based packer dubbed Armoury. It shares behavioral similarities with the known malware loader SmokeLoader.
## Technical Details
- Type: Malware Family
- Platform: Windows (implied by reference to Windows fibers, UAC, and ASUS Armoury Crate)
- Capabilities: Downloads and executes second-stage payloads, evades security solutions, establishes persistence, contacts C2 via HTTPS, implements DGA as a fallback.
- First Seen: Around September 2024
## MITRE ATT&CK Mapping
*Note: Specific T numbers are not provided in the text, so mappings are derived based on described functionality.*
- **Defense Evasion**
  - Obfuscation/Anti-Analysis Techniques (Call Stack Spoofing, Sleep Obfuscation, GPU execution)
- **Execution**
  - Execution of secondary payloads (DLL/Shellcode injection)
- **Defense Evasion / Execution**
  - Bypassing User Account Control (UAC)
- **Persistence**
  - Establishing persistence via Scheduled Task
## Functionality
### Core Capabilities
- **Payload Delivery:** Downloads and executes secondary malware, including Rhadamanthys shellcode.
- **Persistence:** Establishes persistence using a Scheduled Task configured to run upon user logon (highest run level) or every 10 minutes.
- **C2 Communication:** Communicates with C2 servers over HTTPS, with a Domain Generation Algorithm (DGA) as a fallback channel if the primary servers are unreachable.
### Advanced Features
- **Armoury Packer:** A specialized packer that executes malicious code on the system's Graphics Processing Unit (GPU) to complicate analysis, especially in virtual environments. It masquerades as the legitimate ASUS Armoury Crate utility.
- **Call Stack Spoofing:** Fakes the function call stack to obscure the true origin of malicious function calls, confusing security instrumentation.
- **Sleep Obfuscation:** Obfuscates its in-memory payload while the loader sleeps, so memory scans run during those idle periods do not see the decoded code.
- **Windows Fibers:** Leverages Windows Fibers for execution control to further aid evasion.
- **UAC Bypass:** Attempts to bypass User Account Control (UAC) if the initial dropper does not possess elevated privileges.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: "ArmouryAIOSDK.dll", "ArmouryA.dll" (Packed DLL payloads)
- Registry Keys: [Not provided in the source text]
- Network Indicators: Contacts C2 servers over HTTPS; potentially uses domains generated by a DGA.
- Behavioral Indicators: Creation of a Scheduled Task for persistence; process behavior mimicking ASUS Armoury Crate operations; memory/execution artifacts related to hidden GPU code execution.
## Associated Threat Actors
- Potential successor or evolution of **SmokeLoader**.
- The operating group is currently unconfirmed; the loader's evasion tooling points to a sophisticated developer focused on defeating endpoint security products.
## Detection Methods
- Signature-based detection: Signatures for the reported file names ("ArmouryAIOSDK.dll", "ArmouryA.dll").
- Behavioral detection: Monitoring for behaviors such as unexpected UAC interaction, the creation of high-privilege scheduled tasks with suspicious names or actions, and suspicious activity originating from otherwise legitimate processes (e.g., GPU-related activity in a process that has no graphics role).
- YARA rules if available: [Not provided in the source text]
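An added example (not from the report or from Zscaler) of the scheduled-task behavioral check above: it parses a Task Scheduler task definition, as exported by `schtasks /Query /TN <name> /XML` or carried in Security Event ID 4698, and flags the pattern the report describes (logon trigger with highest run level, a 10-minute repetition, or an action referencing the Armoury-themed DLL names). The sample task XML, its rundll32 path and the export name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (used by schtasks /XML exports and Event ID 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# DLL names the report associates with CoffeeLoader's packed payloads.
SUSPECT_NAMES = ("armouryaiosdk.dll", "armourya.dll")

def assess_task(task_xml: str) -> list[str]:
    """Return the reasons a task definition matches the persistence pattern
    described for CoffeeLoader; an empty list means no match."""
    root = ET.fromstring(task_xml)
    reasons = []
    # RunLevel HighestAvailable: the task runs with the highest privileges available.
    elevated = any(rl.text == "HighestAvailable"
                   for rl in root.iterfind(".//t:Principal/t:RunLevel", NS))
    logon = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    if elevated and logon:
        reasons.append("runs at logon with highest run level")
    # Repetition interval PT10M is an ISO 8601 duration of 10 minutes.
    if any(i.text == "PT10M" for i in root.iterfind(".//t:Repetition/t:Interval", NS)):
        reasons.append("repeats every 10 minutes")
    # Any Exec command or argument naming one of the Armoury-themed DLLs.
    for node in root.iterfind(".//t:Exec/*", NS):
        if any(n in (node.text or "").lower() for n in SUSPECT_NAMES):
            reasons.append(f"action references {node.text}")
            break
    return reasons

# Constructed sample task definition (not a real CoffeeLoader artifact); the
# rundll32 path and export name are placeholders.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-09-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\ArmouryAIOSDK.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_task(SAMPLE_TASK))
```

Run it across every definition returned by `schtasks /Query /XML` and review any task that returns a non-empty list; the 10-minute and logon checks alone will also match some legitimate software, so treat the DLL-name hit as the strongest signal.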
## Mitigation Strategies
- Prevention measures: Implement strict application control/whitelisting.
- Hardening recommendations: Employ EDR solutions capable of analyzing low-level system calls and kernel activity, specifically looking for call stack anomalies and suspicious use of Windows fibers or sleep APIs. Restrict execution privileges where possible.
- Monitor for unusual activity around GPU-related APIs or libraries that are not associated with gaming or graphic rendering software.
## Related Tools/Techniques
- **SmokeLoader:** CoffeeLoader shares significant behavioral similarities, suggesting a linkage or direct evolution.
- **Rhadamanthys:** A known shellcode/malware mentioned as a potential second-stage payload delivered by CoffeeLoader.