Cybersecurity researchers are turning their attention to a new, sophisticated malware called Coffeeloader, which is designed to download and run secondary payloads.
According to Zscaler’s threat, malware shares behavioral similarity with another known malware loader known as Smokeloader.
“The purpose of malware is to download and run the second stage payload while avoiding detection by endpoint-based security products,” said Brett Stone-Gross, senior director of threat intelligence at Zscaler, in a technical article published this week.
“Malware uses numerous techniques to bypass security solutions, including GPUs, call stack spoofing, sleep obfuscation, and specialized packers, such as using Windows Fiber.”
The Coffeeloader, which occurred around September 2024, uses the Domain Generation Algorithm (DGA) as a fallback mechanism in case the main Command and Control (C2) channels are no longer reachable.
At the heart of malware is an armory called packers, which executes code on the system’s GPU to complicate analysis in virtual environments. It is named so because of the fact that it is impersonating a legitimate armored wooden frame utility developed by ASUS.
The infection sequence starts with a dropper trying to run a dll payload packed by Armory (“armouryaiosdk.dll” or “armourya.dll”), among other things, but not before attempting to bypass User Account Control (UAC) if the dropper doesn’t have the required option.
The dropper is also designed to establish host persistence using the highest running level user logon or scheduled tasks configured to run every 10 minutes. This step is successful by running the stager component that loads the main module.
“The main modules implement numerous techniques to avoid detection by antivirus (AV) and endpoint detection and response (EDR), including call stack spoofing, sleep obfuscation, and window fiber utilization,” Stone-Gross said.
These methods obscure the origin of function calls and allow forgery of call stacks to obfuscate payloads during sleep states, thereby avoiding detection by security software.
The ultimate goal of Coffeeloader is to contact the C2 server via HTTPS to get the next stage of malware. This includes commands to inject and run Rhadamanthys shellcode.
Zscaler said he identified many commonalities between Coffeeloader and Smokeloader at the source code level, increasing the likelihood of being the next major iteration, particularly in the aftermath of last year’s law enforcement efforts that removed infrastructure.
“There are also significant similarities between Smokeloader and Coffeeloader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear,” the company said.
The development is underway as Seqrite Labs details a phishing email campaign to kickstart a multi-stage infection chain that drops information-stolen malware called Snake Keylogger.
It also advertises a cracked version of TradingView following a cluster of activities targeted at users engaged in cryptocurrency trading via Reddit posts, and tricks users into installing steel such as Lumma, Atomic on Windows and Macos systems.
Source link
