Zscaler ThreatLabz has identified CoffeeLoader, a sophisticated malware loader that emerged in September 2024. Designed to deploy second-stage payloads while evading detection by endpoint security products, CoffeeLoader utilizes advanced evasion techniques, including GPU-based code execution, call stack spoofing, and Windows fiber manipulation.
CoffeeLoader’s Architecture
Packer (Armoury)
- GPU-Based Protection: Uses the GPU for executing decryption routines, making reverse engineering difficult in virtualized environments.
- Disguise Tactics: Impersonates legitimate ASUS software (Armoury Crate), hijacking its exports to mask malicious code.
- Technical Insight: The malware performs XOR operations with hardcoded strings to generate decryption keys, leveraging OpenCL for cross-platform compatibility.
Dropper
- Copies itself to the %PROGRAMDATA% or %LOCALAPPDATA% folders, depending on privilege levels.
- Persistence Mechanisms:
  - Uses Windows Task Scheduler to create tasks that execute at login or at regular intervals (every 10 minutes in the latest versions).
  - Bypasses User Account Control (UAC) via COM interfaces if elevated privileges are not available.
- Resolves API functions by hash to avoid signature-based detection.
Stager
- Process Injection: Launches a suspended dllhost.exe process and injects the main CoffeeLoader module using low-level Windows APIs.
- Custom Hashing Algorithm: Uses a unique hashing function (DJB2 for the main module) to resolve function addresses dynamically.
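Resolving hashed imports is the first step when triaging a loader like this. The script below is an added example for this summary, not Zscaler's or the malware's code; it builds a DJB2 hash to export-name table so an analyst can map the hash constants found in a sample back to API names. It assumes the classic DJB2 variant (seed 5381, h = h*33 + c, truncated to 32 bits) over the raw ASCII name; the report does not state the exact variant, so the seed and multiplier are parameters that can be adjusted to whatever the sample actually uses.

```python
"""Build a DJB2 hash -> API name lookup table for resolving hashed imports.

Added example, not code from the report or from CoffeeLoader.
Assumptions (not stated on the page): classic DJB2 (seed 5381,
h = h*33 + c) truncated to 32 bits, applied to the ASCII export name
without case folding. Loaders often tweak the seed or multiplier, so
both are parameters here.
"""

# Export names chosen for illustration; in practice feed the full
# export list of kernel32.dll, ntdll.dll, etc.
SAMPLE_EXPORTS = [
    "CreateProcessW",
    "VirtualAlloc",
    "WriteProcessMemory",
    "ResumeThread",
    "ConvertThreadToFiber",
    "CreateFiber",
]


def djb2(name: str, seed: int = 5381, mult: int = 33) -> int:
    """32-bit DJB2 hash of an ASCII export name."""
    h = seed
    for b in name.encode("ascii"):
        h = (h * mult + b) & 0xFFFFFFFF
    return h


def build_table(names, seed: int = 5381, mult: int = 33) -> dict:
    """Map hash -> export name for every name in `names`."""
    return {djb2(n, seed, mult): n for n in names}


def resolve(hashes, table: dict) -> list:
    """Return (hash, name-or-None) pairs; None means the hash is not in the table."""
    return [(h, table.get(h)) for h in hashes]


if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Hash constants as they might appear in a disassembly (constructed here).
    wanted = [djb2("VirtualAlloc"), djb2("CreateFiber"), 0x12345678]
    for h, name in resolve(wanted, table):
        print(f"0x{h:08x} -> {name or '<unknown>'}")
```

If no name resolves, try the usual variants first (different seed, XOR instead of add, lowercase or wide-char input) before assuming a custom algorithm; each is a one-line change to `djb2`.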
Main Module
- Call Stack Spoofing: Forges stack frames to mask the origin of function calls, bypassing detection tools that analyze call stacks.
- Sleep Obfuscation: Encrypts its code while idle, reducing the chance of detection by memory scanners.
- Windows Fibers: Uses fibers for lightweight multitasking to evade monitoring tools that focus on traditional threads.
Network Protocol
- HTTPS C2 Communication: Uses encrypted POST requests with a spoofed user-agent mimicking an iPhone to blend with legitimate traffic.
- Certificate Pinning: Pins the C2 server certificate so that TLS-inspecting proxies and analyst man-in-the-middle (MitM) setups cannot intercept the C2 traffic.
- Domain Generation Algorithm (DGA): Generates new C2 domains daily, using date-based seeding to maintain communication even if hardcoded domains are blocked.
Connections to SmokeLoader
- Both malware families use stagers to inject main modules into processes.
- They generate bot IDs based on system information like the computer name and volume serial number.
- Both employ RC4 encryption for C2 traffic and scheduled tasks for persistence.
- While CoffeeLoader shares many traits with SmokeLoader, it’s unclear whether it’s an upgraded version or an independent malware family.
The Bottom Line
Security teams should improve their detection capabilities, focusing on GPU activity monitoring, unusual process injections, and encrypted C2 traffic patterns to counteract CoffeeLoader’s tactics.
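Two of the behaviours described above (a scheduled task repeating every 10 minutes with its action in %PROGRAMDATA% or %LOCALAPPDATA%, and dllhost.exe spawned by something other than the usual system parent) are easy to turn into endpoint detection logic. The pass below is an added example, not Zscaler's code and not a signature from the report; the event records are constructed for illustration, and the rules are heuristics (the dllhost parent check assumes the normal parent is svchost.exe under System32, which is the common case but should be tuned per environment).

```python
"""Toy detection pass over constructed endpoint telemetry for two behaviours
the summary attributes to CoffeeLoader's dropper and stager.

Added example, not Zscaler's code. The event dictionaries below are
constructed sample data, and the rules are heuristics rather than
signatures taken from the report.
"""

import re

# Constructed sample events (not real telemetry).
EVENTS = [
    {"type": "task_create", "interval": "PT10M",
     "action": r"C:\ProgramData\upd\svc.exe"},
    {"type": "task_create", "interval": "P1D",
     "action": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Users\u\AppData\Local\upd\svc.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# %PROGRAMDATA% or a user's %LOCALAPPDATA% (the staging folders named above).
USER_WRITABLE = re.compile(
    r"^c:\\(programdata|users\\[^\\]+\\appdata\\local)\\", re.IGNORECASE
)


def suspicious_task(ev: dict) -> bool:
    """Task repeating every 10 minutes whose action runs from a staging folder."""
    return (
        ev["type"] == "task_create"
        and ev["interval"] == "PT10M"
        and USER_WRITABLE.match(ev["action"]) is not None
    )


def suspicious_dllhost(ev: dict) -> bool:
    """dllhost.exe whose parent lives in a user-writable folder.

    Heuristic assumption: dllhost.exe is normally started by a system
    service host, not by a binary under ProgramData or AppData.
    """
    return (
        ev["type"] == "process_create"
        and ev["image"].lower().endswith(r"\dllhost.exe")
        and USER_WRITABLE.match(ev["parent"]) is not None
    )


def triage(events) -> list:
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if suspicious_task(ev):
            hits.append(("task_10min_from_userwritable", ev["action"]))
        elif suspicious_dllhost(ev):
            hits.append(("dllhost_unusual_parent", ev["parent"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"{rule}: {evidence}")
```

Both rules are deliberately narrow: the task rule keys on the 10-minute repetition the report describes, and the dllhost rule on the parent path rather than on dllhost.exe itself, so normal COM surrogate activity does not fire.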
IOC
- https://freeimagecdn[.]com/
- https://mvnrepo[.]net/
- c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9
- 8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552
- 5538b88eb2effa211a9c324b001e02802b7ccd0008b3af9284e32ab105dc9e6f
- 70fafd3fefca2fd4a061d34e781136f93a47d856987832041d3c703658d60fc1
- bc1b750338bc3013517e5792da59fba0d9aa3965a9f65c2be7a584e9a70c5d91
- 5fcd2e12723081f512fa438301690fb310610f4de3c191c7c732d56ece7f0499
Source: hxxps[://]www[.]zscaler[.]com/blogs/security-research/coffeeloader-brew-stealthy-techniques
