A newly documented malware loader called CoffeeLoader deploys second-stage payloads while evading endpoint security controls. Researchers at Zscaler ThreatLabz have tracked the malware since it surfaced in September 2024 and note behavioral overlaps with SmokeLoader.
CoffeeLoader combines several techniques to avoid detection. It is packed with Armoury, a GPU-based packer named after ASUS' Armoury Crate utility, which it impersonates; because the unpacking code executes on the GPU, the sample is hard to analyze in virtual machines and sandboxes that do not expose one. It also spoofs its call stack to hide the true origin of API calls from security tools that walk the stack, a technique reminiscent of BokuLoader. Additionally, the malware uses sleep obfuscation, encrypting its own memory while idle so that memory scanners do not see the decrypted code.
Once CoffeeLoader is installed, its dropper copies the payload to a directory chosen according to the user's privilege level. Where administrative rights are available, the malware establishes persistence through the Windows Task Scheduler. Recent versions have been observed creating scheduled tasks that run every 10 minutes, whereas older iterations ran every 30 minutes or at logon.
The stager component injects the main module into a suspended system process and redirects that process's thread to execute the injected code. The main module further obscures its execution by running on Windows fibers, a user-mode cooperative multitasking mechanism that few security tools monitor.
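The scheduled-task persistence described above leaves an artifact that a responder can triage offline. The following Python is an added example, not Zscaler's or CoffeeLoader's code: it parses an exported Task Scheduler XML definition (as written by `schtasks /query /tn <name> /xml`, or found under `C:\Windows\System32\Tasks`) and flags the two traits the article associates with loader persistence, a trigger that repeats at a short interval or fires at logon, combined with an action whose executable sits outside the usual installer directories. The sample task XML, the trusted-directory list and the 15-minute threshold are constructed assumptions for the example.

```python
"""Triage exported Windows Task Scheduler XML for loader-style persistence.

Added example, not the malware's or Zscaler's code. The task XML schema and
namespace are Microsoft's; the sample task, the trusted-path list and the
interval threshold below are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a legitimate installer normally writes to; anything else is
# treated as user-writable for this example (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SHORT_INTERVAL_MIN = 15  # assumed threshold; the article reports 10-minute tasks

# ISO 8601 duration as used by <Interval>, e.g. PT10M, PT1H30M, P1D.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration string to minutes."""
    m = _DURATION.match(value.strip())
    if not m or value.strip() in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text):
    """Return findings for one task definition (a dict, see keys below)."""
    root = ET.fromstring(xml_text)
    findings = {
        "min_interval_min": None,   # shortest repetition interval, if any
        "short_repeat": False,      # repeats at or below SHORT_INTERVAL_MIN
        "logon_trigger": False,     # has a <LogonTrigger>
        "untrusted_path": [],       # Exec commands outside TRUSTED_PREFIXES
    }
    # <Repetition> only occurs inside a trigger, so a tree-wide search is safe.
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(interval.text or "")
        if findings["min_interval_min"] is None or minutes < findings["min_interval_min"]:
            findings["min_interval_min"] = minutes
        if minutes <= SHORT_INTERVAL_MIN:
            findings["short_repeat"] = True
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        findings["logon_trigger"] = True
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip()
        path = raw.strip('"').lower()
        if not path.startswith(TRUSTED_PREFIXES):
            findings["untrusted_path"].append(raw)
    # Both traits together are what the article describes; either alone is common.
    findings["suspicious"] = bool(findings["untrusted_path"]) and (
        findings["short_repeat"] or findings["logon_trigger"]
    )
    return findings


# Constructed sample: a task repeating every 10 minutes from ProgramData.
SAMPLE_TASK_XML = """
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\ExampleVendor\\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed sample: a daily task launching a Program Files binary.
BENIGN_TASK_XML = """
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-09-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\ExampleVendor\\svc.exe"</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, triage_task(xml))
```

Run it against every file under the Tasks directory of a suspect host; a task whose executable lives under `ProgramData`, `AppData` or `Temp` and that repeats every few minutes is worth a closer look, while a short repeat interval alone is common for telemetry and updater tasks.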
Communication with the command-and-control (C2) server takes place over HTTPS. CoffeeLoader sends a hardcoded User-Agent string that mimics an iPhone so its traffic blends in, and it pins the server certificate so that TLS-intercepting proxies cannot read or tamper with the exchange. The protocol has two primary request types: registration and task retrieval.
On registration, CoffeeLoader receives a unique bot ID, which it then uses to poll for tasks. Tasks may instruct it to inject shellcode, run an executable, or change its sleep obfuscation settings. Taken together, the loader blends familiar evasion tactics with GPU-based unpacking and scheduled-task persistence.
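A hardcoded mobile User-Agent only blends in if nobody compares it with the asset that sent it. The following Python is an added example, not Zscaler's or the malware's code: it runs over a few constructed proxy log lines and an asset inventory and flags Windows hosts whose outbound HTTPS requests claim to come from an iPhone or other mobile device. The log format (tab-separated timestamp, client IP, destination host, User-Agent), the inventory mapping and the User-Agent strings are all constructed assumptions; the real CoffeeLoader string is not reproduced here.

```python
"""Flag User-Agent / host-OS mismatches in proxy logs.

Added example, not from the article or the malware. Log lines, inventory
and User-Agent strings are constructed; the exact string used by
CoffeeLoader is not shown in the source and is not reproduced here.
"""
from collections import defaultdict

# Tokens that identify a mobile client in a User-Agent string (assumption).
MOBILE_TOKENS = ("iphone", "ipad", "android", "mobile safari")

# Constructed asset inventory: client IP -> operating system family.
INVENTORY = {
    "10.0.1.15": "windows",
    "10.0.1.16": "windows",
    "10.0.2.40": "ios",
}

# Constructed proxy log: timestamp, client IP, destination host, User-Agent.
PROXY_LOG = """\
2025-03-01T09:00:01Z\t10.0.1.15\tupdate.example-vendor.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0
2025-03-01T09:00:07Z\t10.0.1.16\tcdn.example-static.test\tMozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148
2025-03-01T09:10:07Z\t10.0.1.16\tcdn.example-static.test\tMozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148
2025-03-01T09:20:07Z\t10.0.1.16\tcdn.example-static.test\tMozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148
2025-03-01T09:01:12Z\t10.0.2.40\tmail.example-corp.test\tMozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148
2025-03-01T09:02:30Z\t10.0.1.15\tmail.example-corp.test\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0
"""


def parse_log(text):
    """Yield (timestamp, client_ip, dest_host, user_agent) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, ua = line.split("\t", 3)
        yield ts, ip, host, ua


def is_mobile_ua(user_agent):
    """True if the User-Agent claims a mobile client."""
    ua = user_agent.lower()
    return any(token in ua for token in MOBILE_TOKENS)


def find_mismatches(log_text, inventory):
    """Return {(client_ip, dest_host): count} for mobile UAs sent by non-mobile hosts.

    Hosts missing from the inventory are skipped rather than guessed.
    """
    hits = defaultdict(int)
    for _ts, ip, host, ua in parse_log(log_text):
        os_family = inventory.get(ip)
        if os_family is None or os_family in ("ios", "android"):
            continue
        if is_mobile_ua(ua):
            hits[(ip, host)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, host), n in sorted(find_mismatches(PROXY_LOG, INVENTORY).items()):
        print(f"{ip} -> {host}: {n} request(s) with a mobile User-Agent from a Windows host")
```

The count per client and destination matters as much as the mismatch itself: a single request can be a user pasting a link from a phone into a desktop browser extension, whereas the same Windows host contacting the same domain on a fixed cadence with a mobile User-Agent matches the beaconing pattern described above. Because the loader pins the server certificate, the proxy will also see the TLS session fail or be abandoned if it attempts to intercept it, which is itself a useful signal to correlate.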
According to Zscaler, CoffeeLoader offers advanced features that are advantageous for threat actors seeking to outmaneuver antivirus software, endpoint detection and response (EDR) solutions, and malware sandboxes. While similarities between SmokeLoader and CoffeeLoader have been observed, the exact relationship between the two malware families remains unclear.
Security experts are closely monitoring the development and utilization of CoffeeLoader in cybercriminal activities to better understand its capabilities and potential impact. As cyber threats continue to evolve, staying vigilant against such sophisticated malware remains critical in safeguarding digital assets and networks.