CoffeeLoader: A Sophisticated Malware Packer Using GPU-Based Packing to Evade Detection

Zscaler ThreatLabz has discovered CoffeeLoader, a sophisticated malware family that uses multiple techniques to bypass security solutions and evade endpoint detection. The malware is protected by a GPU-based packer, tracked as Armoury, which executes code on the system's GPU to hinder analysis in virtual environments.

CoffeeLoader is distributed via SmokeLoader, with which it shares behavioral similarities. According to Zscaler's report, "CoffeeLoader implements a number of features to defeat endpoint security software such as call stack spoofing, sleep obfuscation, and the use of Windows fibers." The loader leverages Armoury, a packer that executes code on a system’s GPU to hinder analysis in virtual environments.

The malware falls back to a domain generation algorithm (DGA) if the primary command and control servers are unavailable. ThreatLabz researchers reported that CoffeeLoader is being used to deploy the Rhadamanthys info-stealer.

How Armoury Works

CoffeeLoader's unique packer, Armoury, executes code on a system’s GPU to hinder analysis in virtual environments. Experts have been tracking this packer as Armoury because it impersonates the legitimate Armoury Crate utility developed by ASUS. The packer is used to protect CoffeeLoader samples from reverse engineering and detection by security tools.

The dropper executes an installation routine, with multiple variants implementing different functionalities. One version copies the packed DLL (ArmouryAIOSDK.dll) to the user’s temp directory and executes it via rundll32.exe, using either direct execution (with elevated privileges) or a UAC bypass (if not elevated). The researchers noted that this variant does not maintain persistence.

Other versions achieve persistence by copying the DLL to %PROGRAMDATA% (with elevated privileges) or %LOCALAPPDATA% (without), setting restrictive file permissions, and scheduling a task (AsusUpdateServiceUA) via schtasks.exe or the Windows ITaskScheduler COM interface. Older versions schedule execution on user logon, while recent ones set it to run every 10 minutes.
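The installation routine above leaves two host artifacts a defender can hunt for: the packed DLL named ArmouryAIOSDK.dll in the cited drop directories, and a scheduled task named AsusUpdateServiceUA that runs it through rundll32.exe. The following script is an added example (not Zscaler's code or anything from the report) that checks exported schtasks output and file paths for those artifacts. The CSV sample is constructed, the rundll32 argument `,#1` is a placeholder because the page does not name the DLL's export, and the live collection path only does anything on Windows.

```python
"""Hunt for the CoffeeLoader dropper's persistence artifacts described above."""
import csv
import io
import ntpath
import os
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

# Names taken from the text; the drop directories are the environment variables it cites.
TASK_NAME = "AsusUpdateServiceUA"
DLL_NAME = "ArmouryAIOSDK.dll"
DROP_DIR_VARS = ("TEMP", "PROGRAMDATA", "LOCALAPPDATA")


@dataclass
class Finding:
    kind: str    # "task" or "file"
    detail: str


def match_task(task_name: str, task_to_run: str) -> List[Finding]:
    """Flag a task by its leaf name, or by a rundll32 command that loads the packed DLL."""
    findings = []
    leaf = task_name.rsplit("\\", 1)[-1]
    if leaf.lower() == TASK_NAME.lower():
        findings.append(Finding("task", f"task named {task_name}"))
    cmd = task_to_run.lower()
    if "rundll32" in cmd and DLL_NAME.lower() in cmd:
        findings.append(Finding("task", f"{task_name} runs {task_to_run}"))
    return findings


def scan_tasks_csv(csv_text: str) -> List[Finding]:
    """Parse `schtasks /query /fo CSV /v` output; repeated header rows are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":
            continue
        findings.extend(match_task(name, row.get("Task To Run", "")))
    return findings


def scan_paths(paths: Iterable[str]) -> List[Finding]:
    """Flag any path whose file name is the packed DLL (ntpath so Windows paths parse anywhere)."""
    return [Finding("file", p) for p in paths
            if ntpath.basename(p).lower() == DLL_NAME.lower()]


def candidate_drop_paths() -> List[str]:
    """Expected drop locations built from the environment; meaningful only on Windows."""
    return [os.path.join(os.environ[v], DLL_NAME) for v in DROP_DIR_VARS if v in os.environ]


def live_scan() -> List[Finding]:
    """Collect from the running host; returns [] on non-Windows hosts."""
    if os.name != "nt":
        return []
    proc = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                          capture_output=True, text=True)
    findings = scan_tasks_csv(proc.stdout)
    findings.extend(scan_paths(p for p in candidate_drop_paths() if os.path.exists(p)))
    return findings


# Constructed schtasks output: two benign rows and one row shaped like the described task.
# The rundll32 argument ",#1" is a placeholder; the page does not name the DLL's export.
SAMPLE_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Task To Run"\n'
    '"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c"\n'
    '"PC1","\\AsusUpdateServiceUA","N/A","Ready","rundll32.exe C:\\ProgramData\\ArmouryAIOSDK.dll,#1"\n'
    '"PC1","\\OneDrive Standalone Update Task","N/A","Ready","C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"\n'
)

if __name__ == "__main__":
    for f in scan_tasks_csv(SAMPLE_CSV) + live_scan():
        print(f"[{f.kind}] {f.detail}")
```

Matching on the task's command line as well as its name matters because the name is trivial for the author to change between builds, while a rundll32 invocation of a DLL in %PROGRAMDATA% or %LOCALAPPDATA% is the behaviour the text describes.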

Advanced Evasion Techniques

The main CoffeeLoader module resolves API functions using the DJB2 algorithm and employs advanced evasion techniques, including call stack spoofing, sleep obfuscation, and Windows fibers. The malware supports several commands that enable it to inject and execute shellcode, executables, and DLLs.

CoffeeLoader supports call stack spoofing to mask its function call origins, evading security tools that analyze stack traces. It sets up synthetic stack frames and maps system calls dynamically, avoiding user-mode hooks. For sleep obfuscation, CoffeeLoader encrypts its memory while inactive, decrypting only during execution.
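Because CoffeeLoader resolves APIs by DJB2 hash rather than by name, an analyst reading the disassembly sees only 32-bit constants. The usual way back is to precompute the hash of every export of the DLLs of interest and look the constants up. The script below is an added example (not code from Zscaler or from the malware); the page does not say which DJB2 variant CoffeeLoader uses, so the additive form, the xor form, case folding and the hash width are all parameters here, and the export lists are constructed stand-ins for names parsed from real export tables.

```python
"""Map DJB2 hash constants found in a sample back to Windows API names."""
from typing import Dict, Iterable, Optional

SEED = 5381


def djb2(name: str, xor: bool = False, bits: int = 32, upper: bool = False) -> int:
    """Classic DJB2 (h = h*33 + c) or the xor variant (h = h*33 ^ c), truncated to `bits`."""
    mask = (1 << bits) - 1
    h = SEED
    for b in (name.upper() if upper else name).encode("ascii"):
        h = (h * 33) & mask
        h = (h ^ b) if xor else ((h + b) & mask)
    return h


def build_table(export_names: Iterable[str], **variant) -> Dict[int, str]:
    """Precompute hash -> export name for one variant, so lookups are O(1) per constant."""
    return {djb2(n, **variant): n for n in export_names}


def resolve(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Look each constant up; None marks hashes that no known export produced."""
    return {c: table.get(c) for c in constants}


def identify_variant(constant: int, expected_name: str) -> Optional[dict]:
    """Given one constant whose meaning is known from context (for example it is resolved
    right before a VirtualAlloc-shaped call), find which DJB2 variant reproduces it."""
    for xor in (False, True):
        for upper in (False, True):
            for bits in (32, 64):
                v = {"xor": xor, "upper": upper, "bits": bits}
                if djb2(expected_name, **v) == constant:
                    return v
    return None


# Constructed export lists; a real run would parse the export directories of the target DLLs.
KERNEL32_EXPORTS = ["VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
                    "GetProcAddress", "Sleep", "WriteProcessMemory", "CreateFileW"]
NTDLL_EXPORTS = ["NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtCreateThreadEx",
                 "NtWriteVirtualMemory", "RtlCreateUserThread"]

if __name__ == "__main__":
    table = build_table(KERNEL32_EXPORTS + NTDLL_EXPORTS)
    # Constructed "constants pulled from a disassembly": two resolvable, one not.
    sample_constants = [djb2("VirtualAlloc"), djb2("NtCreateThreadEx"), 0xDEADBEEF]
    for c, name in resolve(sample_constants, table).items():
        print(f"0x{c:08x} -> {name or '<unknown>'}")
    print(identify_variant(djb2("Sleep", xor=True), "Sleep"))
```

Once the variant is pinned down with `identify_variant`, the same table, rebuilt over the full export lists of ntdll.dll and kernel32.dll, recovers the import set of the main module, which in turn tells you which syscalls the call stack spoofing and sleep obfuscation code paths reach for.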

Similarities with SmokeLoader

ThreatLabz identified several similarities between CoffeeLoader and SmokeLoader, suggesting a possible connection between the two malware families. Both malware families use a stager to inject a main module into another process, generate a bot ID based on system details, and create a mutex name linked to the bot ID.

They resolve imports using hashing, store internal variables in a global structure, and encrypt network traffic with hardcoded RC4 keys. Both families also rely heavily on low-level Windows APIs and modify file attributes to remain hidden.
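A hardcoded RC4 key is a weakness from the defender's side: once the key is pulled from a sample, captured C2 traffic can be trial-decrypted offline. The script below is an added example, not code from Zscaler or from either malware family; the key and the beacon body are constructed for the demonstration and are not real CoffeeLoader or SmokeLoader values.

```python
"""Trial-decrypt captured traffic using a list of hardcoded RC4 keys recovered from samples."""
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(blob: bytes) -> bool:
    """Cheap plausibility check: more than 90% printable ASCII (tabs/newlines allowed)."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob) > 0.9


def trial_decrypt(payload: bytes, candidate_keys: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Try each known hardcoded key; return (key, plaintext) for the first plausible result."""
    for key in candidate_keys:
        pt = rc4(key, payload)
        if looks_like_plaintext(pt):
            return key, pt
    return None


# Constructed: a fake beacon body encrypted under a made-up key (neither is a real IOC).
FAKE_KEY = b"example-hardcoded-key"
FAKE_BEACON = rc4(FAKE_KEY, b"bot_id=0123456789abcdef&cmd=ping")

if __name__ == "__main__":
    # Keys an analyst has already recovered from samples would go in this list.
    hit = trial_decrypt(FAKE_BEACON, [b"not-the-key", FAKE_KEY])
    print(hit)
```

The plausibility check is deliberately crude; in practice the decrypted beacon is validated against the protocol structure the report describes (bot ID derived from system details, a fixed command format), which gives a far lower false-positive rate than a printable-byte ratio.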

Indicators of Compromise (IOCs)

Zscaler has published Indicators of Compromise (IOCs) for CoffeeLoader; the values reproduced here are:

  • Cryptographic hashes: 0x7f4bf77eef8d, 0x3c9a0af1bba1
  • Domain names: coffee.loader.malware.io, smoke.loader.malware.io
  • IP addresses: 192.168.1.100, 8.8.8.8

Note that, as reproduced here, these values do not have the form of usable indicators: a 12-hex-digit value is not a cryptographic hash, 192.168.1.100 is an RFC 1918 private address, and 8.8.8.8 is Google's public DNS resolver. Before adding anything to a blocklist, take the hashes and infrastructure directly from Zscaler's report.

"CoffeeLoader joins a crowded market of malware loaders. However, many of the features implemented by the author enable CoffeeLoader to contend with the competition. The loader provides advanced features that are beneficial to threat groups that strive to evade detection from AVs, EDRs, and malware sandboxes."