Cybersecurity researchers at Zscaler ThreatLabz have discovered CoffeeLoader, a malware loader that hides from antivirus and endpoint detection software using a set of clever techniques, including executing part of its unpacking routine on the video card (GPU).

Image source: threatlabz.zscaler.com

To remain undetected, CoffeeLoader uses several tricks at once: it spoofs the call stack, uses sleep obfuscation, and runs on Windows fibers (user-mode threads). The call stack can be described as a trail of “breadcrumbs” that records which functions the program has called and from where. Security tools inspect it to reconstruct program behavior and detect malicious activity, but CoffeeLoader replaces these “breadcrumbs” with forged ones, masking its presence.

Typically, the job of a malware loader is to gain a foothold on a system and then download and run further malicious programs, such as ransomware or spyware. Sleep obfuscation keeps the loader's code and data encrypted in memory while it is inactive, i.e. in a sleep state; unencrypted fragments of the malicious code are present in memory only while it is actually executing. To implement this, the program uses Windows fibers (user-mode threads): execution contexts that are switched between manually rather than by the operating system scheduler.
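The mechanism is easier to see in code than in prose. The following is an added example, not code from the Zscaler report or from CoffeeLoader: it uses POSIX `ucontext` (`makecontext`/`swapcontext`) as a portable stand-in for Windows fibers, a constructed string as a stand-in for the loader's unpacked code and state, and a hypothetical fixed XOR key. A worker fiber encrypts its own state, hands control back to a scheduler fiber that does the real waiting, and decrypts only after it is resumed:

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>
#include <unistd.h>

#define WORKER_STACK_SIZE (64 * 1024)

/* Constructed stand-in for the loader's code and state; a real loader would
   protect its unpacked code, configuration and heap objects the same way. */
static const char PLAINTEXT[] = "loader state: C2 config + unpacked code";
static unsigned char payload[sizeof PLAINTEXT];

/* Hypothetical fixed key for the demo; a real implementation would derive a
   fresh random key for every sleep interval. */
static const unsigned char KEY[16] = {
    0x5a, 0xc3, 0x17, 0x88, 0x2e, 0x91, 0x4d, 0xf0,
    0x63, 0xb7, 0x09, 0xd4, 0x3c, 0xe5, 0x7a, 0x1f
};

static ucontext_t scheduler_ctx, worker_ctx;
static unsigned char worker_stack[WORKER_STACK_SIZE];
static int worker_done, rounds_target, rounds_done_count;

/* Symmetric in-place XOR: the same call encrypts and decrypts the payload. */
static void xor_in_place(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= KEY[i % sizeof KEY];
}

/* 1 while the payload is readable as plaintext in memory, 0 while encrypted. */
int plaintext_visible(void) {
    return memcmp(payload, PLAINTEXT, sizeof PLAINTEXT) == 0;
}

int rounds_done(void) { return rounds_done_count; }

/* Worker fiber: do one unit of work, encrypt everything, hand control back
   to the scheduler fiber (the "sleep"), decrypt again once resumed. */
static void worker_entry(void) {
    for (int i = 0; i < rounds_target; i++) {
        rounds_done_count++;                         /* work on the plaintext */
        xor_in_place(payload, sizeof payload);       /* encrypt before idling */
        swapcontext(&worker_ctx, &scheduler_ctx);    /* manual context switch */
        xor_in_place(payload, sizeof payload);       /* decrypt on wake-up */
    }
    worker_done = 1;            /* returning jumps to uc_link (the scheduler) */
}

/* Scheduler fiber: resumes the worker and, while the worker is parked, does
   the actual waiting and checks what an in-memory scan would see at that moment.
   Returns the number of sleep intervals in which plaintext was visible. */
int run_worker(int rounds) {
    int exposures = 0;

    memcpy(payload, PLAINTEXT, sizeof PLAINTEXT);
    rounds_target = rounds;
    rounds_done_count = 0;
    worker_done = 0;

    getcontext(&worker_ctx);
    worker_ctx.uc_stack.ss_sp = worker_stack;
    worker_ctx.uc_stack.ss_size = sizeof worker_stack;
    worker_ctx.uc_link = &scheduler_ctx;
    makecontext(&worker_ctx, worker_entry, 0);

    while (!worker_done) {
        swapcontext(&scheduler_ctx, &worker_ctx);    /* run the worker */
        if (worker_done) break;
        /* The worker yielded: its state must already be encrypted here. */
        if (plaintext_visible()) exposures++;
        usleep(1000);                                /* the real sleep */
    }
    return exposures;
}

int main(void) {
    int exposed = run_worker(3);
    printf("rounds=%d exposed_intervals=%d plaintext_after=%d\n",
           rounds_done(), exposed, plaintext_visible());
    return exposed != 0;
}
```

The design point is that the sleep itself happens on the scheduler side, so no thread is ever parked inside a sleep call with a return address into decrypted malicious code; a memory scan taken during the wait finds only ciphertext, and the stack of the waiting context shows only the scheduler.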

However, the most worrisome aspect of CoffeeLoader is its Armoury packer, which executes part of its decoding routine on the GPU, making it difficult to analyze in virtual environments, which typically do not expose a GPU to the guest. “After the GPU executes the function, the decoded output buffer contains self-modifying shellcode, which is then passed to the CPU for decryption and execution of the main malware,” Zscaler ThreatLabz reported. This packer is used to protect the payloads of both SmokeLoader and CoffeeLoader. In practice, CoffeeLoader has been used to deploy Rhadamanthys shellcode in information-stealing campaigns.
