- Security researchers at Zscaler found a new loader used in various infostealing campaigns
- CoffeeLoader uses multiple tricks to bypass security tools and deliver further payloads
- Interestingly, it executes code on the system's GPU
Security researchers have discovered a dangerous new malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and concerning manner.
Researchers from Zscaler ThreatLabz said they recently observed CoffeeLoader in the wild and described it as a "sophisticated" malware loader.
For detection evasion, CoffeeLoader uses a number of features including call stack spoofing, sleep obfuscation and the use of Windows fibers, the researchers said. A call stack can be described as a digital breadcrumb trail that records which functions a program has called. Security tools can use call stacks to track program behavior and detect suspicious activity. However, CoffeeLoader hides its traces by forging fake breadcrumbs.
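One way a defender can act on the call stack idea above, as an added example that is not part of this article or of Zscaler's research: a small Python checker that takes the return addresses captured from a thread's stack plus a map of loaded images, and flags frames that point into memory no image backs, the classic sign of shellcode on the stack or forged frames. The module names, addresses, sample stacks and the simplified "outermost frame must be a thread start stub" rule are all constructed for illustration.

```python
"""Heuristic call stack validation (constructed example, not Zscaler's tooling).

A defender reconstructing a thread's call stack, for example when it calls a
sensitive API, can check that every return address lies inside a loaded image.
A frame in unbacked private memory suggests shellcode or forged frames.
All addresses and module names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ModuleRange:
    """Address range occupied by a loaded image (hypothetical values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map for an imaginary 64-bit process.
MODULES = [
    ModuleRange("app.exe", 0x0000_0001_4000_0000, 0x0010_0000),
    ModuleRange("kernel32.dll", 0x0000_7FFC_0000_0000, 0x000C_0000),
    ModuleRange("ntdll.dll", 0x0000_7FFC_0100_0000, 0x0020_0000),
]

# Modules whose thread start stubs legitimately sit at the bottom of a
# user-mode stack (simplified rule for this example; real tools use more context).
THREAD_START_MODULES = ("ntdll.dll", "kernel32.dll")


def backing_module(addr: int, modules: List[ModuleRange]) -> Optional[str]:
    """Return the name of the image containing addr, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def analyze_stack(return_addresses: List[int], modules: List[ModuleRange]) -> List[str]:
    """Walk captured return addresses (innermost first) and report anomalies.

    Heuristic 1: any return address outside every loaded image is flagged.
    Heuristic 2: the outermost frame should be a thread start stub.
    """
    findings = []
    for depth, ret in enumerate(return_addresses):
        if backing_module(ret, modules) is None:
            findings.append(f"frame {depth}: return address {ret:#x} is not backed by any loaded image")
    if return_addresses:
        outermost = backing_module(return_addresses[-1], modules)
        if outermost not in THREAD_START_MODULES:
            findings.append(f"outermost frame is in {outermost!r}, not a thread start stub")
    return findings


# Constructed benign stack, innermost frame first.
BENIGN_STACK = [
    0x0000_7FFC_0101_2345,  # ntdll.dll
    0x0000_7FFC_0003_4567,  # kernel32.dll
    0x0000_0001_4000_1234,  # app.exe
    0x0000_7FFC_0001_7000,  # kernel32.dll (BaseThreadInitThunk-like stub)
    0x0000_7FFC_0102_6000,  # ntdll.dll (RtlUserThreadStart-like stub)
]

# Constructed stack with one frame in private memory that no image backs.
SUSPICIOUS_STACK = [
    0x0000_7FFC_0101_2345,  # ntdll.dll
    0x0000_0212_3456_0000,  # unbacked private memory
    0x0000_7FFC_0001_7000,  # kernel32.dll
    0x0000_7FFC_0102_6000,  # ntdll.dll
]

if __name__ == "__main__":
    for label, stack in (("benign", BENIGN_STACK), ("suspicious", SUSPICIOUS_STACK)):
        print(label, analyze_stack(stack, MODULES) or "no findings")
```

The unbacked-frame rule is only a first filter: a spoofing technique that chains through addresses inside legitimate images will pass it, which is why real products also verify that each return address follows a call instruction and that frame sizes are consistent with the unwind information of the module.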
Armoury
A malware loader's task is usually to infiltrate a system and execute or download additional malware, such as ransomware or spyware. It acts as the initial infection stage, often evading detection by security tools before deploying the main payload.
Sleep obfuscation keeps the malware's code and data encrypted while the tool is in a sleep state, so the malware's unencrypted artifacts are only present in memory while the code is actually executing.
Zscaler describes Windows fibers as an "obscure and lightweight mechanism for implementing user-mode multitasking."
Fibers allow a single thread to have multiple execution contexts (fibers) that the application switches between manually. CoffeeLoader uses Windows fibers to implement sleep obfuscation.
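The flip side of sleep obfuscation, as an added example that is not part of this article or of Zscaler's research: while the loader sleeps, its code is ciphertext, so a memory scanner can hunt for private (non-image) regions whose contents have the high byte entropy of encrypted data. The Python below computes Shannon entropy over snapshots of a few constructed regions and rates private high-entropy regions as "high" when they are executable and "medium" otherwise. The region layout, protection names and sample bytes are constructed for illustration.

```python
"""Sleep-obfuscation hunting heuristic (constructed example, not Zscaler's tooling).

Legitimate code has low byte entropy; encrypted code sitting in a private
region while a loader sleeps does not. Regions and contents are constructed.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Region:
    base: int
    protect: str   # simplified Windows protection name, e.g. "PAGE_EXECUTE_READWRITE"
    kind: str      # "image", "mapped" or "private"
    data: bytes    # snapshot of the region's contents


EXECUTABLE = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_regions(regions: List[Region], threshold: float = 7.0) -> List[Tuple[int, float, str]]:
    """Return (base, entropy, severity) for private regions that look encrypted.

    Executable regions are rated "high". Non-executable ones are still reported
    as "medium" because some sleep-obfuscation implementations drop the execute
    permission for the duration of the sleep and restore it afterwards.
    """
    hits = []
    for r in regions:
        if r.kind != "private":
            continue
        e = shannon_entropy(r.data)
        if e < threshold:
            continue
        severity = "high" if r.protect in EXECUTABLE else "medium"
        hits.append((r.base, round(e, 2), severity))
    return hits


# Constructed contents: seeded pseudo-random bytes stand in for ciphertext,
# a repeated x86-64 prologue with int3 padding stands in for plain code.
_rng = random.Random(2025)
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = (b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10" + b"\xcc" * 20) * 100

REGIONS = [
    Region(0x0000_0001_4000_1000, "PAGE_EXECUTE_READ", "image", PLAIN_CODE),        # normal module code
    Region(0x0000_0212_3456_0000, "PAGE_EXECUTE_READWRITE", "private", ENCRYPTED),  # encrypted, executable
    Region(0x0000_0212_3458_0000, "PAGE_READWRITE", "private", ENCRYPTED),          # encrypted, no execute
    Region(0x0000_0212_345A_0000, "PAGE_EXECUTE_READ", "private", PLAIN_CODE),      # e.g. JIT output
]

if __name__ == "__main__":
    for base, entropy, severity in flag_regions(REGIONS):
        print(f"{base:#018x} entropy={entropy} severity={severity}")
```

Entropy alone produces noise (compressed data, TLS buffers and packed resources are also high-entropy), so in practice this signal is combined with protection-change events on the same region and with the call stack checks above: a region that alternates between readable and executable on a timer, in a thread whose stack bottoms out in unbacked memory, is far more suspicious than either observation alone.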
But perhaps the most worrying aspect of the loader is Armoury, a packer that executes code on the system's GPU, which hinders analysis in virtual environments.
"After the GPU has executed the function, the decoded output buffer contains self-modifying shellcode, which is then transferred to the CPU to decrypt and execute the underlying malware," the researchers explained.
"ThreatLabz has observed these packers being used to protect both SmokeLoader and CoffeeLoader payloads."
The researchers said they saw CoffeeLoader being used to deploy Rhadamanthys shellcode, which means it is being used in infostealing campaigns.