Related Families: SmokeLoader, Rhadamanthys
Executive Summary
CoffeeLoader is a relatively new malware loader that surfaced around September 2024, designed to deploy second-stage payloads while evading endpoint security through advanced techniques like GPU-based packing, call stack spoofing, and sleep obfuscation. Distributed via SmokeLoader, this malware showcases a blend of stealth and technical prowess that challenges traditional detection methods.
Key Takeaways
- CoffeeLoader leverages a GPU-based packer named Armoury to execute code, complicating analysis in virtualized environments.
- The malware employs call stack spoofing and sleep obfuscation to hide its activities from security tools.
- It utilizes Windows fibers to enhance its evasion capabilities, particularly during idle states.
- Observed in conjunction with SmokeLoader, CoffeeLoader may represent an evolution of existing loader families.
What is CoffeeLoader?
CoffeeLoader is a relatively new malware loader that surfaced around September 2024, engineered to deliver second-stage payloads while slipping past endpoint-based security solutions. Its arsenal of evasion techniques, including a GPU-executing packer, call stack spoofing, sleep obfuscation, and Windows fibers, makes it a significant concern for malware analysts and organizational leaders alike. Zscaler ThreatLabz published the original analysis of CoffeeLoader.
At the heart of CoffeeLoader’s stealth is its packer, dubbed Armoury, which offloads part of its decoding routine to the system’s GPU. Virtual machines and sandboxes often lack GPU passthrough or only emulate the device, so the GPU stage either fails to run or runs outside the instrumentation that analysts and security tools apply to CPU execution. The decoded output buffer contains self-modifying shellcode, which is passed back to the CPU for a further round of decryption and execution. By leveraging the GPU, CoffeeLoader exploits a less-monitored execution path, challenging security tools that focus on traditional CPU-based activity.
Call stack spoofing further bolsters its defenses. CoffeeLoader constructs synthetic stack frames from a jump gadget (the two-byte pattern 0xFF 0x23, which stored little-endian reads as the word 0x23FF and decodes to “jmp qword ptr [rbx]”; a register-direct “jmp rbx” is 0xFF 0xE3) and origin frames such as ntdll.RtlUserThreadStart+0x21 and kernel32.BaseThreadInitThunk+0x28, so that an unwound stack ends in the frames a normally created thread would have. This masks the malware’s presence in call stack traces, a common detection method for endpoint security software: when a function like RtlRandomEx is invoked, the resulting stack omits any reference to CoffeeLoader, leaving analysts with a trail that leads nowhere. The residue such spoofing leaves is that a return address reached through a jump gadget is not preceded by a CALL instruction, which is the check stack-walking detections typically apply.
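The check that last sentence describes, as an added example that is not code from the page, from Zscaler or from PolySwarm: given a captured stack where, for each frame, the few bytes of code immediately before the return address are available (an EDR or debugger would read them from the target process; here they are constructed inline), flag every frame whose return address is not preceded by an x86-64 CALL. The frame symbols and the gadget address in SAMPLE_STACK are made up for the demonstration.

```python
"""Return-address sanity check for call stack spoofing (added example).

Assumes that for each stack frame the bytes of code ending at the return
address have already been captured from the target process. Frames reached
through a jump gadget such as `jmp qword ptr [rbx]` (FF 23) or `jmp rbx`
(FF E3) are not preceded by a CALL and are reported as suspicious.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Frame:
    symbol: str       # e.g. "ntdll!RtlUserThreadStart+0x21"
    preceding: bytes  # up to 8 bytes of code ending at the return address


def _call_insn_length(b: bytes) -> int:
    """Length of the x86-64 CALL instruction starting at b[0], or 0 if b does
    not start with one. Handles E8 rel32 and FF /2 (call r/m64) with an
    optional REX prefix, ModRM, SIB and displacement. Other prefixes are not
    handled, so an unusual encoding is reported as 'no call' (a false alarm)."""
    i = 0
    if b and 0x40 <= b[0] <= 0x4F:      # REX prefix
        i = 1
    if i >= len(b):
        return 0
    op = b[i]
    if op == 0xE8:                       # call rel32
        return i + 5 if len(b) >= i + 5 else 0
    if op != 0xFF or i + 1 >= len(b):
        return 0
    modrm = b[i + 1]
    if (modrm >> 3) & 7 != 2:            # reg field /2 selects CALL in the FF group
        return 0
    mod, rm = modrm >> 6, modrm & 7
    length = i + 2
    if mod == 3:                         # call reg, e.g. FF D0 = call rax
        return length
    if rm == 4:                          # SIB byte follows
        if length >= len(b):
            return 0
        sib = b[length]
        length += 1
        if mod == 0 and (sib & 7) == 5:  # no base register: disp32
            length += 4
    elif mod == 0 and rm == 5:           # RIP-relative, e.g. FF 15 = call [rip+disp32]
        length += 4
    if mod == 1:
        length += 1                      # disp8
    elif mod == 2:
        length += 4                      # disp32
    return length if length <= len(b) else 0


def preceded_by_call(code: bytes) -> bool:
    """True if some suffix of `code` decodes to exactly one CALL instruction,
    i.e. the return address that follows `code` was produced by a real call."""
    for length in range(2, min(len(code), 8) + 1):
        if _call_insn_length(code[len(code) - length:]) == length:
            return True
    return False


def suspicious_frames(stack: list[Frame]) -> list[str]:
    """Symbols of frames whose return address is not preceded by a CALL.
    Frame 0 holds the current instruction pointer, not a return address,
    so it is skipped."""
    return [f.symbol for f in stack[1:] if not preceded_by_call(f.preceding)]


# Constructed sample stack (addresses and symbols are illustrative only):
# one frame whose return address follows a `mov rbx, rax; jmp [rbx]` gadget,
# plus genuine frames whose return addresses follow real CALL instructions.
SAMPLE_STACK = [
    Frame("ntdll!RtlRandomEx", b""),                                   # top of stack
    Frame("unbacked!0x7ff7a0001234", b"\x48\x89\xc3\xff\x23"),         # after jmp [rbx] gadget
    Frame("kernel32!BaseThreadInitThunk+0x14", b"\x8b\xc8\xff\xd0"),   # after call rax
    Frame("ntdll!RtlUserThreadStart+0x21", b"\xe8\x11\x22\x33\x44"),   # after call rel32
]

if __name__ == "__main__":
    print(suspicious_frames(SAMPLE_STACK))
```

The decoder deliberately covers only the common CALL encodings; anything it cannot decode is reported as suspicious rather than silently accepted, which is the right failure mode for a hunting check but means results should be triaged, not acted on blindly.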
Sleep obfuscation adds another layer of complexity. During idle periods, CoffeeLoader encrypts its code and data in memory, so unencrypted artifacts exist only while it is actively executing; a memory scanner that relies on static signatures finds nothing if it runs during a sleep. This routine has to coexist with Control Flow Guard (CFG), which terminates a process that makes an indirect call to an address not registered as a valid target and would otherwise break callbacks into the loader’s own memory. CoffeeLoader therefore checks whether CFG is enabled using NtQueryInformationProcess with the ProcessControlFlowGuardPolicy parameter (the same query exposed to user mode as GetProcessMitigationPolicy). If CFG is active, it does not disable it; instead it registers the specific functions it needs as valid call targets via NtSetInformationVirtualMemory, the mechanism behind the documented SetProcessValidCallTargets API that JIT engines use legitimately, and so keeps its operational freedom without tripping the guard.
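An added example, not code from the page or from Zscaler or PolySwarm, of the same CFG query from the defender’s side: it asks Windows whether CFG is enabled for a given process through the documented GetProcessMitigationPolicy API (the user-mode front end of the NtQueryInformationProcess path described above) and decodes the policy flags. The flag decoder is pure Python; the query itself only works on Windows and returns None elsewhere. The process-access right and enum value are the documented Win32 constants.

```python
"""Query the Control Flow Guard policy of a process (added example).

Uses the documented Win32 API GetProcessMitigationPolicy with the
ProcessControlFlowGuardPolicy class. Only the flag decoder runs on
non-Windows hosts; query_cfg_policy() returns None there.
"""
from __future__ import annotations
import ctypes
import sys

# PROCESS_MITIGATION_POLICY enum value for ProcessControlFlowGuardPolicy.
PROCESS_CONTROL_FLOW_GUARD_POLICY = 7
# Minimal access right needed to read mitigation policy of another process.
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


def decode_cfg_flags(flags: int) -> dict[str, bool]:
    """Decode the Flags bitfield of PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY."""
    return {
        "EnableControlFlowGuard": bool(flags & 0x1),
        "EnableExportSuppression": bool(flags & 0x2),
        "StrictMode": bool(flags & 0x4),
    }


def query_cfg_policy(pid: int) -> dict[str, bool] | None:
    """Return the decoded CFG policy of `pid`, or None when not on Windows."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Declare prototypes so handles and sizes are passed correctly on 64-bit.
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetProcessMitigationPolicy.restype = ctypes.c_int
    k32.GetProcessMitigationPolicy.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flags = ctypes.c_uint32(0)  # the policy struct is a single DWORD bitfield
        ok = k32.GetProcessMitigationPolicy(
            handle, PROCESS_CONTROL_FLOW_GUARD_POLICY,
            ctypes.byref(flags), ctypes.sizeof(flags))
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())
        return decode_cfg_flags(flags.value)
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    import os
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(target, query_cfg_policy(target))
```

Run it as `python cfgcheck.py <pid>` from an elevated prompt when the target belongs to another user. A process that reports EnableControlFlowGuard and is not a known JIT host, yet is seen calling SetProcessValidCallTargets or NtSetInformationVirtualMemory to add call targets, is worth a closer look.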
The use of Windows fibers, a lightweight cooperative multitasking mechanism in which several execution contexts share a single thread, enhances its sleep obfuscation strategy. By switching fibers inside one thread rather than creating a new thread, CoffeeLoader leaves fewer of the artifacts security solutions key on to pinpoint malicious behavior. Fibers are rarely used in legitimate software and seldom instrumented by security tools, which underscores the malware’s deliberate design.
CoffeeLoader’s distribution via SmokeLoader hints at a deeper connection between the two families. Both share behavioral traits, such as self-modifying shellcode, as well as source-code-level similarities. While the exact relationship remains unclear, CoffeeLoader’s capabilities suggest it’s a real threat tailored for persistence and evasion. PolySwarm analysts consider CoffeeLoader to be an emerging threat.
IOCs
PolySwarm has multiple samples of CoffeeLoader.
8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552
5538b88eb2effa211a9c324b001e02802b7ccd0008b3af9284e32ab105dc9e6f
You can use the following CLI command to search for all CoffeeLoader samples in our portal:
$ polyswarm link list -f CoffeeLoader
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.