Zscaler ThreatLabz has uncovered CoffeeLoader, a sophisticated malware family capable of bypassing detection mechanisms and deploying second-stage payloads. Originating in September 2024, CoffeeLoader employs advanced evasion techniques like GPU execution, call stack spoofing, and sleep obfuscation. It is primarily distributed through SmokeLoader and can utilize DGA for command-and-control communication. Affected: malware, cybersecurity sector
Keypoints :
- CoffeeLoader is a sophisticated malware loader that downloads and executes second-stage payloads.
- It employs advanced evasion techniques such as call stack spoofing and sleep obfuscation.
- The malware includes a packer called Armoury, which executes code using a system’s GPU.
- CoffeeLoader uses a domain generation algorithm (DGA) as a fallback for C2 communications.
- It has been observed deploying Rhadamanthys shellcode.
- The malware leverages both UUID and task scheduling for persistence.
- Many features of CoffeeLoader overlap with those of its predecessor, SmokeLoader.
MITRE Techniques :
- T1203: Exploit Public-Facing Application – CoffeeLoader exploits security weaknesses to gain access.
- T1547.002: Windows Service – Establishes persistence using Windows Task Scheduler.
- T1055: Process Injection – Injects into a suspended process using the DLL method.
- T1066: Process API Abuse – Uses API functions for various malicious activities.
- T1070.001: File Deletion – Attempts to hide itself by altering file attributes.
- T1045: Software Packing – Utilizes the Armoury packer to obfuscate payloads.
Indicator of Compromise :
- [URL] https://freeimagecdn[.]com/CoffeeLoader C2
- [URL] https://mvnrepo[.]net/CoffeeLoader C2
- [SHA256] c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9
- [SHA256] 8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552
- [SHA256] 5538b88eb2effa211a9c324b001e02802b7ccd0008b3af9284e32ab105dc9e6f
Full Story: https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-techniques