do son 
Zscaler ThreatLabz has recently uncovered a new and sophisticated malware family named CoffeeLoader, which emerged around September 2024. This malware is designed to download and execute second-stage payloads while employing various techniques to evade detection by endpoint-based security products.
CoffeeLoader is a sophisticated malware loader with the primary purpose of deploying second-stage payloads and evading host-based detection. To achieve this, CoffeeLoader implements a range of features aimed at defeating endpoint security software, including call stack spoofing, sleep obfuscation, and the use of Windows fibers.
One of the standout features of CoffeeLoader is its use of a specialized packer, dubbed Armoury, which executes code on the system’s GPU to hinder analysis in virtual environments. According to the analysis, “The loader leverages a packer, which we named Armoury, that executes code on a system’s GPU to hinder analysis in virtual environments”. This packer often disguises itself with filenames like “ArmouryAIOSDK.dll” and “ArmouryA.dll”.
CoffeeLoader is equipped with a number of anti-detection techniques to outsmart security solutions:
- Call stack spoofing: This technique is used to forge a call stack and mask the origin of a function call, thereby evading security software that relies on call stack traces to identify suspicious behavior.
- Sleep obfuscation: CoffeeLoader employs sleep obfuscation to hide from security tools that scan memory. The malware’s code and data are encrypted while in a sleep state, ensuring that unencrypted artifacts are present in memory only during execution.
- Windows fibers: The malware leverages Windows fibers, an obscure mechanism for implementing user-mode multitasking, to evade detection, as some EDRs may not monitor or track them.
For command-and-control (C2) communications, CoffeeLoader uses the HTTPS protocol. To prevent TLS man-in-the-middle attacks, it implements certificate pinning, ensuring the authenticity of communications with the C2 server. In addition, “CoffeeLoader uses a domain generation algorithm (DGA) if the primary command and control channels are unreachable, and uses certificate pinning to prevent TLS man-in-the-middle attacks”.
Zscaler ThreatLabz has also noted several similarities between CoffeeLoader and SmokeLoader, including the use of a stager to inject a main module into another process, similar methods for generating a bot ID, and the encryption of network traffic using hardcoded RC4 keys. While CoffeeLoader shares traits with SmokeLoader, the exact relationship between the two malware families remains unclear.
CoffeeLoader represents a significant addition to the malware landscape, showcasing advanced features designed to evade detection. Its use of innovative techniques, such as GPU-powered evasion and call stack spoofing, poses a substantial challenge to existing security measures. As the report concludes, “CoffeeLoader joins a crowded market of malware loaders.”
