TechRadar
Sead Fadilpašić

Dangerous new CoffeeLoader malware executes on your GPU to get past security tools

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

  • Security researchers at Zscaler found a new loader used in different infostealing campaigns
  • CoffeeLoader uses multiple tricks to bypass security and drop additional payloads
  • Interestingly enough, it executes the code on the system’s GPU

Security researchers have found a dangerous new malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and concerning way.

Researchers from Zscaler ThreatLabz said they recently observed CoffeeLoader in the wild, describing it as a “sophisticated” malware loader.

For detection evasion, CoffeeLoader uses a number of features, including call stack spoofing, sleep obfuscation, and the use of Windows fibers, the researchers said. Call stacks can be described as a digital breadcrumb trail that records which functions a program has called. Security tools can use call stacks to track program behavior, and detect suspicious activity. CoffeeLoader, however, hides its tracks by forging a fake breadcrumb trail.
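As an added illustration (not code from Zscaler's report or this article) of how a defender can sanity-check the "breadcrumb trail" described above, the following Python applies two common call-stack heuristics to an unwound stack: every return address should be backed by a loaded module, and the outermost frame should sit in an OS thread-start routine. The module map, addresses and sample stacks are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """A loaded image and its address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def resolve(addr: int, modules: list[Module]) -> Module | None:
    """Return the module whose image backs `addr`, or None if the address is unbacked."""
    return next((m for m in modules if m.contains(addr)), None)

def audit_call_stack(return_addresses: list[int], modules: list[Module],
                     expected_roots=("kernel32.dll", "ntdll.dll")) -> list[str]:
    """Check an unwound stack (innermost frame first) with two heuristics:
    1. every return address should land inside a loaded module; a frame in
       unbacked memory is a classic sign of injected code or a forged stack;
    2. a real thread bottoms out in an OS thread-start routine, so a stack
       that ends anywhere else has been truncated or faked.
    Returns human-readable findings; an empty list means the stack looks consistent."""
    findings = []
    for depth, addr in enumerate(return_addresses):
        if resolve(addr, modules) is None:
            findings.append(f"frame {depth}: 0x{addr:x} is not backed by any module")
    root = resolve(return_addresses[-1], modules) if return_addresses else None
    if root is None or root.name.lower() not in expected_roots:
        findings.append("outermost frame is not in an OS thread-start module")
    return findings

# Constructed module map and sample stacks; all addresses are made up for the demo.
MODULES = [
    Module("ntdll.dll", 0x7FFD_0000_0000, 0x1F0000),
    Module("kernel32.dll", 0x7FFC_0000_0000, 0xC0000),
    Module("app.exe", 0x0040_0000, 0x100000),
]
# Benign sleeping thread: sleep API -> kernel32 -> app code, rooted in thread start.
BENIGN_STACK = [0x7FFD_0000_1234, 0x7FFC_0000_5678, 0x0040_1000,
                0x7FFC_0000_2000, 0x7FFD_0000_3000]
# One frame lives in a private allocation that no image backs.
SUSPICIOUS_STACK = [0x7FFD_0000_1234, 0x7FFC_0000_5678, 0x01A2_B3C4_D000,
                    0x7FFC_0000_2000, 0x7FFD_0000_3000]
# The unwind stops in app code instead of reaching a thread-start routine.
TRUNCATED_STACK = [0x7FFD_0000_1234, 0x7FFC_0000_5678, 0x0040_1000]
```

A forged stack assembled only from module-backed addresses passes both checks, which is exactly why the article calls the technique concerning; production tooling adds stronger validation, such as confirming each return address directly follows a call instruction.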

Armoury

A malware loader’s task usually is to infiltrate a system and execute or download additional malware, such as ransomware or spyware. It acts as the initial infection stage, often evading detection by security tools before deploying the main payload.

Sleep obfuscation encrypts the malware’s code and data while the loader is in a sleep state, so its unencrypted artifacts are present in memory only while the code is actually executing.

Zscaler describes Windows fibers as an “obscure and lightweight mechanism for implementing user-mode multitasking.”

Fibers allow a single thread to have multiple execution contexts (fibers) that the application switches between manually. CoffeeLoader uses Windows fibers to implement sleep obfuscation.

But perhaps the most concerning aspect of the loader is Armoury, a packer that executes the code on the system’s GPU, hindering analysis in virtual environments.

“After the GPU executes the function, the decoded output buffer contains self-modifying shellcode, which is then passed back to the CPU to decrypt and execute the underlying malware,” the researchers explained.

“ThreatLabz has observed this packer used to protect both SmokeLoader and CoffeeLoader payloads.”

The researchers said they saw CoffeeLoader being used to deploy Rhadamanthys shellcode, meaning it is deployed in infostealing campaigns.
