- Zscaler security researchers have found a new loader used in several infostealer campaigns
- CoffeeLoader uses a number of tricks to evade security software and drop additional payloads
- Interestingly, it executes code on the system's GPU
Security researchers have found a new and dangerous malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and worrying way.
Researchers from Zscaler ThreatLabz said they had recently observed CoffeeLoader in the wild, describing it as "sophisticated" malware.
To evade detection, CoffeeLoader uses a number of features, in particular call stack spoofing, sleep obfuscation and the use of Windows fibers, the researchers said. A call stack can be described as a digital breadcrumb trail of the functions a program has called. Security tools can use call stacks to monitor program behaviour and detect suspicious activity. CoffeeLoader, however, hides its tracks by forging a false trail of breadcrumbs.
Arsenal
The job of a malicious loader is generally to infiltrate a system and execute or download additional malware, such as ransomware or spyware. It acts as the initial stage of the infection, often evading detection by security tools before the main payload is deployed.
Sleep obfuscation keeps the malware's code and data encrypted while the tool is in a sleep state, so the malware's unencrypted artifacts are present only while its code is actually executing.
Zscaler describes Windows fibers as an "obscure and lightweight mechanism for implementing user-mode multitasking".
Fibers allow a single thread to have multiple execution contexts (fibers) between which the application can switch manually. CoffeeLoader uses Windows fibers to implement sleep obfuscation.
But perhaps the most worrying aspect of the loader is Armoury, a packer that executes code on the system's GPU, hampering analysis in virtual environments.
"Once the GPU has executed the function, the decrypted output buffer contains self-modifying shellcode, which is then transferred to the CPU to decrypt and execute the underlying malware," the researchers explained.
"ThreatLabz observed this packer being used to protect SmokeLoader and CoffeeLoader payloads."
The researchers said they had seen CoffeeLoader used to deploy Rhadamanthys shellcode, which means it is being deployed in infostealer campaigns.