- Zscaler security researchers have found a new loader used in multiple infostealer campaigns
- CoffeeLoader uses several tricks to evade security tools and drop additional payloads
- Notably, it executes code on the system's GPU
Security researchers have discovered a dangerous new malware loader that can evade traditional endpoint detection and response (EDR) solutions in a clever and worrying way.
Zscaler ThreatLabz researchers said they recently observed CoffeeLoader in the wild, describing it as a "sophisticated" malware loader.
For detection evasion, CoffeeLoader uses a number of techniques, including call stack spoofing, sleep obfuscation and the use of Windows fibers, the researchers said. A call stack can be thought of as a digital breadcrumb trail that records which functions a program has called, and from where. Security tools use call stacks to trace program behaviour and flag suspicious activity, for example an API call whose return addresses lead back into unbacked memory. CoffeeLoader hides its tracks by forging a fake trail that appears to originate from legitimate code.
Arsenal
The job of a malware loader is generally to infiltrate a system and then run or download additional malware, such as ransomware or spyware. It acts as the initial stage of infection, often evading security tools before deploying the main payload.
Sleep obfuscation keeps the malware's code and data encrypted while the tool is in a sleep state, so unencrypted malware artifacts are present in memory only while the code is actually executing. A memory scan that happens to run during one of those sleeps sees nothing recognisable.
Zscaler describes Windows fibers as an "obscure and lightweight mechanism for implementing user-mode multitasking."
Fibers allow a single thread to have multiple execution contexts (fibers), which the application switches between manually. CoffeeLoader uses Windows fibers to implement its sleep obfuscation.
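To make the two ideas above concrete, here is an added example (not Zscaler's analysis code and not anything from CoffeeLoader itself) of sleep obfuscation driven by a manually switched execution context. Because Windows fibers are not available on other platforms, POSIX `ucontext` (`makecontext`/`swapcontext`) stands in for `CreateFiber`/`SwitchToFiber`; a harmless text buffer stands in for the loader's code and data, and a repeating-key XOR stands in for whatever cipher the real loader uses, which the article does not specify. The `marker_visible()` function plays the role of a signature-based memory scanner so you can see when the artifact is and is not exposed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <ucontext.h>

/* Constructed stand-in for the loader's in-memory code and data (harmless text). */
static unsigned char payload[] =
    "SECRET_PAYLOAD_MARKER: decrypt stage two and jump to it";
static const unsigned char key[] = {0x4a, 0x13, 0xc7, 0x9e, 0x21, 0x77, 0x05, 0xe8};
static const char marker[] = "SECRET_PAYLOAD_MARKER";

static ucontext_t main_ctx, sleeper_ctx;          /* two contexts, one thread */
static unsigned char sleeper_stack[64 * 1024];    /* private stack for the "fiber" */
static int visible_during_sleep = -1;             /* what a mid-sleep scan saw */

/* In-place XOR with a repeating key; applying it twice restores the original. */
static void xor_region(unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        p[i] ^= key[i % sizeof key];
}

/* Byte-wise search that does not stop at NUL bytes: the encrypted buffer holds
   arbitrary bytes, so strstr() would be unsafe here. */
static int contains(const unsigned char *hay, size_t n,
                    const char *needle, size_t m) {
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* The check a signature-based memory scanner would run against the region. */
int marker_visible(void) {
    return contains(payload, sizeof payload, marker, sizeof marker - 1);
}

/* Body of the second execution context (the "fiber"): encrypt, sleep, record
   what a scan would see, decrypt. Returning resumes uc_link, i.e. main_ctx. */
static void sleeper(void) {
    xor_region(payload, sizeof payload);
    struct timespec ts = { 0, 20 * 1000 * 1000 };   /* 20 ms nap */
    nanosleep(&ts, NULL);
    visible_during_sleep = marker_visible();
    xor_region(payload, sizeof payload);
}

/* One obfuscated sleep cycle driven by a manual context switch. Returns 1 if
   the marker was visible before, hidden while sleeping, and restored after. */
int obfuscated_sleep_cycle(void) {
    int before = marker_visible();

    getcontext(&sleeper_ctx);
    sleeper_ctx.uc_stack.ss_sp   = sleeper_stack;
    sleeper_ctx.uc_stack.ss_size = sizeof sleeper_stack;
    sleeper_ctx.uc_link          = &main_ctx;   /* resume here when sleeper() returns */
    makecontext(&sleeper_ctx, sleeper, 0);

    swapcontext(&main_ctx, &sleeper_ctx);       /* hand off, like SwitchToFiber */

    int after = marker_visible();
    return before && !visible_during_sleep && after;
}

int main(void) {
    printf("marker visible before sleep: %d\n", marker_visible());
    int ok = obfuscated_sleep_cycle();
    printf("hidden during sleep and restored after: %d\n", ok);
    printf("marker visible now: %d\n", marker_visible());
    return ok ? 0 : 1;
}
```

The detection lesson is in `visible_during_sleep`: a scanner that samples memory at an arbitrary moment will usually land inside the sleep and find only ciphertext. Defenders therefore correlate other signals, such as private executable memory whose content changes between scans, timer or fiber activity with no corresponding legitimate code, or the call-stack anomalies mentioned above, rather than relying on a single point-in-time signature match.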
But perhaps the most worrying aspect of the loader is Armoury, a packer that executes code on the system's GPU, hindering analysis in virtual environments, where a usable GPU is often not exposed to the guest.
"After the GPU executes the function, the decoded output buffer contains self-modifying shellcode, which is then transferred to the CPU to decrypt and execute the underlying malware," the researchers explained.
"ThreatLabz has observed this packer being used to protect SmokeLoader and CoffeeLoader payloads."
The researchers said they saw CoffeeLoader being used to deploy Rhadamanthys shellcode, which means it is turning up in infostealer campaigns.