CoffeeLoader is a sophisticated malware identified by cybersecurity researchers that downloads and executes secondary payloads while stealthily bypassing security measures. Similar in its behavior to SmokeLoader, it utilizes a packer named Armoury, which runs code on the GPU, complicating analysis. Aimed at evading endpoint protection, CoffeeLoader incorporates techniques like domain generation algorithms for resilience against command-and-control channel disruptions. Its infection sequence involves a dropper that establishes persistence and elevates privileges, enhancing its ability to deploy further malicious components.
The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products.
The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
Central to the malware is a packer dubbed Armoury that executes code on a system's GPU to complicate analysis in virtual environments.
The main module implements numerous techniques to evade detection by antivirus (AV) and endpoint detection and response (EDR) products, including call stack spoofing.
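The summary above notes that CoffeeLoader falls back to a domain generation algorithm when its command-and-control channel is disrupted. The page does not describe that algorithm, so the following is an added example of the kind of generic, defender-side lexical heuristic a SOC might run over DNS logs to surface DGA-like lookups; it is not code from the page or from the researchers who analysed the malware, it does not model CoffeeLoader's actual DGA, and the thresholds, the `dga_score` function and the DNS log lines are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS log (not from any real capture).
# Format per line: "<timestamp> <client-ip> <queried-domain>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com
2024-01-01T10:00:03Z 10.0.0.7 x7k2qv9pzt4mwl8b.net
2024-01-01T10:00:04Z 10.0.0.7 q3zj8vkx2pnl5wtr.com
2024-01-01T10:00:05Z 10.0.0.7 bvm9xqz4tkl7w2pj.org
2024-01-01T10:00:06Z 10.0.0.9 cdn.vendor-updates.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Shannon entropy in bits of the character distribution of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Naive second-level label (e.g. 'example' for 'www.example.com').

    A real deployment would use the Public Suffix List so that
    'foo.co.uk' yields 'foo' rather than 'co'; kept simple here.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Count how many DGA-like lexical traits the registrable label shows.

    Traits (thresholds are illustrative assumptions, not tuned values):
      - high character entropy (random-looking)
      - almost no vowels (unpronounceable)
      - a noticeable share of digits
      - long label
    Returns an integer 0..4; higher means more DGA-like.
    """
    label = registrable_label(domain)
    if not label:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0
    score += shannon_entropy(label) >= 3.8
    score += vowel_ratio < 0.2
    score += digit_ratio > 0.15
    score += len(label) >= 12
    return score


def analyze_dns_log(log_text, min_score=3, min_domains=3):
    """Group DGA-like lookups by client and keep clients that made
    at least `min_domains` such lookups.

    Requiring several suspicious domains per client, rather than
    alerting on a single odd hostname, is what keeps the false-positive
    rate manageable: CDN and tracking hostnames are often random-looking
    in isolation.
    """
    per_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, client, domain = line.split()
        if dga_score(domain) >= min_score:
            per_client.setdefault(client, []).append(domain)
    return {c: d for c, d in per_client.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for client, domains in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(domains)} DGA-like lookups -> {domains}")
```

Lexical scoring like this only finds random-looking labels; DGAs built from dictionary words will pass it, so in practice it is paired with NXDOMAIN-rate monitoring per host and with the actual domain list once the algorithm has been reverse-engineered.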