News item

Grounds for concern: new malware CoffeeLoader surfaces

A new and highly evasive malware family, dubbed CoffeeLoader, has been uncovered. First detected in the wild around September 2024, the malware is designed to download and execute second-stage payloads while evading detection by endpoint-based security products.

Daphne Frik
14 May 2025 | 2 minutes read


CoffeeLoader, uncovered by Zscaler ThreatLabz, is a new, sophisticated malware loader designed to deploy second-stage payloads and evade host-based detection. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. ThreatLabz observed that the malware is distributed via SmokeLoader, and the two malware families share some behavioral similarities.

Spoofing & sleep obfuscation

Once installed, CoffeeLoader relies on a range of covert tactics to stay under the radar. One of its standout features is the use of a custom packer, dubbed Armoury, which executes code on the system’s GPU. This unusual technique complicates analysis, especially in virtualized environments where GPU behavior is often limited or emulated.

To further frustrate detection efforts, CoffeeLoader uses call stack spoofing and sleep obfuscation: techniques that disguise the malware’s true execution path and make timing-based detection more difficult.

It also leverages Windows fibers, an obscure and lightweight mechanism for implementing user-mode multitasking. They allow a single thread to have multiple execution contexts, known as fibers, which can be manually switched between by the application rather than the Windows scheduler. CoffeeLoader has an option to use Windows fibers to implement sleep obfuscation as yet another way to evade detection, since some EDRs may not directly monitor or track them.

If its primary command-and-control (C2) servers are unreachable, CoffeeLoader falls back on a domain generation algorithm (DGA) to locate alternate servers. It also implements certificate pinning to guard its TLS traffic from man-in-the-middle (MITM) attacks. ThreatLabz reports that CoffeeLoader has already been used to deploy Rhadamanthys shellcode, signaling that it’s not just evasive, but actively dangerous.

Similarities with SmokeLoader

CoffeeLoader shares a striking number of technical similarities with SmokeLoader, raising questions about a potential shared lineage or codebase. Both malware families use a stager to inject a main module into another process, generate a bot ID from system-specific information, and create a mutex based on that ID. Both also resolve API imports via hashing (CoffeeLoader uses DJB2 in its main module, SmokeLoader in its stager) rather than through a normal import table, and both store pointers and variables in a global structure.
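Import hashing like this hides which APIs a loader calls; the usual analyst response is to precompute the hash of every export name the sample could be resolving and look the observed hashes up. The following is an added example of that lookup and is not code from the article or from ThreatLabz; it assumes the canonical DJB2 variant (seed 5381, h*33 + c, truncated to 32 bits) over the ASCII export name, since the page does not state which variant CoffeeLoader uses, and the export list and "observed" hashes are constructed for illustration.

```python
# Added example (not from the original article or from ThreatLabz): an
# analyst-side helper that maps DJB2 hashes back to the API export names a
# loader resolved with them. Assumption: canonical DJB2 (seed 5381, h*33 + c,
# 32-bit); CoffeeLoader's exact variant is not stated on the page.
from typing import Dict, Iterable, List, Optional

DJB2_SEED = 5381
MASK32 = 0xFFFFFFFF


def djb2(name: str, seed: int = DJB2_SEED) -> int:
    """Canonical DJB2 over the bytes of an export name, truncated to 32 bits."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & MASK32  # h * 33 + c
    return h


def build_lookup(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so hashes pulled from a sample can be resolved."""
    return {djb2(n): n for n in export_names}


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each observed hash to an export name, or None if it is not in the table."""
    return [table.get(h & MASK32) for h in hashes]


# Constructed list standing in for the export tables an analyst would dump from
# ntdll.dll and kernel32.dll; a real table is built from the full export directory.
SAMPLE_EXPORTS = [
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "RtlCreateUserThread", "ZwQueryInformationProcess", "ConvertThreadToFiber",
    "CreateFiber", "SwitchToFiber", "CreateMutexA", "VirtualAlloc",
]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constructed "observed" hashes: in practice these are the constants read
    # out of the sample's import-resolution stub, not computed from names.
    observed = [djb2("SwitchToFiber"), djb2("CreateMutexA"), djb2("NotAnExport")]
    for h, n in zip(observed, resolve(observed, table)):
        print(f"{h:08x} -> {n or '<unresolved>'}")
```

Unresolved hashes usually mean a different DJB2 seed, a case-folded or wide-character input, or an export from a DLL not yet in the table, so extend the table before assuming a custom hash.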

Network communications in both are encrypted using hardcoded RC4 keys, and they rely heavily on low-level Windows APIs like Rtl, Zw, and Nt functions. Persistence is achieved through scheduled tasks running every 10 minutes, especially when running without elevated privileges. While a new version of SmokeLoader was reportedly announced in December 2024 with features also seen in CoffeeLoader, it remains too early to confirm whether CoffeeLoader is a direct evolution of SmokeLoader or an independently developed lookalike, ThreatLabz notes.

Developments

CoffeeLoader enters an already competitive landscape of malware loaders, but its advanced evasion capabilities set it apart. By integrating techniques typically seen in offensive security research, such as call stack spoofing, sleep obfuscation, and Windows fibers, the developer has crafted a tool well-suited for stealthy operations. While its similarities to SmokeLoader suggest a possible connection, the nature of their relationship remains uncertain, leaving researchers watching closely for further developments.