Date: 03/27/2025
Severity: Medium
Summary
CoffeeLoader, described in Zscaler's report "CoffeeLoader: A Brew of Stealthy Techniques", is a sophisticated malware loader designed to deploy secondary payloads while evading detection by endpoint security software. It employs advanced techniques such as call stack spoofing, sleep obfuscation, and Windows fibers to hinder analysis. The loader uses a custom packer, Armoury, which executes code on the system's GPU, making analysis in virtual environments more difficult. Additionally, CoffeeLoader incorporates a domain generation algorithm (DGA) as a fallback for command-and-control communication if its primary channels are blocked, and uses certificate pinning to prevent TLS man-in-the-middle interception of that traffic. It has been observed deploying Rhadamanthys shellcode.
Indicators of Compromise (IOC) List
Type | Value |
URL/Domain | https://freeimagecdn.com/ |
URL/Domain | https://mvnrepo.net/ |
Hash (SHA-256) | c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9 |
Hash (SHA-256) | 8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552 |
Hash (SHA-256) | 5538b88eb2effa211a9c324b001e02802b7ccd0008b3af9284e32ab105dc9e6f |
Hash (SHA-256) | 70fafd3fefca2fd4a061d34e781136f93a47d856987832041d3c703658d60fc1 |
Hash (SHA-256) | bc1b750338bc3013517e5792da59fba0d9aa3965a9f65c2be7a584e9a70c5d91 |
Hash (SHA-256) | 5fcd2e12723081f512fa438301690fb310610f4de3c191c7c732d56ece7f0499 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | domainname like "https://freeimagecdn.com/" or siteurl like "https://freeimagecdn.com/" or domainname like "https://mvnrepo.net/" or siteurl like "https://mvnrepo.net/" |
Detection Query 2 | sha256hash IN ("8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552","5538b88eb2effa211a9c324b001e02802b7ccd0008b3af9284e32ab105dc9e6f","70fafd3fefca2fd4a061d34e781136f93a47d856987832041d3c703658d60fc1","c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9","bc1b750338bc3013517e5792da59fba0d9aa3965a9f65c2be7a584e9a70c5d91","5fcd2e12723081f512fa438301690fb310610f4de3c191c7c732d56ece7f0499") |
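As an added example (not part of this advisory and not Gurucul's own query logic), the following Python check applies the same two indicator sets to constructed sample log lines; it matches the domain indicators by hostname (including subdomains) rather than by raw URL substring, so a look-alike such as mvnrepo.net.evil.example is not flagged, and compares hashes case-insensitively. The key=value log format, the host/ts fields, and the field name sha256hash carrying a single hash per line are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# IOC values copied verbatim from the advisory above.
IOC_DOMAINS = {"freeimagecdn.com", "mvnrepo.net"}
IOC_SHA256 = {
    "c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9",
    "8941b1f6d8b6ed0dbc5e61421abad3f1634d01db72df4b38393877bd111f3552",
    "5538b88eb2effa211a9c324b001e02802b7ccd0008b3af9284e32ab105dc9e6f",
    "70fafd3fefca2fd4a061d34e781136f93a47d856987832041d3c703658d60fc1",
    "bc1b750338bc3013517e5792da59fba0d9aa3965a9f65c2be7a584e9a70c5d91",
    "5fcd2e12723081f512fa438301690fb310610f4de3c191c7c732d56ece7f0499",
}

# Constructed sample log lines in an assumed key=value format ("-" = field absent).
SAMPLE_LOGS = [
    "ts=2025-03-27T10:01:02Z host=ws01 siteurl=https://freeimagecdn.com/api/v1 sha256hash=-",
    "ts=2025-03-27T10:01:05Z host=ws01 siteurl=https://cdn.example.com/ sha256hash=-",
    "ts=2025-03-27T10:02:11Z host=ws02 domainname=mvnrepo.net sha256hash=-",
    "ts=2025-03-27T10:03:40Z host=ws03 siteurl=- sha256hash=C930ECA887FDF45AEF9553C258A403374C51B9C92C481C452ECF1A4E586D79D9",
    "ts=2025-03-27T10:04:00Z host=ws03 siteurl=https://mvnrepo.net.evil.example/ sha256hash=-",
]

def hostname_of(value):
    """Return the lowercased host part of a URL or a bare domain name."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def domain_matches(value):
    """True if the host equals an IOC domain or is a subdomain of one.
    A substring/LIKE-style test would also flag 'mvnrepo.net.evil.example'."""
    host = hostname_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def parse_kv(line):
    """Parse 'key=value' tokens into a dict (assumed log format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def scan(lines):
    """Return (line_index, reason) for every line that matches an IOC."""
    hits = []
    for i, line in enumerate(lines):
        fields = parse_kv(line)
        for key in ("siteurl", "domainname"):      # fields used by Detection Query 1
            v = fields.get(key, "-")
            if v != "-" and domain_matches(v):
                hits.append((i, f"{key}:{hostname_of(v)}"))
        h = fields.get("sha256hash", "-").lower()  # field used by Detection Query 2
        if h in IOC_SHA256:
            hits.append((i, f"sha256hash:{h[:12]}"))
    return hits
```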
Reference:
https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-techniques#introduction