CoffeeLoader Uses GPU-Based Packer to Evade EDR and Antivirus Detection
By Admin, March 28, 2025, 3 min read

March 28, 2025, Ravie Lakshmanan, Threat Intelligence / Endpoint Security
Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that is designed to download and execute secondary payloads.

According to Zscaler ThreatLabz, the malware shares behavioral similarities with another known malware loader called SmokeLoader.

“The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products,” Brett Stone-Gross noted in a technical write-up published this week.

“The malware uses numerous techniques to bypass security solutions, including a specialized packer that uses the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.”


CoffeeLoader, which emerged around September 2024, uses a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable.

Central to the malware is a packer, dubbed Armoury, that executes code on the system's GPU to complicate analysis in virtual environments. It is so named because it impersonates the legitimate Armoury Crate utility developed by ASUS.

The infection sequence begins with a dropper that, among other things, attempts to execute a DLL payload packed with Armoury (“armouryaiosdk.dll” or “armourya.dll”) with elevated privileges, but not before attempting to bypass User Account Control (UAC).

The dropper is also designed to establish persistence on the host by means of a scheduled task configured to run either at user logon with the highest run level or every 10 minutes. This step is followed by the execution of a stager component, which in turn loads the main module.
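The scheduled-task persistence described above is something a defender can hunt for in exported task definitions. The Python script below is an added example written for this page, not code from Zscaler or from the article: it parses Task Scheduler XML of the kind produced by `schtasks /query /tn <name> /xml` and flags tasks that run at logon with RunLevel set to HighestAvailable, repeat at an interval of ten minutes or less, or execute from a user-writable directory. The two task definitions, the ten-minute threshold and the list of user-writable locations are constructed assumptions, and the sample XML omits the encoding declaration that a real export carries.

```python
"""Hunt for scheduled tasks matching the persistence pattern described above:
run at user logon with the highest run level, or repeat every 10 minutes.
Added example for this page (not Zscaler's or the article's code). Input is
Task Scheduler XML as exported by `schtasks /query /tn <name> /xml`."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed threshold: repetition intervals at or below this are worth a look.
MAX_INTERVAL_MINUTES = 10

# Heuristic (assumption): locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\Users\\[^\\]+\\AppData\\|\\ProgramData\\",
    re.IGNORECASE,
)


def iso_duration_to_minutes(text):
    """Convert an ISO 8601 duration as used by Task Scheduler (PT10M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def assess_task(xml_text):
    """Return a list of human-readable findings for one task definition (empty if nothing matched)."""
    root = ET.fromstring(xml_text)
    findings = []

    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    has_logon_trigger = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    if has_logon_trigger and run_level == "HighestAvailable":
        findings.append("runs at user logon with RunLevel=HighestAvailable")

    # Any trigger may carry a <Repetition>; a short interval is the second pattern described.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_to_minutes(interval.text or "")
        if minutes <= MAX_INTERVAL_MINUTES:
            findings.append(f"repeats every {minutes:g} minutes")

    for action in root.iterfind("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        command_line = f"{command} {arguments}".strip()
        if USER_WRITABLE.search(command_line):
            findings.append(f"executes from a user-writable path: {command_line}")

    return findings


def scan_tasks(tasks):
    """Map task name -> findings, keeping only tasks with at least one finding."""
    return {name: f for name, xml in tasks.items() if (f := assess_task(xml))}


# Constructed sample: logon trigger with highest privileges plus a 10-minute
# repetition, loading a DLL from %APPDATA% (resembles the pattern described).
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-03-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>rundll32.exe</Command><Arguments>%APPDATA%\\Updater\\loader.dll,Start</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary maintenance task for contrast.
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-03-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/autoclean</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, findings in scan_tasks({"Updater": SUSPICIOUS_TASK, "DiskCleanup": BENIGN_TASK}).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live host the same function can be fed the output of `schtasks /query /tn <name> /xml` for every task; a hit on the logon-plus-highest-privilege or ten-minute pattern is a lead to investigate rather than a verdict, since legitimate software also uses both.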

“The main module implements numerous techniques to evade detection by antivirus (AV) and endpoint detection and response (EDR) solutions, including call stack spoofing, sleep obfuscation, and the use of Windows fibers,” Stone-Gross said.

These techniques spoof the call stack to obscure the origin of a function call and obfuscate the payload while it is in a sleeping state, allowing it to sidestep security software.

The ultimate goal of CoffeeLoader is to contact the C2 server over HTTPS to obtain next-stage malware. This includes commands to inject and execute Rhadamanthys shellcode.


Zscaler said it identified a number of commonalities between the loader and the SmokeLoader source code, raising the possibility that it may be the next major iteration of the latter, particularly in the aftermath of last year's law enforcement effort that took down its infrastructure.

“There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear,” the company said.

The development comes as Seqrite Labs detailed a phishing campaign delivering Snake Keylogger.

It also follows another cluster of activity targeting users engaged in cryptocurrency trading via Reddit posts advertising versions of TradingView to trick them into installing information stealers such as Lumma and Atomic on Windows and macOS systems.
