本帖最后由 00006666 于 2025-4-23 16:50 编辑
这说的不是某种特殊加壳方式,利用GPU来绕过基于虚拟环境的分析吗,怎么变成杀软不扫描GPU、利用GPU藏身绕杀软扫描了?
https://securityaffairs.com/176046/malware/coffeeloader-is-a-sophisticated-malware.html
- “CoffeeLoader implements a number of features to defeat endpoint security software such as call stack spoofing, sleep obfuscation, and the use of Windows fibers.” reads the report published by Zscaler. “The loader leverages a packer, which we named Armoury, that executes code on a system’s GPU to hinder analysis in virtual environments.”
- The samples are protected by a unique malware packer that utilizes a system’s GPU to execute code, making analysis in virtual environments more difficult. Experts have been tracking this packer as Armoury because it impersonates the legitimate Armoury Crate utility developed by ASUS.
这个病毒实际的运行还是在内存来的,只是壳在GPU。目的是绕过malware sandboxes。
- The CoffeeLoader dropper executes an installation routine, with multiple variants implementing different functionalities. One version copies the packed DLL (ArmouryAIOSDK.dll) to the user’s temp directory and executes it via rundll32.exe, using either direct execution (with elevated privileges) or a UAC bypass (if not elevated). The researchers noted that this variant does not maintain persistence. Other versions achieve persistence by copying the DLL to %PROGRAMDATA% (with elevated privileges) or %LOCALAPPDATA% (without), setting restrictive file permissions, and scheduling a task (AsusUpdateServiceUA) via schtasks.exe or the Windows ITaskScheduler COM interface. Older versions schedule execution on user logon, while recent ones set it to run every 10 minutes.Once installation is complete, the dropper executes CoffeeLoader’s stager component and exits.The malware stager creates a suspended dllhost.exe process and injects the main CoffeeLoader module using NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtWriteVirtualMemory. It modifies the thread context to execute the injected code before terminating.The main module resolves API functions using the DJB2 algorithm and employs advanced evasion techniques, including call stack spoofing, sleep obfuscation, and Windows fibers.“The main CoffeeLoader module also resolves API function addresses by hash, but uses the DJB2 algorithm.” continues the report. “The main module implements numerous techniques to evade detection by antivirus (AV) and Endpoint Detection and Response (EDRs) including call stack spoofing, sleep obfuscation, and leveraging Windows fibers.”CoffeeLoader supports several commands that enable it to inject and execute shellcode, executables, and DLLs. These commands include sleeping (0x58), injecting and running shellcode in a specified process (0x87), updating the sleep obfuscation method and timeout (0x89), writing an executable payload to the user’s temporary directory and running it (0x91), and writing a DLL payload to the temporary directory and executing it using rundll32.exe (0x93).The malware supports call stack spoofing to mask its function call origins, evading security tools that analyze stack traces. It sets up synthetic stack frames and maps system calls dynamically, avoiding user-mode hooks. For sleep obfuscation, CoffeeLoader encrypts its memory while inactive, decrypting only during execution. It also bypasses Windows Control Flow Guard (CFG) by modifying memory permissions and adding exceptions for key system functions.ThreatLabz identified several similarities between CoffeeLoader and SmokeLoader, suggesting a possible connection between the two malware. Both malware families use a stager to inject a main module into another process, generate a bot ID based on system details, and create a mutex name linked to the bot ID. They resolve imports using hashing, store internal variables in a global structure, and encrypt network traffic with hardcoded RC4 keys. The two malware also rely heavily on low-level Windows APIs and modify file attributes to remain hidden. They use scheduled tasks for persistence, with CoffeeLoader’s latest version running tasks every 10 minutes without elevated privileges. In December 2024, a new SmokeLoader version was allegedly announced, sharing many evasion techniques with CoffeeLoader. However, it remains unclear whether CoffeeLoader is an evolution of SmokeLoader or if the similarities are coincidental.“CoffeeLoader joins a crowded market of malware loaders. However, many of the features implemented by the author enable CoffeeLoader to contend with the competition. The loader provides advanced features that are beneficial to threat groups that strive to evade detection from AVs, EDRs, and malware sandboxes.” concludes the report that includes Indicators Of Compromise (IOCs). “The CoffeeLoader developer has integrated innovative offensive red team proof-of-concept ideas such as call stack spoofing, sleep obfuscation, and Windows fibers into the loader. There are also notable similarities between SmokeLoader and CoffeeLoader, with the former distributing the latter, but the exact relationship between the two malware families is not yet clear.”
|
发表于 2025-4-23 12:46:37
