Saturday, April 5, 2025


DIGITAL LIFE


CoffeeLoader: the new and sophisticated malware that imitates the popular Asus Armoury Crate tool

Cyberattacks are gaining a new dimension with an unexpected twist: the use of GPUs (graphics processing units) to help unpack malicious code. Researchers at Zscaler have recently discovered a new malware strain called CoffeeLoader, which is distributed disguised as legitimate software, imitating the popular Asus Armoury Crate tool. This advance in attack technique worries experts because of its evasion capability and high level of sophistication.

CoffeeLoader is a type of malware known as a “loader”, which attackers use to deliver other malicious code onto a machine. In this case, the malware is embedded in a modified version of the Armoury Crate application. For those unfamiliar with it, Armoury Crate is a tool widely used by owners of Asus computers and hardware to manage the functions of devices such as laptops, graphics cards and handheld gaming devices.

Once the compromised version of the application is downloaded, CoffeeLoader replaces some of the legitimate files with encrypted malicious code. This is where the innovation comes in: instead of relying solely on the CPU, the malware uses the GPU to decrypt its payload. This is done through OpenCL, a framework supported by most GPUs on the market. Only after decryption is the code handed back to the CPU, where it is executed.

One of the most impressive — and worrying — aspects of CoffeeLoader is its ability to evade traditional detection methods. To do this, the malware uses a combination of sophisticated techniques:

- Encryption at rest: While not executing, the malware’s code and data remain encrypted in memory, making them virtually impossible for scanners to detect at rest.

- Call stack spoofing: This method hides the traces left by the execution of the malicious code, deceiving monitoring tools that inspect the call stack to judge where a call came from.

- Use of Windows Fibers: This mechanism lets the malware switch between tasks within the same process almost imperceptibly, without relying on the operating system's thread scheduler.

With these tactics, CoffeeLoader is able to operate stealthily, slipping under the radar of standard antivirus software and security systems.

Perhaps the most alarming thing about CoffeeLoader is how easily it is distributed. According to the investigation, at least one fraudulent website has already been identified offering downloads of the compromised version of Armoury Crate. This site has been observed ranking on the first pages of search engine results, which significantly increases the risk that a less careful user will be tricked.

How to protect yourself?

To avoid falling victim to this type of attack, it is essential to download applications only from trusted sources, such as the manufacturer's official website, reached by typing its address directly rather than by following a search result link. In addition, keep your operating system and security software up to date so that your device is protected against the latest threats.

The emergence of CoffeeLoader is a clear warning that cyber threats are becoming ever more creative and harder to detect. Following safe practices when interacting online is more essential than ever.

mundophone
