Never underestimate hackers’ ingenuity. I learned this very early on in my hacking career, and it’s as accurate now as it was in the late 1980s. What’s more, this mantra unfortunately applies to hackers of the criminal variety as well as to those who do so much good work. Remember, hacking is not a crime until it is. A case in point is the deployment of infostealer malware: the software used by so many cybercriminals to compromise credentials, leading to account takeover and to vast quantities of stolen passwords being traded on the dark web. The latest example is the CoffeeLoader malware family, which executes part of its code on the system’s GPU in order to evade detection.
How CoffeeLoader Hackers Steal Your Password Via Your GPU
Graphics cards and the software surrounding them are not a new target for cybercriminals. Whether it’s security vulnerabilities in GPU display drivers or in virtual GPU software, you can bet your bottom dollar that hackers are looking for ways to exploit this powerful part of your system. Infostealer malware attacks that use the GPU are not something I have come across before, at least not to my failing old-man memory. However, the operators behind CoffeeLoader appear to be doing exactly that.
In a March 26 posting, Brett Stone-Gross, the senior director of threat intelligence at Zscaler, detailed precisely how the CoffeeLoader malware family is being deployed with the help of your graphics card.
The whole purpose of the CoffeeLoader malware is to evade detection and bypass security protections in order to download and execute second-stage payloads, the infostealers in question. CoffeeLoader achieves this by combining a sophisticated packer that makes use of the GPU with call stack spoofing (disguising the origin of its API calls from security tools that inspect the call stack) and sleep obfuscation (hiding its own code in memory while it is idle, so that memory scanners find nothing useful). “The loader leverages a packer, which we named Armoury,” Stone-Gross said, “that executes code on a system’s GPU to hinder analysis in virtual environments.”
Packers are standard fare for malware families, but the unpacking stage is rarely discussed in security reports because, well, it’s usually routine and of little consequence in the broader scheme of things. That is not the case with CoffeeLoader, thanks to a clearly distinguishable packer that runs part of the initial malware code on the GPU. Sandboxes and virtual machines typically expose no usable GPU, so a GPU-dependent unpacker may simply never reveal its payload there, which complicates the threat analysis process. Zscaler ThreatLabz has named this packer Armoury “because it impersonates the legitimate Armoury Crate utility created by ASUS.”
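The practical consequence for anyone running samples in a sandbox is that the analysis host needs to expose a GPU compute runtime before a packer like this can even be observed unpacking. The script below is an added example written for this article, not code from Zscaler or from the malware itself; it assumes that the packer reaches the GPU through a standard compute API such as OpenCL (an assumption, since the report excerpted here does not say which API Armoury uses) and checks whether the current host offers an OpenCL runtime with at least one GPU device. The `gpu_compute_available` function name is the example’s own.

```python
import ctypes
import ctypes.util
import platform

# Constants from the Khronos OpenCL header (cl.h).
CL_SUCCESS = 0
CL_DEVICE_NOT_FOUND = -1
CL_DEVICE_TYPE_GPU = 1 << 2


def _load_opencl():
    """Load the OpenCL ICD loader library, or return None if it is absent."""
    if platform.system() == "Windows":
        loader, candidates = ctypes.WinDLL, ["OpenCL.dll"]
    else:
        found = ctypes.util.find_library("OpenCL")
        loader = ctypes.CDLL
        candidates = ([found] if found else []) + ["libOpenCL.so.1", "libOpenCL.so"]
    for name in candidates:
        try:
            return loader(name)
        except OSError:
            continue
    return None


def gpu_compute_available():
    """Report whether this host exposes an OpenCL GPU device.

    Returns a dict with keys runtime_loaded (bool), platforms (int),
    gpu_devices (int) and note (str). A sandbox that reports no GPU device
    cannot execute a GPU-only code path, so a packer that depends on one
    (assumed here to use OpenCL) would never unpack its payload there.
    """
    result = {"runtime_loaded": False, "platforms": 0, "gpu_devices": 0, "note": ""}
    cl = _load_opencl()
    if cl is None:
        result["note"] = "no OpenCL runtime; GPU-dependent unpackers cannot run here"
        return result
    result["runtime_loaded"] = True

    # cl_int clGetPlatformIDs(cl_uint, cl_platform_id*, cl_uint*)
    cl.clGetPlatformIDs.argtypes = [ctypes.c_uint, ctypes.POINTER(ctypes.c_void_p),
                                    ctypes.POINTER(ctypes.c_uint)]
    cl.clGetPlatformIDs.restype = ctypes.c_int
    # cl_int clGetDeviceIDs(cl_platform_id, cl_device_type (64-bit bitfield),
    #                       cl_uint, cl_device_id*, cl_uint*)
    cl.clGetDeviceIDs.argtypes = [ctypes.c_void_p, ctypes.c_uint64, ctypes.c_uint,
                                  ctypes.POINTER(ctypes.c_void_p), ctypes.POINTER(ctypes.c_uint)]
    cl.clGetDeviceIDs.restype = ctypes.c_int

    n_plat = ctypes.c_uint(0)
    if cl.clGetPlatformIDs(0, None, ctypes.byref(n_plat)) != CL_SUCCESS or n_plat.value == 0:
        result["note"] = "OpenCL loader present but no platforms (no vendor ICD installed)"
        return result
    platforms = (ctypes.c_void_p * n_plat.value)()
    if cl.clGetPlatformIDs(n_plat.value, platforms, None) != CL_SUCCESS:
        result["note"] = "clGetPlatformIDs failed"
        return result
    result["platforms"] = n_plat.value

    total_gpu = 0
    for plat in platforms:
        n_dev = ctypes.c_uint(0)
        rc = cl.clGetDeviceIDs(plat, CL_DEVICE_TYPE_GPU, 0, None, ctypes.byref(n_dev))
        if rc == CL_SUCCESS:
            total_gpu += n_dev.value
        elif rc != CL_DEVICE_NOT_FOUND:
            result["note"] = f"clGetDeviceIDs returned error {rc}"
    result["gpu_devices"] = total_gpu
    if total_gpu == 0 and not result["note"]:
        result["note"] = "OpenCL present but no GPU device; a GPU-only code path would fail"
    return result


if __name__ == "__main__":
    print(gpu_compute_available())
```

Run it inside the analysis VM before detonating a sample: a result with `gpu_devices` of 0 means GPU passthrough (or a vendor ICD) is missing, and any unpacking the sample does on the GPU will not be observed on that host. The check uses only the OpenCL ICD loader, so it says nothing about CUDA or DirectX compute paths.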
Zscaler has said that CoffeeLoader has been observed being deployed alongside SmokeLoader, which is sold as a crimeware kit that includes password stealing as part of the package. SmokeLoader was the subject of a law enforcement disruption in 2024, having been active for many years, but apparently that hasn’t killed it off.