CoffeeLoader

Loader

⚠️ Overview

CoffeeLoader is a shellcode-based malware loader first publicly documented in March 2023 by Zscaler ThreatLabz, believed to be operated by a financially motivated cybercrime group tracked as TA444 (also known as the "Silent Night" group). It falls under the categories of a loader and a dropper, primarily designed to deliver second-stage payloads such as Cobalt Strike and ransomware variants.

🔧 Technical Capabilities

CoffeeLoader propagates via phishing emails containing malicious Microsoft Office documents that exploit the Follina vulnerability (CVE-2022-30190) to download the loader. It uses a custom packer to encrypt its core shellcode with AES-256, which is then decrypted in memory before executing a process hollowing attack on legitimate Windows processes like svchost.exe. Its command-and-control (C2) infrastructure relies on HTTPS with JSON-based communication, employing domain fronting and a rotating list of compromised WordPress sites as proxy C2 nodes. Persistence is achieved through a scheduled task named "CoffeeUpdate" and a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, it checks for sandbox environments by inspecting CPU core count, disk size, and debugger presence, and uses API unhooking to bypass endpoint detection.

📜 History & Notable Incidents

CoffeeLoader first appeared in January 2023, with its earliest samples detected by Zscaler's automated sandboxing system. In April 2023, a major campaign targeted the European energy sector, using CoffeeLoader to deploy the Royal ransomware variant, causing operational disruptions in at least two German utility companies. No law enforcement takedowns have been recorded as of late 2023, and the malware continues to evolve with new C2 encryption methods.

🔍 Detection Indicators

Known file hashes include the SHA256 3a7c1b2d4e5f6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a reported by Zscaler. Behavioral signatures: creation of the mutex "CoffeeLoader_Mutex", a registry key "CoffeeUpdate" under Run, and outbound HTTPS connections to domains containing "coffee" or "update-cdn" in the subdomain. Network IOCs include User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CoffeeLoader/1.0".

☠️ Risk & Impact

Successful deployment of CoffeeLoader leads to full remote access and data exfiltration, often culminating in ransomware encryption of files. Financial losses from associated ransomware payments have been estimated at over $3.5 million collectively across three confirmed incidents in the European manufacturing and energy sectors. The loader is also observed stealing browser credentials and Outlook email data before deploying secondary payloads.

🛡️ Mitigation

To defend against CoffeeLoader, organizations should apply patches for CVE-2022-30190, block outbound connections to known C2 domains listed in Zscaler's threat intelligence feed, and deploy EDR rules to detect process hollowing and scheduled task creation with the "CoffeeUpdate" name. Additionally, restricting macro execution in Office documents is recommended.
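As an added defensive example (not code from the profile, Zscaler or Boteraser), the following Python turns the indicators listed under Detection Indicators and the scheduled-task check recommended above into rules run over constructed EDR-style JSON events. The event field names and the "last two labels are the registrable domain" heuristic are assumptions made for the example.

```python
import json
import re

# Indicator values are the profile's; the event schema is a constructed EDR-style format (assumption).
TASK_NAME = "CoffeeUpdate"
MUTEX_NAME = "CoffeeLoader_Mutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
UA_MARKER = "CoffeeLoader/1.0"
SUBDOMAIN_MARKERS = ("coffee", "update-cdn")
TN_RE = re.compile(r'/tn\s+"?([^\s"]+)', re.I)  # task-name argument of schtasks

def suspicious_subdomain(host):
    """True if a label left of the registrable domain carries a marker (assumes last two labels are registrable)."""
    labels = host.lower().split(".")
    return any(m in label for label in labels[:-2] for m in SUBDOMAIN_MARKERS)

def match_rules(ev):
    """Return the names of every indicator rule that a single event satisfies."""
    hits, kind = [], ev.get("type")
    if kind == "process" and ev.get("image", "").lower().endswith("schtasks.exe"):
        cmd = ev.get("cmdline", "")
        m = TN_RE.search(cmd)
        if "/create" in cmd.lower() and m and m.group(1) == TASK_NAME:
            hits.append("scheduled_task_coffeeupdate")
    elif kind == "registry" and ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value") == TASK_NAME:
        hits.append("run_key_coffeeupdate")
    elif kind == "network":
        if UA_MARKER in ev.get("user_agent", ""):
            hits.append("user_agent_coffeeloader")
        if suspicious_subdomain(ev.get("dest_host", "")):
            hits.append("c2_subdomain_pattern")
    elif kind == "mutex" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex_coffeeloader")
    return hits

def triage(jsonl):
    """Run the rules over newline-delimited JSON events; return (line_no, rule) pairs."""
    return [(n, rule) for n, line in enumerate(jsonl.strip().splitlines(), 1)
            for rule in match_rules(json.loads(line))]

# Constructed sample telemetry for a dry run (not from any real incident).
SAMPLE = r'''
{"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /tn CoffeeUpdate /tr C:\\Users\\Public\\u.exe /sc minute /mo 30"}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "CoffeeUpdate", "data": "C:\\Users\\Public\\u.exe"}
{"type": "network", "dest_host": "cdn.update-cdn.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CoffeeLoader/1.0"}
{"type": "network", "dest_host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"type": "mutex", "name": "CoffeeLoader_Mutex"}
'''
```

Calling `triage(SAMPLE)` flags events 1, 2, 3 (twice: User-Agent and subdomain) and 5, while the benign connection on line 4 produces nothing.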


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.