Security analysts have uncovered a new and highly sophisticated malware loader, dubbed ArmouryLoader, which demonstrates advanced evasion, persistence, and privilege escalation techniques.
First detected in 2024, ArmouryLoader has been observed delivering notorious payloads such as SmokeLoader and CoffeeLoader by hijacking the export functions of the ASUS Armoury Crate system management utility.
This loader’s deep integration with legitimate system software provides an added layer of camouflage, making detection by conventional endpoint defense tools significantly more challenging.
Complex Multi-Stage Obfuscation
ArmouryLoader’s infection methodology is multi-phased and obfuscated by design, employing a series of complex steps to evade both static and dynamic analysis.

The loader utilizes three main obfuscation strategies: the deliberate insertion of non-functional instructions, multiple layers of self-decrypting code, and OpenCL-based decryption routines that require a GPU or a 32-bit CPU execution environment.
The use of OpenCL for decryption is particularly striking, as it thwarts many sandboxes and virtual machines found in malware analysis environments.
The infection chain begins by hijacking the freeBuffer export function of ArmouryA.dll, a legitimate component of ASUS Armoury Crate, where it deploys initial shellcode padded with decoy instructions.
Subsequent stages incorporate increasing layers of encrypted payloads and self-modifying code, using custom threads to process and execute each payload, with the third stage notably leveraging GPU-based decryption via OpenCL.
Advanced Privilege Escalation
After achieving code execution, ArmouryLoader sets up robust persistence mechanisms. The malware abuses Windows scheduled tasks, utilizing either the schtasks command or corresponding COM components, contingent upon privilege levels.

On systems where administrator rights are available, tasks are set to execute at login with elevated privileges; otherwise, execution occurs at regular intervals.
File attributes, including the hidden, system, and read-only flags, and access control lists (ACLs) are manipulated to inhibit removal or modification by users.
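One defensive check for the persistence behaviour described above, as an added Python example that is not code from the original report or from any vendor tool: it triages an exported scheduled-task XML definition and flags the traits the text describes, a logon trigger running at HighestAvailable, a short repetition interval, and an action launched from a user-writable directory. The task XML, the file path and the one-hour threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to; a persistence binary there is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT5M, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def triage_task_xml(xml_text):
    """Return findings for one task definition, as exported by 'schtasks /query /xml'."""
    root = ET.fromstring(xml_text)
    findings = []
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS)
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None and run_level == "HighestAvailable":
        findings.append("logon trigger with HighestAvailable run level (admin-style persistence)")
    for interval in root.iterfind("t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= 3600:  # hourly or faster
            findings.append(f"repeating trigger every {secs}s (interval-style persistence)")
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append(f"action runs from user-writable path: {path}")
    return findings

# Constructed sample, not a real ArmouryLoader artifact: logon trigger, 5-minute
# repetition, highest run level and a binary under the user's AppData directory.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\Updater\\loader.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in triage_task_xml(SAMPLE_TASK_XML):
        print(finding)
```

On a live host, feed the output of `schtasks /query /xml /tn <task>` to the function; the export is UTF-16, so pass the raw bytes rather than a decoded string.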
Privilege escalation is attained through exploitation of the CMSTPLUA COM component. ArmouryLoader masquerades as explorer.exe and triggers privilege elevation routines, granting itself administrative rights.
In newer versions, process information is manipulated within the Process Environment Block (PEB) and loader data structures before escalation is attempted via the CMLuaUtil COM class.
A hallmark of ArmouryLoader is its use of counter-detection and sophisticated injection tactics.
By reading sensitive memory through legitimate DLL gadgets and forging call stacks orchestrated with return-oriented programming (ROP) chains, it obscures its activity from EDR (Endpoint Detection and Response) solutions.
Additionally, techniques like Halo’s Gate and Heaven’s Gate are employed to evade API hooks by dynamically resolving system call numbers and directly invoking system calls, frequently switching between 32-bit and 64-bit code execution contexts.
In its final stages, ArmouryLoader injects its ultimate payload, often CoffeeLoader, into a 64-bit dllhost.exe process, camouflaging its presence within a legitimate process.
This is achieved by disabling file system redirection, leveraging 64-bit injection through the Heaven’s Gate technique, and forging return addresses and stack frames to mislead heuristic analysis.
Vendor responses such as Antiy Zhijia's endpoint security platform report some efficacy against ArmouryLoader through kernel-level monitoring and threat intelligence correlation.
Nevertheless, ArmouryLoader’s technical sophistication and rapid evolution underscore the need for continuous monitoring and advanced defensive architectures to counter evolving loader threats.
Indicators of Compromise (IoCs)
| Hash (MD5) |
|---|
| 5A31B05D53C39D4A19C4B2B66139972F |
| 90065F3DE8466055B59F5356789001BA |