Gamers beware! This new malware hides in your GPU
There is a new family of malware that impersonates Asus's Armoury Crate software and infects PCs with malicious code.
The malware, called CoffeeLoader, might sound like a futuristic kitchen appliance that automatically pours your morning brew, but its intent is far more nefarious. Once it has infected a PC, it connects to a remote server to download additional malware in the form of an infostealer, which then harvests information and credentials from the machine.
Armoury Crate is Asus's proprietary gaming utility for the company's lineup of gaming PCs. It lets users control key aspects of gaming performance, including the PC's operating mode, fan speeds, and more. Gamers with Asus desktops and gaming laptops are the natural targets, since they are the users most likely to go looking for the app and download it.
What makes CoffeeLoader so nasty is how carefully it has been engineered to infect gaming PCs. Not only does it mimic Asus's software, it also uses a packer, itself named "Armoury", that offloads part of its code to run on the victim's GPU (graphics card). Since every Asus gaming PC ships with a GPU, all of them can run this code. Executing on the GPU rather than the CPU is also a sneaky way to evade detection: most antivirus scanners only inspect what runs on the CPU, and the analysis sandboxes security researchers use often have no GPU at all.
The CoffeeLoader malware mimics Asus’s Armoury Crate app.
Mark Hachman / Foundry
CoffeeLoader also uses other tricks to avoid detection by antivirus software. One is sleep obfuscation: while the malware is idle, it encrypts its own code and data in memory, so a scanner that reads that memory finds nothing recognizable, and the payload is decrypted only while it is actually executing. It also uses less common execution paths to stay out of view, such as Windows fibers, a lightweight, user-mode alternative to threads that the program schedules itself and that security tools watch far less closely than ordinary threads.
Additionally, CoffeeLoader performs call stack spoofing to hide where its code was called from. When a program runs, each function call leaves a record on the call stack, like footprints in the snow, and security tools walk that stack to check whether a sensitive action (such as a Windows API call) originated from legitimate code. CoffeeLoader forges those records so the chain of calls appears to come from a benign program, fooling tools that look for suspicious origins.
Zscaler, the cybersecurity firm that discovered the malware, dates CoffeeLoader back to September 2024. Because it shares technical similarities with another malware family called SmokeLoader, the researchers suggest it could be a new variant of that family, but it's too early to say for sure.
For now, the best way to avoid a CoffeeLoader infection is to download Armoury Crate only from Asus's own website, never from a third-party site.
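As an added example (not from this article, Asus, or Zscaler), the following PowerShell script checks whether a file that claims to be an Armoury Crate installer carries a valid Authenticode signature from the expected publisher, and prints its SHA-256 hash so it can be compared with a known-good copy. The publisher name pattern is an assumption; confirm it against a genuine installer downloaded from asus.com before relying on it.

```powershell
# Added example, not part of the original article or of Asus's own tooling.
# Usage: .\Check-ArmouryCrateInstaller.ps1 -InstallerPath 'C:\Downloads\ArmouryCrateInstaller.exe'
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,

    # Assumed publisher name; verify it against a genuine Asus-signed installer.
    [string]$ExpectedSubjectPattern = 'ASUSTeK COMPUTER INC\.'
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    Write-Error "File not found: $InstallerPath"
    exit 2
}

# Authenticode signature and a hash you can compare with a known-good copy.
$sig  = Get-AuthenticodeSignature -LiteralPath $InstallerPath
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash

Write-Host "File:     $InstallerPath"
Write-Host "SHA-256:  $hash"
Write-Host "Status:   $($sig.Status)"

# An unsigned or tampered binary fails here; an impersonating installer
# typically has no signature at all.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature is not valid ($($sig.StatusMessage)). Do not run this file."
    exit 1
}

# A valid signature from the wrong publisher is the case people overlook:
# malware authors can and do obtain code-signing certificates of their own.
$subject = $sig.SignerCertificate.Subject
Write-Host "Signer:   $subject"

if ($subject -notmatch $ExpectedSubjectPattern) {
    Write-Warning "Valid signature, but the signer is not the expected publisher. Do not run this file."
    exit 1
}

Write-Host "Signature chain is valid and the signer matches the expected publisher." -ForegroundColor Green
exit 0
```

The check deliberately treats "signed" and "signed by the right publisher" as two separate tests, because a validly signed file from an unfamiliar company is exactly what a convincing impersonation looks like. It is a sanity check on a downloaded file, not a substitute for getting the file from Asus's site in the first place.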