ArmouryLoader burst onto the menace panorama in late 2024 after hijacking the export desk of ASUS’s Armoury Crate utility, turning a trusted gaming companion into an preliminary entry level for stylish malware campaigns.
Since then, safety groups have watched a gentle uptick in incidents the place the loader quietly slips previous endpoint telemetry, decrypts its payload in GPU reminiscence, and launches something from CoffeeLoader to SmokeLoader with out dropping a file on disk.
Lengthy press the QR code to view the detailed data of HijackLoader loader (Supply – 4hou)
The loader’s capability to pick OpenCL-capable gadgets, mix privilege escalation with superior obfuscation, and forge name stacks has made it a favorite amongst financially motivated menace actors concentrating on each shopper and enterprise environments.
Attackers usually ship the tampered ArmouryA.dll through spear-phishing archives or compromised software program repositories.
As soon as the malicious DLL is side-loaded, execution enters Stage 1—an ocean of reversible arithmetic operations designed to pad disassembly listings whereas leaving registers unchanged.
Ineffective directions added by ArmouryLoader (Supply – 4hou)
In seconds, Stage 2 spawns a brand new thread, decrypts the subsequent PE stub and fingers execution to Stage 3, the place an OpenCL kernel performs XOR on ciphertext blocks solely on the GPU, stopping sandbox hooks that monitor CPU-bound API calls.
Armoury self-decryption code (Supply – 4hou)
4hou analysts famous the loader’s GPU dependence forces many automated sandboxes into lifeless paths as a result of they current virtualized, non-accelerated graphics adapters.
The loader’s impression is in depth: tele-working endpoints obtain second-stage Trojans, SOCs wrestle with opaque name traces, and incident responders confront persistent duties that re-install freeBuffer hijacks after each reboot.
Digital signatures embedded within the rogue DLL carry the official “ASUSTeK COMPUTER INC.” writer subject, additional aiding social-engineering campaigns geared toward non-technical customers who belief seen certificates.
Persistence Ways: Scheduled Duties That Refuse to Die/
Whereas obfuscation and GPU-side decryption earn most headlines, ArmouryLoader’s persistence layer is the quiet pressure that ensures long-term entry.
Stage 5 begins by querying TokenElevationType and CheckTokenMembership to resolve whether or not the present context enjoys administrative powers.
If true, the loader copies itself to %PROGRAMDATApercentArmouryAIOSDK.dll, units System, Hidden and Learn-Solely attributes, and amends the file’s ACL in order that even native directors obtain a “Deny Delete” entry.
The next code fragment—excerpted from the fifth-stage PE—reveals how these rights are enforced:-
pList.grfAccessPermissions =
DELETE | FILE_WRITE_DATA | FILE_APPEND_DATA |
FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES;
pList.grfAccessMode = DENY_ACCESS;
SetEntriesInAclW(1, &pList, NULL, &newAcl);
SetNamedSecurityInfoW(L”%ProgramData%ArmouryAIOSDK.dll”,
SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
NULL, NULL, newAcl, NULL);
If excessive integrity is unavailable, Stage 5 downgrades gracefully, dropping the DLL into %LOCALAPPDATA% but making use of equivalent attribute-hardening. No matter path, it invokes schtasks.exe (or, in newer builds, the Job Scheduler COM API) to craft an “AsusUpdateServiceUA” job.
Underneath elevated contexts the duty runs on logon with the /RL HIGHEST flag; else it repeats each half-hour beneath the present consumer.
Determine 2-5 within the authentic report (“AsusUpdateServiceUA Properties.png”) depicts the job configured to set off at every sign-in, cementing the foothold.
Subsequent variants bypass schtasks.exe solely, calling ITaskDefinition::RegisterTaskDefinition in order that EDR guidelines watching command-line artefacts see nothing anomalous.
A ultimate flourish ensures stealth: ArmouryLoader rewrites the PEB’s ImagePathName and the corresponding LDR_DATA_TABLE_ENTRY strings to “explorer.exe” earlier than utilizing CMLuaUtil to relaunch itself with full administrative rights.
Any safety product performing superficial course of identify checks due to this fact assumes the privilege escalation originated from the Home windows shell.
By chaining tampered digital signatures, encrypted GPU workloads and ACL-hardened scheduled duties, ArmouryLoader gives a sturdy, low-noise supply channel that may doubtless stay engaging to attackers till defenders harden GPU telemetry and prohibit task-registration APIs system-wide.
Combine ANY.RUN TI Lookup together with your SIEM or SOAR To Analyses Superior Threats -> Strive 50 Free Trial Searches
