ArmouryLoader Bypasses Security Protections to Inject Malicious Code
ArmouryLoader belongs to the class of malicious code loaders that attackers rely on to introduce Trojan-type payloads into compromised systems.
First identified in 2024, ArmouryLoader exploits the ASUS Armoury Crate software by hijacking its export functions, such as freeBuffer in ArmouryA.dll, to initiate multi-stage execution chains.
This loader facilitates privilege escalation, persistence, and payload delivery while incorporating anti-EDR capabilities, enabling subsequent malware like SmokeLoader and CoffeeLoader to evade system defenses.
Because it performs decryption through OpenCL, ArmouryLoader requires a GPU or a 32-bit CPU environment; sandboxes and virtual machines that lack such a device never reach the decrypted payload, which lets the loader evade automated analysis.
It further employs gadget-based memory reads from legitimate DLLs and forged call stacks to conceal system call origins, enhancing its stealth and increasing payload delivery success rates.
According to Antiy CERT’s special report, these techniques underscore the loader’s role in sophisticated attack chains, posing significant risks to endpoint security.
Emerging Threat in Malware Delivery Chains
ArmouryLoader’s obfuscation arsenal includes inserting useless instructions, self-decrypting code segments, and OpenCL-based decryption across its eight-stage process.
In stages one and three, redundant opcodes clutter the code to thwart static analysis, while stages two, four, and six feature layered XOR self-decryption loops.
The third stage uniquely invokes OpenCL to decrypt shellcode via NVIDIA, AMD, or Intel devices, generating keys through string XOR operations.
Privilege escalation in stage five mimics explorer.exe and exploits the CMSTPLUA COM component for Administrator rights, with newer variants using CMLuaUtil.
Persistence is achieved via scheduled tasks created through schtasks or COM interfaces, running every 30 or 10 minutes depending on privileges. The dropped files are fortified with hidden and read-only attributes and with ACL modifications that deny user access.
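The persistence pattern described above (a scheduled task that fires every 10 or 30 minutes, followed by hidden/read-only attributes and an ACL deny on the dropped files) is more telling in combination than any one event alone. The following is an added detection example, not code from the report or from Antiy; it correlates constructed process-creation telemetry per host and alerts when two or more of the indicators appear within a short window. The log format, the placeholder paths and task names, and the assumption that attribute and ACL changes arrive via attrib.exe and icacls.exe are all assumptions made for the example.

```python
"""Correlate command-line telemetry for the ArmouryLoader-style persistence
chain: a scheduled task with a 10- or 30-minute interval, hidden + read-only
attributes, and an ACL deny on the dropped files. Added example; the log
format and the attrib/icacls vehicles are assumptions, not from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, one event per line: timestamp|host|image|command_line.
# Paths and task names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    '2025-01-10T09:00:01|WS01|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks /create /tn "SysUpdate" /tr "C:\\Users\\Public\\upd\\loader.exe" /sc minute /mo 10 /f',
    '2025-01-10T09:00:02|WS01|C:\\Windows\\System32\\attrib.exe|'
    'attrib +h +r C:\\Users\\Public\\upd\\loader.exe',
    '2025-01-10T09:00:03|WS01|C:\\Windows\\System32\\icacls.exe|'
    'icacls C:\\Users\\Public\\upd /deny Users:(OI)(CI)(R,W,D)',
    # Benign administration on another host: a daily task and a read-only flag.
    '2025-01-10T09:05:00|WS02|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks /create /tn "NightlyBackup" /tr "C:\\Tools\\backup.exe" /sc daily /st 02:00',
    '2025-01-10T09:06:00|WS02|C:\\Windows\\System32\\attrib.exe|'
    'attrib +r C:\\Tools\\config.ini',
]

_SC_MINUTE = re.compile(r'/sc\s+minute\b', re.I)
_MO_10_30 = re.compile(r'/mo\s+(10|30)\b', re.I)


def _image_is(image, name):
    """True when the process image path ends in the given executable name."""
    low = image.lower()
    return low == name or low.endswith('\\' + name)


def classify(image, cmdline):
    """Return the set of indicator names matched by one process event."""
    hits = set()
    if _image_is(image, 'schtasks.exe') and _SC_MINUTE.search(cmdline) and _MO_10_30.search(cmdline):
        hits.add('schtasks_minute_10_30')
    if _image_is(image, 'attrib.exe'):
        flags = {tok.lower() for tok in cmdline.split() if tok.startswith('+')}
        if {'+h', '+r'} <= flags:          # both hidden and read-only set
            hits.add('attrib_hidden_readonly')
    if _image_is(image, 'icacls.exe') and re.search(r'/deny\b', cmdline, re.I):
        hits.add('acl_deny')
    return hits


def parse_event(line):
    ts, host, image, cmdline = line.split('|', 3)
    return {'ts': datetime.fromisoformat(ts), 'host': host,
            'image': image, 'cmdline': cmdline}


def correlate(lines, window=timedelta(minutes=10), min_indicators=2):
    """Per host, find the time window (of length `window`) holding the most
    distinct indicators; alert when that count reaches min_indicators."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name in classify(ev['image'], ev['cmdline']):
            by_host[ev['host']].append((ev['ts'], name))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide window
                start += 1
            names = {n for _, n in hits[start:end + 1]}
            if best is None or len(names) > len(best['indicators']):
                best = {'host': host, 'indicators': names,
                        'first': hits[start][0], 'last': hits[end][0]}
        if len(best['indicators']) >= min_indicators:
            alerts.append(best)
    return alerts


if __name__ == '__main__':
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']}: {sorted(a['indicators'])} between {a['first']} and {a['last']}")
```

Only WS01 trips the alert: the daily backup task and a lone read-only flag on WS02 match nothing, so the correlation logic, not the individual rules, carries the precision. In production the same indicators would come from Sysmon process-creation events or Windows task-creation audit events rather than a constructed list.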

Its anti-EDR measures include Halo’s Gate to extract syscall numbers and evade user-mode hooks, and ROP chains that forge call stacks to defeat stack backtracing.
In stage seven, Heaven’s Gate enables 64-bit code execution in dllhost.exe, transitioning from the 32-bit environment, while stage eight allocates memory via syscalls such as NtAllocateVirtualMemory, using gadgets such as mov rax,[rax];ret for indirect memory reads and jmp [rbx] for control-flow redirection.
The attack process unfolds progressively: stage one hijacks exports to run shellcode; even-numbered stages decrypt and load PE files; odd-numbered stages handle behaviors such as OpenCL decryption, privilege escalation, and injection.
Sample analysis of a 1.41 MB x86 ArmouryA.dll (MD5: 5A31B05D53C39D4A19C4B2B66139972F) reveals heavy obfuscation, invalid ASUS signatures, and dynamic API resolution via PEB.
ATT&CK mappings highlight persistence via scheduled tasks (T1053), privilege escalation through COM abuse (T1546), defense evasion with deobfuscation and syscall indirection (T1140, T1620), and obfuscated files (T1027).
Antiy’s Zhijia products detect these via real-time monitoring and kernel-level defenses, alerting on file additions and enabling centralized threat management.
Indicators of Compromise
| IOC Type | Value |
|---|---|
| MD5 Hash | 5A31B05D53C39D4A19C4B2B66139972F |
| MD5 Hash | 90065F3DE8466055B59F5356789001BA |