Tuesday, March 17, 2026

Exploit of ArmouryLoader – Circumventing Security Measures to Inject Malicious Code

A sophisticated malware loader known as ArmouryLoader has emerged as a significant cybersecurity threat, demonstrating advanced techniques to bypass endpoint detection and response (EDR) systems while delivering malicious payloads.

First discovered in 2024, this loader exploits legitimate ASUS Armoury Crate system management software to establish a foothold in targeted systems, making detection exceptionally challenging for security teams.

Multi-Stage Execution with GPU-Based Decryption

ArmouryLoader operates through an intricate eight-stage execution process, with each phase designed to evade detection while progressively establishing deeper system access.

The loader’s most distinctive feature involves using OpenCL (Open Computing Language) to decrypt payloads, requiring either a GPU or a 32-bit CPU for proper execution.

This requirement effectively circumvents sandbox and virtual machine environments that lack these hardware components, as many automated analysis systems operate in resource-constrained environments.

During the third stage, ArmouryLoader searches for available Nvidia, AMD, or Intel OpenCL devices to perform XOR decryption operations.

The malware generates decryption keys by performing an XOR operation on two strings, then passes both the key and the encrypted payload to the OpenCL device for processing.

This GPU-based decryption mechanism represents a novel approach to evading traditional static analysis tools that cannot replicate the required hardware environment.

Advanced EDR Evasion and System Manipulation

The loader employs sophisticated anti-EDR techniques that manipulate legitimate system components to mask malicious activity.

ArmouryLoader utilizes code segments from legitimate DLLs to read sensitive memory locations and execute system functions, effectively making malicious calls appear to originate from trusted system components.

The malware constructs forged call stacks during sensitive function calls, particularly in stages three and eight, so that to an EDR the system calls appear to originate from a trustworthy source.

For privilege escalation, ArmouryLoader leverages the CMSTPLUA COM component while disguising itself as explorer.exe to obtain Administrator privileges.

The malware also implements the Halo’s Gate technique to obtain system call numbers directly, enabling it to bypass syscall hooks commonly used by security products.

This direct system call capability allows ArmouryLoader to execute functions without triggering traditional API monitoring mechanisms.

Persistence and Payload Delivery

ArmouryLoader establishes persistence through scheduled tasks, adapting its approach based on available system privileges.

When administrator privileges are available, the loader configures tasks to execute with the highest privileges upon user login; otherwise, it runs every 30 minutes with normal privileges.

The malware strengthens its persistence by modifying file attributes to system, hidden, and read-only status, while also altering Access Control Lists (ACLs) to prevent user modification or deletion.
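To turn the persistence description above into a concrete check, the following is an added example (not code from the original article or from any vendor tooling) that parses an exported Task Scheduler definition, as produced by `schtasks /Query /XML`, and flags the two configurations described: a logon trigger with the highest available run level, or a 30-minute repetition, plus a command outside the system directories. A second helper tests the system+hidden+read-only attribute combination; the XML samples, the path `C:\Users\Public\svc.exe` and the trusted-prefix list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by `schtasks /Query /XML` exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the privileged variant (runs at logon, highest available run level).
ADMIN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec></Actions>
</Task>"""

# Constructed sample: the unprivileged variant (repeats every 30 minutes, normal run level).
USER_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2026-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec></Actions>
</Task>"""

# Assumed baseline: commands under these prefixes are not flagged on their own.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Win32 FILE_ATTRIBUTE_* values; on Windows the input is os.stat(path).st_file_attributes.
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x1, 0x2, 0x4


def analyze_task(xml_text):
    """Return a list of findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=NS)
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None and run_level == "HighestAvailable":
        findings.append("logon trigger with HighestAvailable run level")
    intervals = [e.text for e in root.findall(".//t:Repetition/t:Interval", NS)]
    if "PT30M" in intervals:
        findings.append("repeats every 30 minutes")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if path and not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"command outside system directories: {cmd.text}")
    return findings


def hardened_attributes(attrs):
    """True when system, hidden and read-only are all set, the combination the loader applies."""
    wanted = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY
    return attrs & wanted == wanted


if __name__ == "__main__":
    for name, xml in (("admin", ADMIN_TASK_XML), ("user", USER_TASK_XML)):
        print(name, analyze_task(xml))
    print(hardened_attributes(0x7), hardened_attributes(0x20))
```

A full sweep runs `analyze_task` over every task exported from the host and then checks the attributes and ACL of each flagged command path.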

The final stage transitions from 32-bit to 64-bit execution by creating a 64-bit DLLhost.exe process and injecting shellcode using the Heaven’s Gate technique.

This architectural transition enables ArmouryLoader to deliver various payloads, including SmokeLoader and CoffeeLoader families, while maintaining stealth throughout the infection chain.
