⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Observations on trending threats
November’s top 10 includes both previously seen threats and previously seen patterns. Qbot saw a steep decline in activity, falling from a two-month stay in the top spot to tie for 10th place with SocGholish. Emotet returned with a burst of intense activity during the first 10 days of November, enough for it to land at number 5 for the month. Remote Utilities cracks the top 10 for the first time since March 2022. It typically lurks just outside the top 10, and its appearance here has more to do with a slight decrease in other threat volume than a sudden increase in Remote Utilities activity.
Yellow Cockatoo returns from hiatus
After a stretch of inactivity beginning in July 2022, we saw Yellow Cockatoo reappear in early November 2022. Yellow Cockatoo—also tracked under the names Jupyter and Solarmarker—has historically paused activity after the release of public information, only to resume activity months later using an updated version of their malware. We assess that the adversary may be experimenting with different distribution methods based on recently observed initial access techniques.
One new Yellow Cockatoo malware variant disguised the malicious download as a legitimate browser update, similar to SocGholish’s distribution techniques. A researcher known as Squiblydoo observed this activity in October 2022. Additionally, researchers have seen a new variant of the malware being distributed using Yellow Cockatoo’s traditional search engine redirect methodology. This technique redirects a user from a legitimate search engine to a site that downloads a malicious binary masquerading as their search term. For example, if you searched for “this is my query,” the malicious binary would be named
While the most recent malware version is slightly different from earlier versions, the execution tactics, techniques, and procedures (TTPs) are similar. This means that execution-based analytics that have detected Yellow Cockatoo in the past may still catch it now.
Detection opportunity: PowerShell creating LNK files within a startup directory
The following pseudo-detection analytic identifies PowerShell creating LNK files in a startup directory. Malware like Yellow Cockatoo can be introduced as a fake installer binary, resulting in malicious PowerShell script execution. Some benign homegrown utilities or installers may create .lnk files in startup locations, so additional investigation of the activity may be necessary.
process == (
filetype == (
filepath_includes == (
command_line_does_not_include == (*)
* is a placeholder for approved utilities or installers in your environment that also create .lnk files in startup locations.
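The analytic above expressed as runnable detection logic, as an added example that is not part of Red Canary's report; the event field names, the Startup-folder matcher, the allowlist value standing in for "*" and the sample events are all assumptions:

```python
# Added example (not Red Canary's analytic code): the "PowerShell creating LNK
# files in a startup directory" logic run over constructed file-creation events.
# Field names (process, command_line, target_path) are assumptions.
import ntpath
import re

# Both the per-user and the all-users Startup folders end in this fragment.
STARTUP_MARKER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Stands in for the "*" placeholder in the analytic: command-line substrings of
# approved installers/utilities that legitimately drop .lnk files into Startup.
# Constructed value; replace with the tools used in your environment.
APPROVED_CMDLINE_MARKERS = ("approved-installer.ps1",)

def is_suspicious_lnk_creation(event: dict) -> bool:
    """True when PowerShell wrote a .lnk into a Startup folder and the command
    line does not match an approved exclusion."""
    proc = ntpath.basename(event.get("process", "")).lower()
    target = event.get("target_path", "")
    cmd = event.get("command_line", "").lower()
    if proc not in ("powershell.exe", "pwsh.exe"):   # pwsh.exe added as an assumption
        return False
    if not target.lower().endswith(".lnk") or not STARTUP_MARKER.search(target):
        return False
    return not any(m.lower() in cmd for m in APPROVED_CMDLINE_MARKERS)

def find_alerts(events):
    """Return the target paths of the events the analytic would flag."""
    return [e["target_path"] for e in events if is_suspicious_lnk_creation(e)]

# Constructed sample telemetry (not real incident data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    # Fake-installer flow: hidden PowerShell drops a shortcut into Startup.
    {"process": PS, "command_line": "powershell.exe -w hidden -f C:\\Users\\Public\\upd.ps1",
     "target_path": USER_STARTUP + r"\update.lnk"},
    # Approved deployment script: excluded by the "*" allowlist.
    {"process": PS, "command_line": "powershell.exe -File C:\\Deploy\\approved-installer.ps1",
     "target_path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Helpdesk.lnk"},
    # Not PowerShell: the user created a shortcut via Explorer.
    {"process": r"C:\Windows\explorer.exe", "command_line": "explorer.exe",
     "target_path": USER_STARTUP + r"\Notes.lnk"},
]

if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT: PowerShell wrote startup LNK:", path)
```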
Gootloader malware changes TTPs for evasion
In November 2022, Red Canary observed changes in the TTPs associated with the execution of Gootloader malware. Gootloader is a malicious downloader that is often followed by hands-on-keyboard activity in enterprise environments. The new tradecraft, observed during the first two weeks of November, included changes to persistence mechanisms and changes in the way Gootloader uses PowerShell to execute commands. We’ve updated our Gootloader blog to reflect the new TTPs, which we have also briefly summarized below.
In the newest iteration, the first stage unpacks a second stage to disk without making network connections to remote hosts as it did previously. It writes the second-stage JScript under a legitimate folder in APPDATA\Roaming. The first stage also creates a scheduled task for persistence using COM or similar functionality; previous versions used PowerShell commands to create the task. The first stage ends by appending around 40MB of extraneous text to the script to hinder malware analysis.
The second stage executes with cscript.exe, spawning PowerShell while passing a script in for execution. PowerShell conducts host discovery, gathering details to report for command and control (C2) purposes. PowerShell then downloads and executes additional payloads. At this point, Gootloader resumes its traditional execution flow, deobfuscating follow-on payloads from the Windows Registry and loading them using System.Reflection classes in PowerShell.
These new TTPs can make it more challenging for defenders to quickly detect Gootloader, potentially allowing the adversary to remain undetected for longer periods of time. However, there are still detection opportunities available.
cscript which executes PowerShell
The following pseudo-detection analytic identifies cscript which executes PowerShell. The malicious parent wscript process will typically be spawned from a scheduled task. This sequence has been observed when malware, including Gootloader, uses wscript to execute files such as malicious .js files. Legitimate applications can use this chain of processes as well, so additional investigation may be needed.
parent_process == (
process == (
child_process == (
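The parent/process/child analytic above as an added example that is not Red Canary's code: it reconstructs the wscript -> cscript -> PowerShell chain from constructed process-start events and notes whether a scheduled-task host sits above wscript. The event field names, the task-host image list and the sample process tree are assumptions.

```python
# Added example (not Red Canary's analytic code): the "cscript which executes
# PowerShell" chain run over constructed process-start events (field names assumed).
import ntpath

# Images that host scheduled tasks; constructed list (the Task Scheduler
# service runs inside svchost.exe on current Windows, taskeng.exe on older).
TASK_HOSTS = ("svchost.exe", "taskeng.exe")

def _name(image: str) -> str:
    return ntpath.basename(image).lower()

def detect_cscript_powershell_chain(events):
    """One finding per powershell.exe whose parent is cscript.exe and whose
    grandparent is wscript.exe (parent_process -> process -> child_process).
    A scheduled-task host above wscript raises confidence but is not required."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        if _name(child["image"]) != "powershell.exe":
            continue
        proc = by_pid.get(child["ppid"])        # expected: cscript.exe
        if proc is None or _name(proc["image"]) != "cscript.exe":
            continue
        parent = by_pid.get(proc["ppid"])       # expected: wscript.exe
        if parent is None or _name(parent["image"]) != "wscript.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        findings.append({
            "powershell_pid": child["pid"],
            "script_cmdline": parent["command_line"],
            "from_scheduled_task": grand is not None and _name(grand["image"]) in TASK_HOSTS,
        })
    return findings

# Constructed sample process tree (not real incident data): a task-launched
# wscript -> cscript -> powershell chain, then a benign cscript -> powershell pair.
SYS = r"C:\Windows\System32"
SAMPLE_PROCESSES = [
    {"pid": 900, "ppid": 4, "image": SYS + r"\svchost.exe", "command_line": "svchost.exe -k netsvcs -s Schedule"},
    {"pid": 2100, "ppid": 900, "image": SYS + r"\wscript.exe", "command_line": r'wscript.exe "C:\Users\bob\AppData\Roaming\Vendor\loader.js"'},
    {"pid": 2140, "ppid": 2100, "image": SYS + r"\cscript.exe", "command_line": r'cscript.exe "C:\Users\bob\AppData\Roaming\Vendor\stage2.js"'},
    {"pid": 2188, "ppid": 2140, "image": SYS + r"\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -NoProfile -Command -"},
    {"pid": 3010, "ppid": 3000, "image": SYS + r"\cscript.exe", "command_line": "cscript.exe inventory.vbs"},
    {"pid": 3020, "ppid": 3010, "image": SYS + r"\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -File inv.ps1"},
]

if __name__ == "__main__":
    for finding in detect_cscript_powershell_chain(SAMPLE_PROCESSES):
        print("ALERT wscript -> cscript -> powershell:", finding)
```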