Detection opportunity #4: PowerShell writing startup shortcuts
PowerShell is using System.Reflection.Assembly to load a .NET executable in memory. Adversaries frequently use this technique to introduce a malicious executable into an environment without it residing on disk. In this case, Yellow Cockatoo saved its .NET executable on disk but in obfuscated form. The only deobfuscated copy of the executable would exist in memory at runtime. Looking for the execution of PowerShell along with a corresponding command line containing System.Reflection has allowed us to catch many threats leveraging this technique.
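To show what the detection described above looks like as logic rather than as a sentence, here is an added example that is not code from the original post or from Red Canary. It runs a rule over a handful of constructed process-execution events: the event flags when the image is PowerShell and the command line contains System.Reflection. The one practitioner caveat it handles is -EncodedCommand, which hides the string in base64-encoded UTF-16LE, so the rule decodes that argument before matching. The event field names (image, cmdline) and the sample command lines are assumptions made for the example.

```python
import base64
import binascii
import re
from typing import Dict, List

# -EncodedCommand and the short forms PowerShell accepts (-e, -ec, -enc), then base64.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# The indicator from the post: "System.Reflection" in a PowerShell command line.
REFLECTION_RE = re.compile(r"System\.Reflection", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (assumed field names; not real events from the post).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "[System.Reflection.Assembly]::Load($bytes)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + base64.b64encode("[System.Reflection.Assembly]::Load($b)".encode("utf-16-le")).decode()},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"image": r"C:\Program Files\app\app.exe",
     "cmdline": "app.exe --load System.Reflection"},
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def is_powershell(image: str) -> bool:
    """Match on the image file name only, so the install path does not matter."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in POWERSHELL_IMAGES


def matches_reflection_load(event: Dict[str, str]) -> bool:
    """True when PowerShell runs with System.Reflection in the plain or decoded command line."""
    if not is_powershell(event.get("image", "")):
        return False
    cmdline = event.get("cmdline", "")
    return bool(REFLECTION_RE.search(cmdline) or REFLECTION_RE.search(decode_encoded_command(cmdline)))


def detect(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_reflection_load(e)]


if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline'][:60]}...")
```

The third and fourth sample events are the controls: an ExecutionPolicy bypass with no reflection call, and a non-PowerShell process whose arguments happen to mention System.Reflection, neither of which should trigger this particular rule.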
That last bit of PowerShell referenced above ultimately loads the DLL containing the in-memory .NET RAT that we’re going to spend the better part of the rest of this blog post discussing. In turn, we’ve observed Yellow Cockatoo delivering other payloads in parallel with the RAT, although we haven’t fully analyzed these executables.
However, a cursory analysis of one of these binaries (the middle bullet) revealed that it reaches out to C2 domains that we have previously associated with malicious behavior, one of which is referenced multiple times in the “Technical analysis” section below. These executables have varied over time, and have included (but probably aren’t limited to) the following:
- June and October 2020:
- September 2020:
- November 2020:
Deep dive on the .NET RAT
This section details our analysis of a version of a RAT that constitutes just one component of the overall cluster of activity we call Yellow Cockatoo.
We analyzed the following Yellow Cockatoo sample:
- SHA256 hash:
- MD5 hash:
The above DLL conceals a .NET RAT that loads in memory. From a high level, it can:
- Connect to, and communicate with, a command and control (C2) domain
- Download a second-stage payload
- Execute the payload in a loop (i.e., repeats steps 1 and 2 in an infinite loop)
On a more granular level, Yellow Cockatoo performs the following C2-related actions:
- It collects a variety of host information (some of it listed below).
- It stores a randomly generated string in %USERPROFILE%\AppData\Roaming\solarmarker.dat, which serves as a unique identifier for the host.
- It connects to the C2 server (address: https://gogohid[.]com/gate?q=ENCODED_HOST_INFO), sharing a variety of host information (see below) and retrieving its first command.
- It retrieves and parses commands in an infinite loop.
- Upon executing a command, it reports the execution status to https://gogohid[.]com/success?i=ENCODED_CMD_AND_HOST_ID_INFO along with certain information (see below).
As you can see in points 3 and 5 above, the C2 URLs contain byte-encoded JSON strings (we’ve replaced the actual strings with
During the initial check-in with its C2, Yellow Cockatoo is capable of relaying the following:
- hwid: the randomly generated value stored in
- pn: computer name
- os: Windows OS version
- x: host machine architecture (x64 or x86) based on the running process
- prm: the permission level of the running process (admin or user)
- ver: malware version. Fixed string:
- wg: computer workgroup
The C2 responds to the initial check-in with a unique command identifier (id). Any time Yellow Cockatoo executes a command, it uses a similarly encoded URL string (see step 5 above) to send the id back to the C2 server, effectively communicating to the C2 server that the command has executed successfully.
The RAT implements the following commands:
- rpe: downloads an executable buffer in memory and injects and loads it into c:\windows\system32\msinfo32.exe using the Process Hollowing (T1055.012) technique
- dnr: downloads an executable to %TEMP%\24_CHAR_RANDOM_STRING.exe and executes it
- psp: downloads a PowerShell script to %TEMP%\24_CHAR_RANDOM_STRING.ps1 and executes it with powershell.exe -ExecutionPolicy bypass "%TEMP%\24_CHAR_RANDOM_STRING.ps1"
The C2 can also issue an idle command that puts Yellow Cockatoo to sleep pending further commands.
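The host-side artifacts listed above (the solarmarker.dat identifier file, the dnr and psp payloads dropped under %TEMP% with a 24-character random name, and the ExecutionPolicy bypass used to run the .ps1) are concrete enough to turn into detection logic. The following is an added example, not code from the original post or from Red Canary, that classifies constructed file-write and process-start events against those three observables. It assumes the random string is alphanumeric (the post only gives its length) and assumes the event field names (type, path, cmdline); the sample paths and user name are constructed.

```python
import re
from typing import Dict, List

# dnr/psp drop location from the post: %TEMP%\<24 random chars>.exe or .ps1.
# Assumption: the random string is alphanumeric; the post gives only its length.
TEMP_PAYLOAD_RE = re.compile(r"\\Temp\\[A-Za-z0-9]{24}\.(exe|ps1)(?=[\"'\s]|$)", re.IGNORECASE)
# Host identifier file from the post: %USERPROFILE%\AppData\Roaming\solarmarker.dat.
SOLARMARKER_DAT_RE = re.compile(r"\\AppData\\Roaming\\solarmarker\.dat$", re.IGNORECASE)
# psp launches the dropped script with powershell.exe -ExecutionPolicy bypass "<path>".
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass\b", re.IGNORECASE)

# Constructed sample events (assumed field names; not real telemetry from the post).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\solarmarker.dat"},
    {"type": "process",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass "C:\Users\alice\AppData\Local\Temp\aB3dE5fG7hI9jK1lM3nO5pQ7.ps1"'},
    {"type": "process",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\zY8xW6vU4tS2rQ0pO9nM7lK5.exe"},
    {"type": "process",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\maintenance.ps1"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this single event satisfies (empty if none)."""
    hits: List[str] = []
    if event.get("type") == "file":
        if SOLARMARKER_DAT_RE.search(event.get("path", "")):
            hits.append("solarmarker_dat_write")
    elif event.get("type") == "process":
        cmdline = event.get("cmdline", "")
        m = TEMP_PAYLOAD_RE.search(cmdline)
        if m:
            # Either a dnr executable or a psp script at the 24-char random path.
            hits.append("temp_random_name_payload")
            # The psp command line specifically: PowerShell, ExecutionPolicy bypass, .ps1 under %TEMP%.
            if (m.group(1).lower() == "ps1"
                    and "powershell" in cmdline.lower()
                    and BYPASS_RE.search(cmdline)):
                hits.append("psp_execution_policy_bypass")
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rule names, omitting events with no match."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in detect(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The fourth sample event is a deliberate control: an ExecutionPolicy bypass against a script outside %TEMP% with a non-random name, which is common administrative behaviour and should not fire the psp rule on its own. Tuning the length check to exactly 24 characters keeps the temp-path rule narrow; a site that sees a variant with a different length would widen it knowingly rather than by accident.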
We hope this information and these detection opportunities serve useful to anyone trying to improve detection coverage across this threat. While we’re not altogether sure how widespread Yellow Cockatoo is, it’s ranked among the most common threats we’ve detected for many months now. As always, if you have any feedback or questions, don’t hesitate to send us an email.
Similarities and differences with Jupyter Infostealer
While this list may not be representative of all of the ways that our research overlaps, we have identified the following similarities between what we define as Yellow Cockatoo and what Morphisec defines as Jupyter Infostealer:
- .exe naming pattern
- Domain gogohid[.]com
- IP address subnet of 45.146.165[.]X
Here are the aspects of Yellow Cockatoo that we believe may be distinct from Morphisec’s analysis of Jupyter:
- The initial delivery of Yellow Cockatoo malware through search engine redirects
- Additional IP address used for C2, 45.146.165[.]221, albeit from the same subnet as observed by Morphisec (
- We analyzed what Morphisec calls the “C2 Jupyter client” while the “infostealer” payload they analyzed is a browser cookie stealer that we did not examine. To that point, we base this on differences in the version in the .NET assembly. Our technical analysis above focuses on the variant described in the Morphisec report as
- Our analysis focuses primarily on endpoint telemetry, including the PowerShell loader that launched the infostealer. The telemetry we focused on has a slightly different call run method:
- One variant analyzed by Morphisec used the call run method
- The variant we focused our analysis on used the call run method