Yellow Cockatoo

Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules.

As Yellow Cockatoo uses effective search engine poisoning tactics, can stealthily persist in a compromised environment, and appears to affect a wide array of organizations across various sectors and geographies, we weren’t surprised to see it crack our top 10 threats in 2021. In September the volume of Yellow Cockatoo detections increased substantially (relative to earlier in the year). This may have been the result of a new installation mechanism, chronicled in detail by researchers from Morphisec (they call this threat “Jupyter”).

While much of the public reporting, notably a robust profile published by Morphisec, covers an infostealer component of Yellow Cockatoo, we often observe behaviors that occur earlier in the Yellow Cockatoo kill chains. This typically includes installation mechanisms, which deliver code that runs persistently. This code later downloads and executes additional modules that are never written to disk. In many of the instances of Yellow Cockatoo activity we observed, the payloads were a minimal version of the original components documented by Morphisec, with the infostealer functionality delegated to additional modules.

Yellow Cockatoo tradecraft is wide-ranging, and there are several variations on its attack chain. Over time, the most significant detection opportunities stem from the behaviors we observe consistently. These include but are not limited to the tradecraft outlined below.

Initial access: Search engine redirects enable Yellow Cockatoo operators to perform seemingly targeted social engineering attacks at scale. Initial access by Yellow Cockatoo often occurs via a search engine redirect that directs a user from a legitimate search engine to a site that downloads a malicious file bearing the victim’s search query as its name (for example: “this-is-my-search-query.msi” or “this-is-my-search-query.exe”). Because potential victims are directed to a site based on a search they initiated, they may be more inclined to engage with its content. Though many adversaries craft tailored attacks and leverage familiar themes, Yellow Cockatoo is unique in its ability to dynamically “customize” its attacks based on victims’ real-time searches.

Execution: Following installation, the EXE or MSI file spawns a command line and creates a similarly named TMP file that launches PowerShell. All of this is precursor activity that leads to the execution of a malicious dynamic link library (DLL). This is a remote access trojan (RAT) implemented as a .NET assembly designed to be reflectively loaded into PowerShell.

Defense evasion: Since Yellow Cockatoo’s follow-on activity occurs in memory, it poses a unique challenge to defenders. Yellow Cockatoo uses XOR and Base64 encoding to ensure its files are obfuscated and do not exist in cleartext on disk. Cleartext is only present in memory and only exists after it is invoked by its loader. Accordingly, static detection rules for files on disk may miss malware components.

To harden your attack surface against the search engine redirects commonly used by Yellow Cockatoo, we recommend taking steps to prevent access to malicious domains and other malicious content on the internet. This could involve configuring your web proxy to block newly registered and low-reputation domains (e.g., *.tk, *.top, and *.gg) and block advertisements.

Detection opportunities

PowerShell writing startup shortcuts

We frequently observe adversaries using PowerShell to write malicious LNK files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL:

process == powershell.exe
command_line_includes ('appdata')
filemod_path_includes ('start menu\programs\startup')
filemod_extension == '.lnk'

Note: You can test the efficacy of this detection opportunity by running this Atomic Red Team test in PowerShell with elevated privileges.

PowerShell utilizing System.Reflection.Assembly to load a DLL

This detection analytic identifies PowerShell using System.Reflection.Assembly to load a DLL. However, this analytic may generate false positives in your environment and likely requires tuning.

process == powershell.exe
command_line_includes ('reflection.assembly')
command_line_regex_encoded == '/(?i)::\(?load\)?(?:|file)\(/'
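Both pseudo-rules above (the startup-shortcut write and the System.Reflection.Assembly load), implemented as an added example over constructed process events; this is not Red Canary's code. Field names mirror the pseudo-rules, and the regex is the one from the second analytic, applied here to the command line as recorded (decoding of encoded commands is out of scope, an assumption of this example):

```python
import re

# Regex from the page's second analytic: matches "::Load(" or "::LoadFile("
# case-insensitively. Applied to the raw command line; decoding of
# -EncodedCommand payloads is out of scope for this example (assumption).
REFLECTION_LOAD_RE = re.compile(r"(?i)::\(?load\)?(?:|file)\(")

def is_powershell(event):
    return event.get("process", "").lower() == "powershell.exe"

def startup_lnk_write(event):
    """Analytic 1: PowerShell writing a .lnk into the Start Menu Startup folder."""
    cmd = event.get("command_line", "").lower()
    path = event.get("filemod_path", "").lower()
    return (is_powershell(event)
            and "appdata" in cmd
            and "start menu\\programs\\startup" in path
            and path.endswith(".lnk"))

def reflective_assembly_load(event):
    """Analytic 2: PowerShell calling System.Reflection.Assembly::Load*."""
    cmd = event.get("command_line", "")
    return (is_powershell(event)
            and "reflection.assembly" in cmd.lower()
            and REFLECTION_LOAD_RE.search(cmd) is not None)

RULES = {"startup_lnk_write": startup_lnk_write,
         "reflective_assembly_load": reflective_assembly_load}

def evaluate(events):
    """Return (event id, rule name) for every analytic that fires."""
    return [(e["id"], name) for e in events
            for name, rule in RULES.items() if rule(e)]

# Constructed sample telemetry (not real Yellow Cockatoo artifacts); field names follow the pseudo-rules.
SAMPLE_EVENTS = [
    {"id": 1, "process": "powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"Copy-Item u.lnk ($env:APPDATA+'\\Microsoft\\Windows\\Start Menu\\Programs\\Startup')\"",
     "filemod_path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.lnk"},
    {"id": 2, "process": "powershell.exe",
     "command_line": "powershell.exe -c \"[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b))\"",
     "filemod_path": ""},
    {"id": 3, "process": "explorer.exe",  # a user pinning a shortcut: not PowerShell, no alert
     "command_line": "explorer.exe",
     "filemod_path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.lnk"},
    {"id": 4, "process": "powershell.exe",  # mentions reflection.assembly but never calls Load(
     "command_line": "powershell.exe -c \"[System.Reflection.Assembly]::GetExecutingAssembly()\"",
     "filemod_path": ""},
]
```

Events 3 and 4 show why the page says the reflection analytic needs tuning: the process and the Load( call are what separate a benign shortcut or assembly query from the loader behavior.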