Threat
Yellow Cockatoo
Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules.
Threat Sounds
Love’s a risk, and so are search engine redirects. We recommend blocking newly registered and low-reputation domains to avoid the .NET remote access trojan (RAT) associated with Yellow Cockatoo.
Analysis
Yellow Cockatoo is an activity cluster involving search engine poisoning to trick users into installing a .NET RAT with infostealer capabilities. First reported by Red Canary in 2020, Yellow Cockatoo has also garnered attention from other researchers, who track it under other names such as Jupyter and Solarmarker. After bursting onto the scene in 2020 and appearing in about 5 percent of Red Canary-monitored environments to claim the #7 spot in our 2021 prevalence rankings, Yellow Cockatoo dropped back considerably in 2022, affecting less than 2 percent of Red Canary customers. Despite this drop, Yellow Cockatoo achieved that prevalence while only being active for about 8 months of the year, cracking the monthly top 10 three times and peaking at #2 in March. Known for shutting down and retooling after periods of high activity, Yellow Cockatoo was notably absent from our view from Nov 2021 through late February 2022 and again from late July until early November 2022.
While much of the public reporting, notably a robust profile published by Morphisec, covers an infostealer component of Yellow Cockatoo, we often observe behavior that occurs earlier in the Yellow Cockatoo intrusion chain. This typically includes an installation mechanism, which delivers code that runs persistently. This code later downloads and executes additional modules that are never written to disk. In many of the instances of Yellow Cockatoo activity we observed, the payloads were a minimal version of the original components documented by Morphisec, with the infostealer functionality delegated to additional modules.
Search engine hijinks
Yellow Cockatoo tradecraft is wide-ranging, and there are several variations to its intrusion chain. Search engine redirects enable Yellow Cockatoo operators to compromise users at scale. Initial access by Yellow Cockatoo often occurs via a search engine redirect that directs a user from a legitimate search engine to a site that downloads a malicious file bearing the victim’s search query as its name (for example: this-is-my-search-query.exe). Because potential victims are directed to a site based on a search they initiated, they may be more inclined to engage with its content. Though many adversaries craft tailored attacks and leverage familiar themes, Yellow Cockatoo is unique in its ability to dynamically “customize” its attacks based on victims’ real-time searches.
The query-based binary acts as an installer for Yellow Cockatoo’s malicious payload—typically a .NET-based DLL that is stored in an encrypted state either in a file on disk or in the Windows Registry. In order to execute this payload, Yellow Cockatoo leverages obfuscated PowerShell commands to read in the encrypted payload, decrypt it, and reflectively load it into memory, so the decrypted DLL never touches disk. Prior to late 2022, this “encryption” consisted of a simple XOR function combined with Base64 encoding; as of November 2022, however, Yellow Cockatoo appears to be leveraging AES encryption within its PowerShell commands.
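To make the pre-November 2022 scheme concrete, the following Python is an added triage example (not Yellow Cockatoo code or anything from the Red Canary report) that models the stored payload as a Base64-encoded, XOR-ed blob, decodes it, and checks whether the result is a PE image. The single-byte key, the fake PE image and the stored blob are all constructed here for illustration; the real key length, key location and blob layout are not documented on this page. The AES variant is not covered because it needs a third-party library, but the same PE check applies to its decrypted output.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this both
    'encrypts' and 'decrypts' the payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: an 'MZ' DOS header and a 'PE\\0\\0' signature
    at the offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(blob_b64: str, key: bytes) -> bytes:
    """Reverse the documented pre-Nov-2022 scheme: Base64-decode the stored
    blob, then XOR it with the key. What comes back is what the PowerShell
    stage would hand to a reflective .NET loader."""
    return xor_bytes(base64.b64decode(blob_b64), key)


def recover_single_byte_key(blob_b64: str):
    """Analyst shortcut when the key is hidden elsewhere in obfuscated script:
    try every single-byte key and keep the one that yields a PE image.
    Assumes a one-byte key, which is an illustration, not a claim about the
    actual malware."""
    raw = base64.b64decode(blob_b64)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if is_pe(candidate):
            return k, candidate
    return None


# --- constructed sample data (not a real sample) ---------------------------
# A 256-byte stand-in for the .NET DLL: MZ header, e_lfanew -> 0x80, PE sig.
_img = bytearray(0x100)
_img[0:2] = b"MZ"
_img[0x3C:0x40] = (0x80).to_bytes(4, "little")
_img[0x80:0x84] = b"PE\0\0"
FAKE_PE = bytes(_img)

KEY = bytes([0x5A])  # hypothetical single-byte XOR key
# What an installer would drop into a file or registry value under this scheme.
STORED_BLOB = base64.b64encode(xor_bytes(FAKE_PE, KEY)).decode()

if __name__ == "__main__":
    recovered = decode_payload(STORED_BLOB, KEY)
    print("decoded payload is a PE image:", is_pe(recovered))
    print("brute-forced key:", hex(recover_single_byte_key(STORED_BLOB)[0]))
```

When pulling a suspected blob out of a registry value or a dropped file, run the decoded bytes through the PE check before anything else; if the XOR stage is skipped the Base64 output alone will not start with MZ, which is a quick way to tell whether you have the raw ciphertext or the loader’s input.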
Take action
Yellow Cockatoo’s initial access can be difficult to prevent. To harden your attack surface against the search engine redirects commonly used by Yellow Cockatoo, we recommend taking steps to prevent access to malicious domains and other malicious content on the internet. This could involve configuring your web proxy to block newly registered domains and low-reputation top-level domains (e.g., .tk, .top, and .gg) as well as blocking advertisements.
Detection opportunities
PowerShell startup folder persistence
One TTP that’s remained consistent with Yellow Cockatoo over the years is the use of the Windows Startup folder for persistence. Not unique to Yellow Cockatoo, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL:
process == powershell.exe
&&
command_includes ('appdata')
&&
filemod_path_includes ('start menu\programs\startup')
&&
filemod_extension == '.lnk'
PowerShell suspicious .NET methods
Throughout the year, we’ve tracked Yellow Cockatoo’s tradecraft changes and updated our detection analytics. One of the new analytics we created looks for suspicious .NET methods, primarily seen in PowerShell script load content. This behavior is not limited to Yellow Cockatoo and applies broadly to malicious PowerShell obfuscation attempts; because FromBase64String in particular also appears in legitimate administrative scripts, expect to tune this analytic against your own baseline.
process_name == powershell.exe
&&
scriptload_content_contains ('aescryptoserviceprovider' || 'frombase64string' || 'user32.dll')
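The two analytics above (startup folder persistence and suspicious .NET methods) can be exercised outside a detection platform. The Python below is an added example, not Red Canary’s own detection code, that implements both rules as functions over a constructed event shape with `process_name`, `command_line`, `filemod_path`, and `scriptload_content` fields; the field names and the sample events are assumptions made here for illustration, not real telemetry.

```python
import os

# Rule 1: PowerShell writing a .lnk into the user's Startup folder while its
# command line references AppData (the Yellow Cockatoo persistence pattern).
STARTUP_DIR_FRAGMENT = "start menu\\programs\\startup"


def startup_lnk_persistence(event: dict) -> bool:
    if event["process_name"].lower() != "powershell.exe":
        return False
    if "appdata" not in event["command_line"].lower():
        return False
    path = event["filemod_path"].lower()
    return STARTUP_DIR_FRAGMENT in path and os.path.splitext(path)[1] == ".lnk"


# Rule 2: PowerShell script content that loads .NET crypto/decoding methods or
# P/Invokes user32.dll, as seen in the decrypt-and-reflectively-load stage.
SUSPICIOUS_DOTNET = ("aescryptoserviceprovider", "frombase64string", "user32.dll")


def suspicious_dotnet_methods(event: dict) -> bool:
    if event["process_name"].lower() != "powershell.exe":
        return False
    content = event["scriptload_content"].lower()
    return any(needle in content for needle in SUSPICIOUS_DOTNET)


RULES = {
    "powershell_startup_folder_persistence": startup_lnk_persistence,
    "powershell_suspicious_dotnet_methods": suspicious_dotnet_methods,
}


def run_detections(events):
    """Return (event id, rule name) pairs for every rule each event trips."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# --- constructed sample events (not real telemetry) -------------------------
_BLANK = {"command_line": "", "filemod_path": "", "scriptload_content": ""}
EVENTS = [
    # Should trip rule 1: hidden PowerShell dropping a shortcut into Startup.
    {**_BLANK, "id": 1, "process_name": "powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "$env:AppData\svc\run.lnk"',
     "filemod_path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.lnk"},
    # Benign: a user creating a Startup shortcut through Explorer.
    {**_BLANK, "id": 2, "process_name": "explorer.exe",
     "filemod_path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    # Should trip rule 2: decode-then-decrypt script content in PowerShell.
    {**_BLANK, "id": 3, "process_name": "powershell.exe",
     "scriptload_content": "$b=[Convert]::FromBase64String($x);"
                           "$a=New-Object System.Security.Cryptography.AesCryptoServiceProvider"},
    # Benign PowerShell: writes to AppData but not a .lnk, no suspicious methods.
    {**_BLANK, "id": 4, "process_name": "powershell.exe",
     "command_line": r'powershell.exe -c "Set-Content $env:AppData\app\log.txt ok"',
     "filemod_path": r"C:\Users\victim\AppData\Roaming\app\log.txt",
     "scriptload_content": "Get-ChildItem $env:AppData\\app"},
]

if __name__ == "__main__":
    for hit in run_detections(EVENTS):
        print("ALERT event=%d rule=%s" % hit)
```

Both rules are written against `powershell.exe` exactly as the analytics above are; if your environment runs PowerShell 7, add `pwsh.exe` to the process check, and keep the string matches case-insensitive, since Windows paths and PowerShell identifiers are.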
Testing
You can test the efficacy of the PowerShell startup folder persistence detection opportunity by running this Atomic Red Team test. The PowerShell and Obfuscated Files or Information sections of this report include detailed guidance on testing and detecting obfuscated PowerShell commands.