Yellow Cockatoo

Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules.

#4 overall rank
4.5% customers affected
Analysis

Yellow Cockatoo is an activity cluster involving search engine poisoning to trick users into installing a .NET RAT with infostealer capabilities. First reported by Red Canary in 2020, Yellow Cockatoo has also garnered attention from other researchers, who track it under other names such as Jupyter, Solarmarker, and Polazert. Despite dropping back considerably in 2022—affecting less than 2 percent of Red Canary customers—Yellow Cockatoo returned in 2023, cracking the monthly top 10 six times and peaking at #1 in July and November. Known for shutting down and retooling after periods of high activity, Yellow Cockatoo was notably absent from our view from February 2023 through early May 2023.

While much of the public reporting continues to cover the later-stage components of Yellow Cockatoo, we often observe behavior that occurs earlier in the Yellow Cockatoo intrusion chain. This typically includes an installation mechanism that delivers code that runs persistently. This code later downloads and executes additional modules that are never written to disk, such as an infostealer and VNC module. In many of the instances of Yellow Cockatoo activity we observed, the initial payloads were remediated before any follow-on modules could be downloaded and run. However, when the payloads were allowed more time to execute, we observed them spawning and injecting into Windows Search Indexer processes (presumably to leverage additional modules).

Search engine hijinks

Yellow Cockatoo tradecraft is wide-ranging, and there are several variations to its intrusion chain. Search engine redirects enable Yellow Cockatoo operators to compromise users at scale. Initial access by Yellow Cockatoo often occurs via a search engine redirect that directs a user from a legitimate search engine to a site that downloads a malicious file bearing the victim’s search query as its name (for example: this-is-my-search-query.exe). Because potential victims are directed to a site based on a search they initiated, they may be more inclined to engage with its content. Though many adversaries craft tailored attacks and leverage familiar themes, Yellow Cockatoo is unique in its ability to dynamically “customize” its attacks based on victims’ real-time searches.

The query-based binary acts as an installer for Yellow Cockatoo’s malicious payload—typically a .NET-based DLL that is stored in an encrypted state either in a file on disk or in the Windows Registry. In order to execute this payload, Yellow Cockatoo leverages obfuscated PowerShell commands to read in the encrypted payload, decrypt it, and reflectively load it into memory. In late 2022 Yellow Cockatoo shifted from using simple XOR-based encryption to leveraging AES encryption within PowerShell commands. This method remained consistent throughout 2023.

Yellow Cockatoo’s initial access can be difficult to prevent. To harden your attack surface against the search engine redirects commonly used by Yellow Cockatoo, we recommend taking steps to prevent access to malicious domains and other malicious content on the internet. This could involve configuring your web proxy to block newly registered and low-reputation domains (e.g., .tk, .top, and *.gg) as well as blocking advertisements.

Detection opportunities

PowerShell startup folder persistence

One TTP that’s remained consistent with Yellow Cockatoo over the years is the use of the Windows Startup folder for persistence. Not unique to Yellow Cockatoo, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL:

process == powershell.exe
&&
filemod_path_includes ('start menu\programs\startup')
&&
filemod_extension == '.lnk'

PowerShell suspicious .NET methods

Throughout the year, we’ve tracked Yellow Cockatoo’s tradecraft changes and updated our detection analytics. One of the new analytics we created looks for the loading of suspicious .NET methods, primarily seen in PowerShell script load content. This behavior is not limited to Yellow Cockatoo, and the analytic can be applied broadly to catch malicious PowerShell obfuscation attempts.

process_name == powershell.exe
&&
scriptload_content_contains ('aescryptoserviceprovider' || 'frombase64string' || 'user32.dll')
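The two analytics above (the Startup-folder .lnk rule and the suspicious .NET methods rule) expressed as runnable detection logic, added here as an example; this is not Red Canary's own detection code. It assumes a simplified telemetry record with the fields process_name, filemod_path and scriptload_content (an assumption, not any vendor's schema) and runs both rules over a handful of constructed events.

```python
"""Two Yellow Cockatoo detection analytics run over constructed EDR-style telemetry."""
from dataclasses import dataclass

# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_PATH_FRAGMENT = r"start menu\programs\startup"

# .NET types/methods named in the analytic above, lowercased for case-insensitive matching.
SUSPICIOUS_DOTNET_TOKENS = ("aescryptoserviceprovider", "frombase64string", "user32.dll")


@dataclass
class Event:
    """Minimal telemetry record. Field names are an assumption, not a real product schema."""
    event_id: int
    process_name: str
    filemod_path: str = ""        # path written, if this is a file-modification event
    scriptload_content: str = ""  # script text, if this is a PowerShell script-load event


def is_powershell(event):
    return event.process_name.lower() == "powershell.exe"


def startup_lnk_persistence(event):
    """Analytic 1: powershell.exe writing a .lnk into a Startup folder."""
    if not is_powershell(event) or not event.filemod_path:
        return False
    path = event.filemod_path.lower().replace("/", "\\")
    return STARTUP_PATH_FRAGMENT in path and path.endswith(".lnk")


def suspicious_dotnet_methods(event):
    """Analytic 2: suspicious .NET tokens present in a powershell.exe script load.

    Returns the matched tokens (empty list means no alert) so an analyst can see why it fired.
    """
    if not is_powershell(event) or not event.scriptload_content:
        return []
    content = event.scriptload_content.lower()
    return [token for token in SUSPICIOUS_DOTNET_TOKENS if token in content]


def run_analytics(events):
    """Apply both analytics and return (event_id, alert_name) pairs in event order."""
    alerts = []
    for ev in events:
        if startup_lnk_persistence(ev):
            alerts.append((ev.event_id, "powershell_startup_folder_persistence"))
        tokens = suspicious_dotnet_methods(ev)
        if tokens:
            alerts.append((ev.event_id, "powershell_suspicious_dotnet_methods:" + ",".join(tokens)))
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # 1: PowerShell drops a .lnk in the user's Startup folder -> analytic 1 fires
    Event(1, "powershell.exe", filemod_path=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"),
    # 2: same path, but written by explorer.exe (user pinning an app) -> no alert
    Event(2, "explorer.exe", filemod_path=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"),
    # 3: PowerShell writes a non-.lnk file to Startup -> no alert
    Event(3, "powershell.exe", filemod_path=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"),
    # 4: script load decoding base64 and instantiating an AES provider -> analytic 2 fires on two tokens
    Event(4, "powershell.exe", scriptload_content="$k=[System.Convert]::FromBase64String($b);$a=New-Object System.Security.Cryptography.AesCryptoServiceProvider"),
    # 5: ordinary admin script -> no alert
    Event(5, "powershell.exe", scriptload_content="Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"),
    # 6: script load importing user32.dll -> analytic 2 fires on one token
    Event(6, "powershell.exe", scriptload_content="Add-Type -Namespace N -Name W -MemberDefinition '[DllImport(\"user32.dll\")] public static extern bool SetForegroundWindow(System.IntPtr h);'"),
]

if __name__ == "__main__":
    for event_id, alert in run_analytics(SAMPLE_EVENTS):
        print(f"event {event_id}: {alert}")
```

Both rules lowercase their inputs before matching because Windows paths and .NET type names appear with inconsistent casing in telemetry; the Startup rule also normalizes forward slashes so a path logged either way still matches. Returning the matched tokens from the .NET rule, rather than a bare boolean, gives the responder the evidence to triage the alert.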

Testing

Start testing your defenses against Yellow Cockatoo using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

You can test the efficacy of the PowerShell startup folder persistence detection opportunity described above by running atomic test #7 for T1547.001: Registry Run Keys / Startup Folder. The PowerShell and Obfuscated Files or Information sections of this report include detailed guidance on testing and detecting obfuscated PowerShell commands.

Run this test on a Windows system using an elevated PowerShell prompt:

# Binary the shortcut will launch; a benign target keeps the test harmless
$Target = "C:\Windows\System32\calc.exe"
# Destination in the current user's Startup folder; this .lnk write is what the analytic above keys on
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"
# Create and save the shortcut through the WScript.Shell COM object
$WScriptShell = New-Object -ComObject WScript.Shell
$Create = $WScriptShell.CreateShortcut($ShortcutLocation)
$Create.TargetPath = $Target
$Create.Save()

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
