Yellow Cockatoo is our name for a cluster of activity involving the execution of a .NET remote access trojan (RAT) that runs in memory and drops other payloads. We’ve been tracking this threat since June 2020. Yellow Cockatoo has targeted a range of victims across multiple industries and company sizes, and we continue to see it, as recently as this week.

Other than a tweet from June referencing a related PowerShell script, Yellow Cockatoo mostly evaded public notice until November 2020, when researchers from Morphisec published a detailed overview of a threat they call Jupyter Infostealer. Jupyter Infostealer overlaps significantly with the threat we call Yellow Cockatoo, and we’ll explain exactly how later in this post. Special thanks to Michael Gorelik and Arnold Osipov of Morphisec for taking the time to compare notes on our respective research.

You may be wondering why we gave this activity a different name. We dubbed the threat we’ve been tracking “Yellow Cockatoo” several months ago. Morphisec has done excellent analysis of Jupyter Infostealer, but because we define Yellow Cockatoo based on our own visibility, we want to make it clear that we track this activity slightly differently than Morphisec does. Additionally, as we see more Yellow Cockatoo activity, we may choose to define this cluster differently, and we don’t want to inherit other teams’ analyses by adopting their names. We’ve included a detailed overview of how our research overlaps with, and deviates from, Morphisec’s research at the end of this article.

Security teams have a number of distinct detection opportunities to catch Yellow Cockatoo. While we haven’t developed any bespoke detection analytics designed specifically to detect Yellow Cockatoo, we have a handful of detectors that have done a good job of alerting our detection engineering team to potentially related behaviors, including those that turned us on to Yellow Cockatoo in the first place. What follows is a rough chronology of what is likely to occur during an infection, organized by ATT&CK tactics and detection opportunities, along with descriptions of the behavioral analytics that help us uncover Yellow Cockatoo activity. Whether or not you think you’re dealing with a Yellow Cockatoo infection, the following detection ideas should provide decent coverage against a variety of other threats as well.

Initial access

Yellow Cockatoo appears to gain initial access by redirecting search engine queries to a website that attempts to push a malicious executable onto victim machines. The executable feigns legitimacy by using the Microsoft Word icon. Its name depends on the victim’s search query: for example, if the victim searched for “search-query”, the executable would be named search-query.exe.

Execution

Following installation, the executable spawns a command line and creates a similarly named. All of this is effectively precursor activity that leads to the execution of a malicious dynamic link library (DLL): a remote access trojan (RAT) implemented as a .NET assembly designed to be loaded in memory. Below are the redacted contents of the PowerShell script for your convenience:
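The chain described above (a search-query-named executable in a user download location spawning a command line, a similarly named file appearing alongside it, and a PowerShell stage that loads a .NET assembly in memory) lends itself to a simple behavioral analytic. The following is an added example written for this edit, not the authors’ own detector or the redacted script: it runs over constructed Sysmon-style process- and file-creation events. The event field names, the “user-writable path” heuristic, the list of shells, the `.ps1` extension of the similarly named file and the PowerShell command-line fragments treated as in-memory .NET loading hints are all assumptions.

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# Shells the dropper may spawn (assumption: the post only says "a command line").
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# User-writable locations a browser download would land in (heuristic, assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.I)
# Command-line fragments typical of loading a .NET assembly from memory in
# PowerShell (assumption; the actual script is redacted in the original post).
INMEM_HINTS = re.compile(r"Reflection\.Assembly\]::Load|FromBase64String|-EncodedCommand", re.I)


@dataclass
class Event:
    kind: str          # "process" (creation) or "file" (creation)
    pid: int           # process that was created, or that wrote the file
    ppid: int = 0      # parent pid (process events)
    image: str = ""    # full image path (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # created file path (file events)


def _name(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _stem(path: str) -> str:
    return os.path.splitext(_name(path))[0]


def _descendants(by_parent, pid):
    """Transitive children of pid, so a file written by cmd -> powershell still counts."""
    seen, stack = set(), [pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            if child.pid not in seen:
                seen.add(child.pid)
                stack.append(child.pid)
    return seen


def find_search_query_droppers(events):
    """Flag an .exe in a user-writable path that (1) has a shell in its process
    tree and (2) has a file created, by it or a descendant, whose name stem
    matches the .exe's own stem (search-query.exe -> search-query.*)."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    by_parent = defaultdict(list)
    for p in procs.values():
        by_parent[p.ppid].append(p)

    findings = []
    for root in procs.values():
        root_name = _name(root.image)
        if not root_name.endswith(".exe") or root_name in SHELLS:
            continue
        if not USER_WRITABLE.search(root.image):
            continue
        tree = _descendants(by_parent, root.pid)
        shells = sorted((procs[p] for p in tree if _name(procs[p].image) in SHELLS),
                        key=lambda p: p.pid)
        if not shells:
            continue
        writers = tree | {root.pid}
        dropped = sorted({
            e.target for e in events
            if e.kind == "file" and e.pid in writers
            and _stem(e.target) == _stem(root.image) and _name(e.target) != root_name
        })
        if not dropped:
            continue
        findings.append({
            "executable": root.image,
            "shells": [_name(s.image) for s in shells],
            "similarly_named_files": dropped,
            "in_memory_dotnet_hint": any(INMEM_HINTS.search(s.cmdline) for s in shells),
        })
    return findings


# Constructed sample telemetry (not real logs): one Yellow-Cockatoo-like tree
# and two benign trees that must not fire.
SAMPLE_EVENTS = [
    Event("process", 100, 1, r"C:\Windows\explorer.exe"),
    # search-query.exe: named after the victim's search, run from Downloads
    Event("process", 101, 100, r"C:\Users\alice\Downloads\search-query.exe", "search-query.exe"),
    Event("process", 102, 101, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start powershell"),
    Event("process", 103, 102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -ep bypass -c "[Reflection.Assembly]::Load($bytes)"'),
    # the "similarly named" artifact; the .ps1 extension is an assumption
    Event("file", 101, target=r"C:\Users\alice\AppData\Local\Temp\search-query.ps1"),
    # benign: an installer that uses cmd.exe but drops nothing named after itself
    Event("process", 200, 100, r"C:\Users\alice\Downloads\setup.exe", "setup.exe"),
    Event("process", 201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo done"),
    # benign: the user opening PowerShell from Explorer
    Event("process", 300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe"),
]

if __name__ == "__main__":
    for finding in find_search_query_droppers(SAMPLE_EVENTS):
        print(finding)
```

The stem match is the load-bearing condition: plenty of legitimate installers in Downloads spawn cmd.exe, so requiring a file whose name mirrors the dropper keeps the analytic from paging on every setup.exe, while the in-memory hint is reported as context rather than required, since the real script is redacted and its exact loader syntax is not known from the post.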