The Rise, Evolution, and Tactics of Yellow Cockatoo: A Deep Dive
In the ever-evolving landscape of cyber threats, Yellow Cockatoo has emerged as a significant player. First identified by Red Canary in 2020, this activity cluster has been on the radar of several cybersecurity researchers. Some even refer to it by other monikers, such as Jupyter and Solarmarker.
A Brief History
Yellow Cockatoo made a grand entrance in 2020, affecting approximately 5% of environments monitored by Red Canary. It even secured the 7th position in the 2021 prevalence rankings. However, its activity saw a decline in 2022, impacting less than 2% of Red Canary’s clientele. Interestingly, this decline occurred even though the cluster was active for just around 8 months that year. It made its presence felt in the monthly top 10 thrice, with a peak at the #2 spot in March. The group is known for its pattern of going dormant after high activity periods, as observed from November 2021 to late February 2022 and again from late July to early November 2022.
The Intrusion Chain
While many reports, including an in-depth analysis by Morphisec, focus on Yellow Cockatoo’s infostealer component, I’ve noticed behaviors that precede this in the intrusion chain. This often starts with an installation mechanism that ensures the code runs persistently. This persistent code, in turn, fetches and runs additional modules without writing them to the disk. In several instances, the payloads were a stripped-down version of the original components highlighted by Morphisec.
Search Engine Manipulation
One of the standout features of Yellow Cockatoo’s modus operandi is its use of search engine redirects. This tactic allows the operators to compromise users on a large scale. Victims are often redirected from legitimate search engines to malicious sites that download files named after the victim’s search query. This dynamic “customization” based on real-time searches sets Yellow Cockatoo apart from other adversaries.
The malicious file typically acts as an installer for a .NET-based DLL, stored encrypted either on the disk or in the Windows Registry. To run this payload, obfuscated PowerShell commands are employed. While earlier versions used simple XOR functions and Base64 encoding, recent iterations from November 2022 have incorporated AES encryption.
Protective Measures
Guarding against Yellow Cockatoo’s initial access is challenging. I advise strengthening defenses against search engine redirects by blocking access to malicious domains and other harmful online content. This can be achieved by configuring web proxies to block newly registered and low-reputation domains, as well as advertisements.
Detection Opportunities
Yellow Cockatoo consistently uses the Windows Startup folder for persistence. This tactic, though not exclusive to them, can be a detection point for multiple threats. Additionally, monitoring for suspicious .NET methods, especially in PowerShell script load content, can provide early warning signs.
In conclusion, staying vigilant and updated about the tactics and techniques of adversaries like Yellow Cockatoo is crucial in today’s digital age. As they evolve, so must our defenses
Here are the detection scripts for Yellow Cockatoo’s malicious activities:
PowerShell Startup Folder Persistence Detection:
process == powershell.exe
&&
command_includes ('appdata')
&&
filemod_path_includes ('start menu\programs\startup')
&&
filemod_extension == '.lnk'
PowerShell Suspicious .NET Methods Detection:
process_name == powershell.exe
&&
scriptload_content_contains ('aescryptoserviceprovider' || 'frombase64string' || 'user32.dll')
Thank you for taking the time to dive into the world of Yellow Cockatoo with us. We hope this deep exploration has shed light on the intriguing evolution, tactics, and impact of this cyber threat. Your dedication to staying informed in the ever-changing landscape of cybersecurity is commendable.
If you found this blog insightful and informative, we kindly ask you to share it with your friends and colleagues who might also benefit from understanding the tactics used by Yellow Cockatoo. Together, we can create a safer digital environment by spreading awareness about evolving threats.
Feel free to share this article through social media, emails, or any other platform you prefer. Your support in raising awareness is invaluable.
Thank you once again for being a part of our mission to stay vigilant and informed in the digital age.