
KoiLoader Leverages PowerShell to Deliver Malicious Payloads


The eSentire Threat Response Unit (TRU) uncovered a new variant of the KoiLoader malware loader, which employs PowerShell to execute malicious payloads.

The attack begins with a phishing email containing a zip file named “chase_statement_march.zip.”

Upon extraction, a shortcut file (.lnk) executes concealed commands to download and run KoiLoader, leveraging a known Windows bug (ZDI-CAN-25373) to obscure malicious command-line arguments.

Once activated, KoiLoader downloads two JScript files and schedules their execution using the legitimate Windows tool “schtasks.exe.”

This approach ensures persistence while evading detection by making the parent process appear as “svchost.exe” instead of the more suspicious “explorer.exe.”

[Figure: Infection chain]

Advanced Evasion Techniques and Payload Delivery

KoiLoader demonstrates advanced anti-analysis techniques, including checks for virtual environments and specific usernames or computer names associated with security researchers.

According to the report, it also checks for certain language identifiers (e.g., Russian or Ukrainian) so that it does not run on systems in specific regions.

The malware uses PowerShell scripts to disable security mechanisms such as the Anti-Malware Scan Interface (AMSI) and downloads additional payloads, including KoiStealer, a C#-based information stealer.

The payload is executed via shellcode injection, bypassing User Account Control (UAC) through an ICMLuaUtil COM interface exploit.

KoiLoader’s persistence mechanism involves creating scheduled tasks linked to machine-specific GUIDs, ensuring its reactivation even after system reboots.

Additionally, it employs mutex generation based on the C:\ drive’s serial number to prevent multiple instances from running simultaneously.

[Figure: XOR decrypt routine]

Command and Control Operations

For communication with its command-and-control (C2) server, KoiLoader uses HTTP POST requests containing encrypted data such as system GUIDs, OS details, and user information.

Commands received from the C2 include executing scripts via Command Prompt or PowerShell, performing process injections, and downloading additional malicious components.

The malware also incorporates a dynamic API resolution technique using hashing algorithms to obfuscate its functionality further.

This capability allows it to evade static detection methods effectively.

To counteract threats like KoiLoader, organizations should:

  • Disable scripting engines such as wscript.exe via AppLocker or Windows Defender Application Control (WDAC).
  • Implement comprehensive endpoint detection solutions capable of behavior-based analysis.
  • Conduct regular phishing awareness training to mitigate social engineering risks.
  • Enable detailed script logging to identify suspicious PowerShell activity proactively.
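The following is an added detection example, not code from the eSentire report: it runs simple behaviour rules over constructed process-creation and PowerShell script-block records that mirror the chain described above (schtasks.exe registering a JScript task, wscript.exe launched under svchost.exe by the Task Scheduler, and script blocks referencing AMSI tampering). The event field names and sample values are assumptions, not a real log schema, and the svchost.exe-parent rule needs tuning in environments that legitimately schedule scripts.

```python
import re

# Constructed sample events (simplified Sysmon-style process creation records
# and PowerShell script-block text); field names are an assumption, not a real schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /tn "{CONSTRUCTED-GUID}" /tr "wscript.exe C:\Users\Public\a.js" /sc onlogon'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",        # Task Scheduler service launch
     "cmdline": r"wscript.exe C:\Users\Public\a.js"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",                 # user-launched admin script, benign
     "cmdline": r"wscript.exe C:\Tools\login-banner.vbs"},
    {"type": "scriptblock", "text": "$t = 'System.Management.Automation.AmsiUtils'  # constructed indicator"},
    {"type": "scriptblock", "text": "Get-ChildItem C:\\Logs | Sort-Object Length"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Tokens commonly seen in AMSI-tampering script blocks; extend from your own telemetry.
AMSI_KEYWORDS = ("amsiutils", "amsiscanbuffer", "amsiinitfailed")
# schtasks /create whose /tr action is a script host running a .js/.jse file.
JS_TASK_ACTION = re.compile(r'/tr\s+"?\s*[cw]script\.exe[^"]*\.jse?\b', re.I)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule_name, evidence) tuples for events matching KoiLoader-style behaviour."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
            # Rule 1: scheduled task created whose action runs JScript through a script host
            if image == "schtasks.exe" and re.search(r"/create", cmd, re.I) and JS_TASK_ACTION.search(cmd):
                hits.append(("jscript_task_created", cmd))
            # Rule 2: script host whose parent is svchost.exe, i.e. started by the Task Scheduler
            elif image in SCRIPT_HOSTS and parent == "svchost.exe":
                hits.append(("script_host_from_task_scheduler", cmd))
        elif ev["type"] == "scriptblock":
            # Rule 3: script-block logging (Event 4104) text referencing AMSI internals
            if any(k in ev["text"].lower() for k in AMSI_KEYWORDS):
                hits.append(("amsi_tamper_indicator", ev["text"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```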

KoiLoader’s sophisticated delivery mechanisms and evasion capabilities highlight the growing complexity of modern malware threats, emphasizing the need for robust cybersecurity measures across all endpoints.
