KoiLoader Exploits PowerShell Scripts to Drop Malicious Payloads

Cybersecurity experts at eSentire’s Threat Response Unit (TRU) uncovered a sophisticated malware campaign leveraging KoiLoader, a malicious loader designed to deploy information-stealing payloads.

This campaign utilized PowerShell scripts and obfuscation techniques to bypass security measures and infect systems.

The investigation revealed a multi-stage infection chain, highlighting the evolving tactics of cybercriminals.

Infection Chain and Delivery Mechanism

The attack begins with phishing emails containing links to zip files named “chase_statement_march.zip.”

[Figure: Infection chain]

Inside these zip files, victims encounter shortcut files (.lnk), which exploit a known Windows bug (ZDI-CAN-25373) to conceal malicious command-line arguments.

Upon execution, the shortcut file downloads two JScript files g1siy9wuiiyxnk.js and i7z1x5npc.js to the victim’s system.

These scripts orchestrate the malware’s persistence and payload delivery using scheduled tasks created through the LOLBin “schtasks.exe.”

The JScript files serve distinct purposes: g1siy9wuiiyxnk.js deletes the initial scheduled task and executes i7z1x5npc.js, while the latter retrieves PowerShell scripts from remote URLs.

[Figure: Contents of nephralgiaMsy.ps1]

According to the report, these scripts disable security features such as the Anti-Malware Scan Interface (AMSI) and download KoiLoader’s payload.

The malware ultimately executes shellcode via the CreateThread API, initiating its malicious operations.

KoiLoader’s Multi-Stage Execution

KoiLoader operates in two primary stages.

The first stage unpacks encrypted payloads stored within its PE file, resolving the Windows APIs it needs for this (such as FindResourceW and LoadResource) through a hashing algorithm rather than by importing them by name.

These payloads are decrypted using XOR routines and executed in memory.

The second stage focuses on evasion and payload delivery.

It checks for virtual machine environments, security researcher tools, and sandbox attributes to avoid detection.

Additionally, it ensures the malware runs exclusively on non-Russian systems by verifying language settings.

Once evasion checks are passed, KoiLoader establishes persistence through scheduled tasks and creates mutexes based on the victim machine’s volume serial number to prevent duplicate instances.

It then downloads and executes KoiStealer, an advanced information-stealing malware written in C#.

KoiStealer extracts sensitive data such as machine GUIDs, usernames, OS versions, and domain information before communicating with Command-and-Control (C2) servers.

KoiLoader employs HTTP POST requests for C2 communication.

The initial request includes the victim machine’s GUID, campaign-specific build ID, and an X25519 public key for encrypted data exchange.

Subsequent requests retrieve commands encoded as single characters, enabling actions such as script execution via PowerShell or Command Prompt, process injection into explorer.exe or certutil.exe, and dynamic DLL loading.

To counter threats like KoiLoader, eSentire recommends disabling wscript.exe via AppLocker or Windows Defender Application Control (WDAC).

Organizations should implement behavior-based detection mechanisms alongside robust phishing awareness training programs to mitigate social engineering risks.
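As an added illustration of the behavior-based detection recommended here (example code written for this page, not from eSentire or the report), the following Python flags the process relationships described in the infection chain above: a script host running a .js file from a user-writable path, and schtasks.exe or powershell.exe spawned by that script host. The events, paths and task name are constructed; only the two .js file names come from the article.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon event 1 style fields), added
# for this example. The .js names are from the article; paths are invented.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\g1siy9wuiiyxnk.js"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /Delete /TN "Updater" /F'},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\i7z1x5npc.js"},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -c <download cradle omitted>"},
    # Benign noise: an administrator querying tasks from an interactive shell.
    {"pid": 6, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 7, "ppid": 6, "image": r"C:\Windows\System32\schtasks.exe", "cmd": "schtasks.exe /Query"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
JS_ARG = re.compile(r"\.js\b")  # matches foo.js but not foo.json


def _name(event):
    """Lower-cased image file name, e.g. 'wscript.exe'."""
    return ntpath.basename(event["image"]).lower()


def detect(events):
    """Return (rule, pid) pairs for the KoiLoader-style chain: a script host
    running a .js from a user-writable path, and schtasks.exe or
    powershell.exe whose parent process is a script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name, cmd = _name(e), e["cmd"].lower()
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent) if parent else ""
        if name in SCRIPT_HOSTS and JS_ARG.search(cmd) and any(p in cmd for p in USER_WRITABLE):
            hits.append(("js_from_user_writable_path", e["pid"]))
        if name == "schtasks.exe" and parent_name in SCRIPT_HOSTS:
            hits.append(("schtasks_spawned_by_script_host", e["pid"]))
        if name == "powershell.exe" and parent_name in SCRIPT_HOSTS:
            hits.append(("powershell_spawned_by_script_host", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} -> {SAMPLE_EVENTS[pid - 1]['cmd']}")
```

The benign cmd.exe -> schtasks.exe pair is deliberately left unflagged: the signal is the parent being a script host, not schtasks.exe itself.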

Deploying Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR) solutions is critical for detecting and containing advanced threats.

This discovery underscores the importance of proactive threat hunting and advanced cybersecurity measures in combating modern malware campaigns.
