PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads
Summary:
A complex multi-stage malware campaign utilizing a newly documented memory-only dropper has been observed by Mandiant in recent investigations and published on August 22, 2024. This dropper serves as a conduit for launching subsequent-stage malware. The unnamed dropper is designed to decrypt and execute a new PowerShell-based downloader, tracked as PEAKLIGHT. The ultimate goal of this attack chain is to infect Windows systems with information stealers and loaders such as Lumma Stealer, Hijack Loader, and CryptBot via a drive-by download technique. The initial access technique for this attack involves the distribution of malicious Windows shortcut (LNK) files hidden within ZIP archives that are disguised as pirated movies. These LNK files connect to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. This dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to deliver the stealer malware. Various techniques, including the use of asterisks (*) as wildcards and embedded hex-encoded or Base64-encoded PowerShell payloads that must be unpacked, have been observed to obfuscate the dropper and facilitate its stealthy execution. The activity observed in this incident showed that some variants continued to download legitimate movie trailers upon the execution of PEAKLIGHT along with the next-stage malware. This potentially assists in continuing the ruse and maintaining persistence in the compromised system.
Security Officer Comments:
The discovery of this new memory-only dropper highlights the ongoing evolution of malware distribution techniques. The attackers' use of sophisticated obfuscation methods and the leveraging of legitimate tools like mshta.exe underscores their determination to evade detection. The targeting of users searching for pirated movies is a common tactic employed by cybercriminals to deliver malware. This incident serves as a reminder of the risks associated with downloading content from untrusted sources such as digital piracy sites. LNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing malware because these files can be disguised as legitimate documents or programs, making them a very effective method for hiding in plain sight. Organizations should implement comprehensive security measures, including network segmentation, application whitelisting, and employee awareness training, to mitigate the initial access vector utilized by similar attacks. Furthermore, staying informed about the latest threat intelligence and adopting a proactive approach to security is essential in preventing and responding to new campaigns conducted by adversaries.
Suggested Corrections:
YARA Rules and Indicators of Compromise for this campaign are published here.
https://thehackernews.com/2024/08/new-peaklight-dropper-deployed-in.html
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/
A complex multi-stage malware campaign utilizing a newly documented memory-only dropper has been observed by Mandiant in recent investigations and published on August 22, 2024. This dropper serves as a conduit for launching subsequent-stage malware. The unnamed dropper is designed to decrypt and execute a new PowerShell-based downloader, tracked as PEAKLIGHT. The ultimate goal of this attack chain is to infect Windows systems with information stealers and loaders such as Lumma Stealer, Hijack Loader, and CryptBot via a drive-by download technique. The initial access technique for this attack involves the distribution of malicious Windows shortcut (LNK) files hidden within ZIP archives that are disguised as pirated movies. These LNK files connect to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. This dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to deliver the stealer malware. Various techniques, including the use of asterisks (*) as wildcards and embedded hex-encoded or Base64-encoded PowerShell payloads that must be unpacked, have been observed to obfuscate the dropper and facilitate its stealthy execution. The activity observed in this incident showed that some variants continued to download legitimate movie trailers upon the execution of PEAKLIGHT along with the next-stage malware. This potentially assists in continuing the ruse and maintaining persistence in the compromised system.
Security Officer Comments:
The discovery of this new memory-only dropper highlights the ongoing evolution of malware distribution techniques. The attackers' use of sophisticated obfuscation methods and the leveraging of legitimate tools like mshta.exe underscores their determination to evade detection. The targeting of users searching for pirated movies is a common tactic employed by cybercriminals to deliver malware. This incident serves as a reminder of the risks associated with downloading content from untrusted sources such as digital piracy sites. LNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing malware because these files can be disguised as legitimate documents or programs, making them a very effective method for hiding in plain sight. Organizations should implement comprehensive security measures, including network segmentation, application whitelisting, and employee awareness training, to mitigate the initial access vector utilized by similar attacks. Furthermore, staying informed about the latest threat intelligence and adopting a proactive approach to security is essential in preventing and responding to new campaigns conducted by adversaries.
Suggested Corrections:
YARA Rules and Indicators of Compromise for this campaign are published here.
- Do not open emails or download software from untrusted sources like digital piracy sites
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion)
- Emphasize the importance of Security Employee Awareness Training in your organization
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam, and anti-spyware software
- Report phishing emails to the appropriate security or I.T. staff immediately
https://thehackernews.com/2024/08/new-peaklight-dropper-deployed-in.html
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/