New PEAKLIGHT Dropper Deployed in Attacks Targeting Windows with Malicious Movie Downloads

Avatar
Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders. “This memory-only dropper decrypts and executes a PowerShell-based downloader,” Google-owned Mandiant said. “This PowerShell-based downloader is being tracked as PEAKLIGHT.” Some of

Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders.

“This memory-only dropper decrypts and executes a PowerShell-based downloader,” Google-owned Mandiant said. “This PowerShell-based downloader is being tracked as PEAKLIGHT.”

Some of the malware strains distributed using this technique are Lumma Stealer, Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are advertised under the malware-as-a-service (SaaS) model.

The starting point of the attack chain is a Windows shortcut (LNK) file that’s downloaded via drive-by download techniques — e.g., when users look up a movie on search engines. It’s worth pointing out that the LNK files are distributed within ZIP archives that are disguised as pirated movies.

The LNK file connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. The dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to fetch additional payloads.

Mandiant said it identified different variations of the LNK files, some of which leverage asterisks (*) as wildcards to launch the legitimate mshta.exe binary to discreetly run malicious code (i.e., the dropper) retrieved from a remote server.

In a similar vein, the droppers have been found to embed both hex-encoded and Base64-encoded PowerShell payloads that are eventually unpacked to execute PEAKLIGHT, which is designed to deliver next-stage malware on a compromised system while simultaneously downloading a legitimate movie trailer, likely as a ruse.

“PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths,” Mandiant researchers Aaron Lee and Praveeth D’Souza said.

“If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk.”

The disclosure comes as Malwarebytes detailed a malvertising campaign that employs fraudulent Google Search ads for Slack, an enterprise communications platform, to direct users to phony websites hosting malicious installers that culminate in the deployment of a remote access trojan named SectopRAT.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Webinar: Experience the Power of a Must-Have All-in-One Cybersecurity Platform

Next Post

Suspect in $14 billion cryptocurrency pyramid scheme extradited to China

Related Posts

French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory. The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear,
Avatar
Read More

‘Stargazer Goblin’ Creates 3,000 Fake GitHub Accounts for Malware Spread

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to
Avatar
Read More