Uncovering a New Dropper: PEAKLIGHT Malware Threat Intelligence – Aug 23, 2024 by Ravie Lakshmanan

In a recent discovery, cybersecurity researchers have identified a new dropper that acts as a pathway to launch advanced malware aimed at infecting Windows systems with information stealers and loaders. The dropper, known as PEAKLIGHT, decrypts and executes a PowerShell-based downloader, facilitating the delivery of malware strains like Lumma Stealer, Hijack Loader, and CryptBot under the malware-as-a-service model.

The attack chain commences with the distribution of Windows shortcut (LNK) files disguised within ZIP archives posing as pirated movies. When users unknowingly download these files through drive-by download methods, a memory-only JavaScript dropper hosted on a content delivery network (CDN) is triggered. This dropper executes the PEAKLIGHT PowerShell downloader script, which then connects to a command-and-control (C2) server to retrieve additional payloads.

The researchers at Mandiant have observed various iterations of the LNK files leveraging wildcards and encoding techniques to discreetly run malicious code retrieved from remote servers. The droppers embed PowerShell payloads encoded in hex or Base64 formats, aiming to deploy PEAKLIGHT for delivering next-stage malware while simultaneously downloading a legitimate movie trailer to mask the malicious activity.

According to Mandiant researchers Aaron Lee and Praveeth D’Souza, PEAKLIGHT operates as an obfuscated PowerShell-based downloader that forms part of a multi-stage execution chain. The researchers caution users to remain vigilant against such threats, especially as Malwarebytes recently disclosed a malvertising campaign utilizing fake Google Search ads for Slack to distribute a remote access trojan named SectopRAT.

This revelation underscores the evolving landscape of cyber threats and the need for enhanced vigilance and security measures to combat such sophisticated attacks. Stay tuned for more updates on cybersecurity developments.