Summary: This page reproduces M_Downloader_PEAKLIGHT_1, a YARA rule published by Mandiant for detecting PEAKLIGHT, an obfuscated PowerShell-based downloader that checks for the presence of hard-coded filenames and downloads them from a remote CDN when they are missing. The rule targets Windows and matches on fragments of the downloader's own PowerShell code, so it is written to be run against small script files rather than network traffic.
Rule author: Mandiant (the rule itself does not attribute PEAKLIGHT to a named threat actor)
Target platform: Windows
Key Points:
- PEAKLIGHT is an obfuscated PowerShell-based downloader that checks for hard-coded filenames and fetches them from a remote CDN if they are not already present.
- The rule keys on code the downloader needs to do its job: a helper that writes bytes to disk with [IO.File]::WriteAllBytes, a WebClient .DownloadData( call, forcing TLS 1.2 through [Net.ServicePointManager]::SecurityProtocol, an .EndsWith(".zip") check, unpacking with Expand-Archive or [IO.Compression.ZipFile]::OpenRead, and the arrays of numeric literals (@(nnn,nnn,nnn,...)) that the obfuscated script builds strings from.
- The condition is "4 of them and filesize < 10KB": any four of the eight strings in a file smaller than 10 KB (10240 bytes) produce a match, which keeps the rule on the small dropper script rather than on large archives or process dumps. Every string except $str8 carries the ascii wide modifier, so scripts saved as UTF-16LE are matched as well.
rule M_Downloader_PEAKLIGHT_1 {
    meta:
        mandiant_rule_id = "e0abae27-0816-446f-9475-1987ccbb1bc0"
        author = "Mandiant"
        category = "Malware"
        description = "This rule is designed to detect on events related to peaklight. PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present."
        family = "Peaklight"
        platform = "Windows"
    strings:
        // Helper that writes a byte array to disk: function <name>($a, $b){[IO.File]::WriteAllBytes($a, $b)}
        $str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide
        // Unpacking the fetched archive: Expand-Archive -Path $var -DestinationPath ...
        $str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\s{1,16}-DestinationPath/ ascii wide
        // An array of 3 to 12 numeric literals handed to a helper: (name @(nnn,nnn,nnn,...
        $str3 = /\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}/ ascii wide
        // WebClient download and forced TLS 1.2
        $str4 = ".DownloadData(" ascii wide
        $str5 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12" ascii wide
        // .EndsWith(".zip") either in clear or with the extension built from a 4-element numeric array
        $str6 = /\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)))\)/ ascii wide
        // Zip handling through .NET; note $str8 has no wide modifier
        $str7 = "Add-Type -Assembly System.IO.Compression.FileSystem" ascii wide
        $str8 = "[IO.Compression.ZipFile]::OpenRead"
    condition:
        4 of them and filesize < 10KB
}
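To see what the rule actually requires of a file, here is an added Python example (not part of the original page and not Mandiant's tooling) that re-implements the eight indicators with the re module, emulates the ascii wide modifier and the filesize gate, and evaluates the "4 of them" condition over a constructed, inert PowerShell sample. The sample script, the helper name cvt and all variable names in it are invented for the example; in production you would compile the rule with yara-python instead of transcribing it.

```python
import re

# Added example: the eight PEAKLIGHT indicators from the YARA rule above,
# transcribed into Python regexes. Tuples are (name, pattern, wide); wide=True
# mirrors the rule's "ascii wide" modifier, wide=False is $str8, which the
# rule declares without it.
INDICATORS = [
    ("str1", re.compile(rb"function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)"
                        rb"\{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}"), True),
    ("str2", re.compile(rb"Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\s{1,16}-DestinationPath"), True),
    ("str3", re.compile(rb"\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}"), True),
    ("str4", re.compile(re.escape(b".DownloadData(")), True),
    ("str5", re.compile(re.escape(b"[Net.ServicePointManager]::SecurityProtocol = "
                                  b"[Net.SecurityProtocolType]::TLS12")), True),
    ("str6", re.compile(rb"""\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)))\)"""), True),
    ("str7", re.compile(re.escape(b"Add-Type -Assembly System.IO.Compression.FileSystem")), True),
    ("str8", re.compile(re.escape(b"[IO.Compression.ZipFile]::OpenRead")), False),
]

MAX_SIZE = 10 * 1024  # YARA's "filesize < 10KB" (KB is 1024 bytes)
REQUIRED = 4          # "4 of them"

# Constructed, inert sample exhibiting every indicator. "cvt" is a hypothetical
# helper that would turn the numeric array into a string; nothing here is run.
SAMPLE_SCRIPT = b"""
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12
Add-Type -Assembly System.IO.Compression.FileSystem
function fxq($pth, $byt){[IO.File]::WriteAllBytes($pth, $byt)}
$tgt = (cvt @(099,104,117,110,107,046,122,105,112))
$wc = New-Object Net.WebClient
if (-not (Test-Path $tgt)) { fxq $tgt $wc.DownloadData($src) }
if ($tgt.EndsWith('.zip')) { Expand-Archive -Path $tgt -DestinationPath $dst }
$zip = [IO.Compression.ZipFile]::OpenRead($tgt)
"""

# Constructed benign script: two of the eight strings, below the threshold.
BENIGN_SCRIPT = b"""
Add-Type -Assembly System.IO.Compression.FileSystem
Expand-Archive -Path $archive -DestinationPath $out
"""


def matched_indicators(data: bytes) -> set:
    """Return the names of the indicators present in data.

    YARA's wide modifier matches the UTF-16LE encoding of the string. It is
    emulated by also scanning the two byte-deinterleaved views of the buffer,
    which is what an ASCII-only UTF-16LE script collapses to (both offsets are
    tried so a leading BOM does not shift the alignment).
    """
    wide_views = (data[0::2], data[1::2])
    hits = set()
    for name, pattern, wide in INDICATORS:
        if pattern.search(data) or (wide and any(pattern.search(v) for v in wide_views)):
            hits.add(name)
    return hits


def peaklight_matches(data: bytes) -> bool:
    """The rule's condition: 4 of them and filesize < 10KB."""
    return len(data) < MAX_SIZE and len(matched_indicators(data)) >= REQUIRED


if __name__ == "__main__":
    cases = [
        ("sample", SAMPLE_SCRIPT),
        ("sample utf-16le", SAMPLE_SCRIPT.decode("ascii").encode("utf-16-le")),
        ("benign", BENIGN_SCRIPT),
        ("padded sample", SAMPLE_SCRIPT + b"#" * MAX_SIZE),
    ]
    for label, blob in cases:
        print(f"{label:16} {sorted(matched_indicators(blob))} -> {peaklight_matches(blob)}")
```

The UTF-16LE case is the one worth noticing: the seven wide strings still hit, but $str8 drops out because the rule declares it without wide, and the padded case shows the filesize gate switching the verdict off even though every string is present. For real scanning, yara-python exposes the same condition directly: `yara.compile(filepath="peaklight.yar").match(data=blob)`.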