Threat Research

PEAKLIGHT: Illuminating the Shadows

Traclabs
PEAKLIGHT: Illuminating the Shadows

PEAKLIGHT is a sophisticated PowerShell-based downloader identified by Mandiant that delivers malware-as-a-service infostealers through obfuscated scripts and various payloads. The initial infection vector involves Microsoft Shortcut Files (LNK) that execute PowerShell scripts to download malicious binaries. The campaign utilizes techniques like obfuscation and memory-only execution to evade detection. Affected Platform: Windows

Keypoints :

  • PEAKLIGHT is an obfuscated PowerShell downloader delivering malware-as-a-service infostealers.
  • The initial infection vector is a Microsoft Shortcut File (LNK) linking to a CDN hosting a JavaScript dropper.
  • Payloads include LummaC2, HijackLoader, and CryptBot, with the downloader also tracked as Emmenhtal loader.
  • PowerShell scripts are used to execute malicious binaries downloaded from specific URLs.
  • Obfuscation techniques are employed to hide the malicious payloads and evade detection.
  • TRAC Labs monitors the PEAKLIGHT campaign to identify new tactics, techniques, and procedures (TTPs).

MITRE Techniques :

  • T1071.001 ā€“ Application Layer Protocol: PowerShell is used to download and execute malicious payloads.
  • T1203 ā€“ Exploitation for Client Execution: Initial infection occurs through Microsoft Shortcut Files (LNK).
  • T1059.001 ā€“ PowerShell: The downloader uses PowerShell scripts to execute commands and download files.
  • T1064 ā€“ Scripting: The campaign employs obfuscated scripts to execute malicious actions.
  • T1486 ā€“ Data Encrypted for Impact: Payloads are designed to obfuscate their true purpose and evade detection.

Indicator of Compromise :

  • [url] hxxp://download.wsconnect[.]org/Downloads/Instruction_1928_W9COI.pdf.lnk
  • [url] hxxp://download.wsconnect[.]org/Downloads/Agreement%20for%20YouTube%20cooperation.pdf.lnk
  • [url] hxxps://docu-sign[.]info/api/uz/0912545164/update.bin
  • [url] hxxps://docu-sign[.]info/api/uz/0912545164/config.bin
  • Check the article for all found IoCs.

Full Research: https://medium.com/trac-labs/peaklight-illuminating-the-shadows-02a1bb44885c?source=rss-6a3005ed0ee2ā€”ā€”2