August 23, 2024 at 12:18PM
Cybersecurity researchers revealed a new dropper facilitating the distribution of information stealers and loaders on Windows systems. The dropper decrypts and executes a PowerShell-based downloader, known as PEAKLIGHT, which then fetches additional malware payloads. The attack chain begins with the distribution of Windows shortcut (LNK) files within ZIP archives disguised as pirated movies through drive-by download techniques.
The researchers describe a sophisticated malware distribution technique built around a memory-only dropper and a PowerShell-based downloader called PEAKLIGHT. This downloader is part of a multi-stage execution chain designed to deliver next-stage malware while simultaneously downloading a legitimate movie trailer, likely as a distraction.
The attack starts with a Windows shortcut file downloaded via drive-by download techniques, disguised as pirated movies within ZIP archives. Once executed, the LNK file connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper, which then runs the PEAKLIGHT PowerShell downloader script.
PEAKLIGHT reaches out to a command-and-control (C2) server to fetch additional payloads and is capable of handling both hex-encoded and Base64-encoded PowerShell payloads. Malware strains distributed using this technique include Lumma Stealer, Hijack Loader, and CryptBot, all of which are offered under the malware-as-a-service (MaaS) model.
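The chain above has two handoffs a defender can check for: a Windows shortcut dressed up as a pirated video inside a ZIP archive, and a PowerShell stage carrying a hex- or Base64-encoded payload. The following Python is an added example, not code from the report or from the PEAKLIGHT samples; the archive contents and the process-creation lines it scans are constructed placeholders, and the `parent|command line` log format is an assumption chosen for the demonstration.

```python
"""Added defensive example (not from the original write-up): flag a shortcut-in-a-ZIP
lure and decode a hex- or Base64-encoded PowerShell stage. All samples are constructed."""
import base64
import io
import re
import zipfile
from typing import Optional

# A Windows shell link starts with a 4-byte HeaderSize field equal to 0x4C.
LNK_MAGIC = b"\x4c\x00\x00\x00"
# Tokens typical of pirated-video file names; the member name is the lure.
VIDEO_LURE_HINTS = re.compile(r"(1080p|720p|bluray|web-?rip|x26[45]|hdrip|dvdrip)", re.I)


def build_sample_zip() -> bytes:
    """Constructed archive: a .lnk named like a movie plus two harmless members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Some.Movie.2024.1080p.BluRay.x264.lnk", LNK_MAGIC + b"\x00" * 72)
        zf.writestr("Some.Movie.2024.1080p.BluRay.x264.mp4.txt", b"placeholder")
        zf.writestr("README.txt", b"enjoy")
    return buf.getvalue()


def find_lnk_lures(zip_bytes: bytes) -> list:
    """Return members that are shell links (by extension or header) named like videos."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(4)  # header check catches a renamed .lnk too
            is_lnk = info.filename.lower().endswith(".lnk") or head == LNK_MAGIC
            if is_lnk and VIDEO_LURE_HINTS.search(info.filename):
                flagged.append(info.filename)
    return flagged


# -EncodedCommand carries Base64 of UTF-16LE script text; a bare run of hex
# digit pairs is the other encoding the write-up says PEAKLIGHT handles.
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})", re.I)
HEX_BLOB = re.compile(r"\b((?:[0-9A-Fa-f]{2}){20,})\b")


def decode_powershell_blob(cmdline: str):
    """Classify an embedded payload as 'base64' or 'hex' and return its decoded text."""
    m = ENC_CMD.search(cmdline)
    if m:
        raw = base64.b64decode(m.group(1))
        try:
            return "base64", raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return "base64", raw.decode("latin-1")
    m = HEX_BLOB.search(cmdline)
    if m:
        return "hex", bytes.fromhex(m.group(1)).decode("latin-1")
    return None, ""


def build_sample_events() -> list:
    """Constructed process-creation lines in the form 'parent|command line'.
    The embedded script is a harmless placeholder; only its encoding matters."""
    script = "Write-Output 'constructed placeholder stage'"
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    hx = script.encode().hex()
    return [
        "explorer.exe|notepad.exe C:\\Users\\u\\notes.txt",
        f"wscript.exe|powershell.exe -nop -w hidden -enc {b64}",
        f"wscript.exe|powershell.exe -nop -c $p='{hx}'",
    ]


def scan_events(events: list) -> list:
    """Report PowerShell launches that carry a decodable hex or Base64 payload."""
    findings = []
    for line in events:
        parent, _, cmd = line.partition("|")
        if "powershell" not in cmd.lower():
            continue
        kind, decoded = decode_powershell_blob(cmd)
        if kind:
            findings.append({"parent": parent, "encoding": kind, "script": decoded})
    return findings


if __name__ == "__main__":
    print("lures:", find_lnk_lures(build_sample_zip()))
    for f in scan_events(build_sample_events()):
        print(f"{f['parent']} -> {f['encoding']}: {f['script']}")
```

Decoding the blob before alerting lets a triage analyst see what the stage would actually run rather than just that something was encoded; the parent process is kept in the finding because a script host spawning PowerShell is the relationship worth pivoting on.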
The report also describes a separate malvertising campaign that uses fraudulent Google Search ads for Slack to direct users to websites hosting malicious installers, ultimately deploying a remote access trojan named SectopRAT.