PEAKLIGHT: New Memory-Only Malware Employs PowerShell Infiltration
Mandiant has identified a new type of malware that operates solely within system memory and employs a sophisticated infection chain. The PEAKLIGHT loader decodes and deploys infostealers based on PowerShell.
The infection chain begins when victims download ZIP archives containing pirated movies. These archives include LNK files disguised as videos. Upon opening the LNK file, a hidden JavaScript dropper is activated, which executes a PowerShell script. The dropper operates entirely in system memory, allowing it to evade detection by traditional security methods.
The PowerShell script downloads the next-stage malware from a remote server and executes it on the victim’s computer. The malicious JavaScript is encoded using decimal ASCII codes, which are then decoded into the malicious code (PEAKLIGHT). This code creates an ActiveX object, which is used to obtain system privileges and execute commands.
Once the PEAKLIGHT script is decoded and activated, the PowerShell loader checks for predefined files in system directories and downloads any missing files from a remote server. Depending on the execution variant, PEAKLIGHT stores the downloaded files in AppData or ProgramData.
The final stage of the infection involves downloading and executing archives containing various types of malware, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The malicious archives (L1.zip and K1.zip) contain executable files and DLLs designed to steal data and install additional malicious components.
To disguise its activities, the loader plays video clips so that the victim does not suspect a threat. The video is played through standard Windows tools, such as Windows Media Player, creating the impression that the user has merely opened a video file.
To distribute the files, the attackers utilize legitimate CDNs, enabling them to bypass security measures that do not suspect malicious activity from trusted sources. Experts advise closely monitoring networks and regularly updating security tools. If infection is suspected, it is recommended to seek assistance from professionals.
