Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the final word aim of infecting Home windows techniques with info stealers and loaders.
“This memory-only dropper decrypts and executes a PowerShell-based downloader,” Google-owned Mandiant stated. “This PowerShell-based downloader is being tracked as PEAKLIGHT.”
A few of the malware strains distributed utilizing this system are Lumma Stealer, Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of that are marketed below the malware-as-a-service (SaaS) mannequin.
The place to begin of the assault chain is a Home windows shortcut (LNK) file that is downloaded by way of drive-by obtain methods — e.g., when customers search for a film on serps. It is price declaring that the LNK information are distributed inside ZIP archives which might be disguised as pirated films.
The LNK file connects to a content material supply community (CDN) internet hosting an obfuscated memory-only JavaScript dropper. The dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to fetch extra payloads.
Mandiant stated it recognized totally different variations of the LNK information, a few of which leverage asterisks (*) as wildcards to launch the official mshta.exe binary to discreetly run malicious code (i.e., the dropper) retrieved from a distant server.
In an analogous vein, the droppers have been discovered to embed each hex-encoded and Base64-encoded PowerShell payloads which might be ultimately unpacked to execute PEAKLIGHT, which is designed to ship next-stage malware on a compromised system whereas concurrently downloading a official film trailer, seemingly as a ruse.
“PEAKLIGHT is an obfuscated PowerShell-based downloader that’s a part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths,” Mandiant researchers Aaron Lee and Praveeth D’Souza stated.
“If the archives don’t exist, the downloader will attain out to a CDN website and obtain the remotely hosted archive file and put it aside to disk.”
This isn’t the primary time customers trying to find pirated films have been focused by malware. Earlier this June, Kroll detailed a fancy an infection chain that led to the deployment of Hijack Loader after making an attempt to obtain a video file from a film obtain website.
The disclosure comes as Malwarebytes detailed a malvertising marketing campaign that employs fraudulent Google Search adverts for Slack, an enterprise communications platform, to direct customers to phony web sites internet hosting malicious installers that culminate within the deployment of a distant entry trojan named SectopRAT.
