
Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware, with the ultimate goal of infecting Windows systems with information stealers and loaders.
“This memory-only dropper decrypts and executes a PowerShell-based downloader,” Google-owned Mandiant said. “This PowerShell-based downloader is being tracked as PEAKLIGHT.”
Some of the malware strains distributed using this technique are Lumma Stealer, Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are advertised under the malware-as-a-service (MaaS) model.

The starting point of the attack chain is a Windows shortcut (LNK) file that is downloaded via drive-by download techniques, for example when users look up a movie on a search engine. It is worth noting that the LNK files are distributed inside ZIP archives that are disguised as pirated movies.
The LNK file connects to a content delivery network (CDN) hosting an obfuscated, memory-only JavaScript dropper. The dropper subsequently executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to fetch additional payloads.

Mandiant said it identified different variations of the LNK files, some of which use asterisks (*) as wildcards to launch the legitimate mshta.exe binary and covertly run malicious code (i.e., the dropper) retrieved from a remote server.
In a similar vein, the droppers have been found to embed both hex-encoded and Base64-encoded PowerShell payloads that are eventually unpacked to execute PEAKLIGHT, which is designed to deliver next-stage malware on a compromised system while simultaneously downloading a legitimate movie trailer, likely as a ruse.
“PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths,” Mandiant researchers Aaron Lee and Praveeth D’Souza said.

“If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk.”
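Two of the behaviours described above are cheap to check in endpoint process-creation telemetry: mshta.exe started through a wildcard-containing path, and PowerShell command lines that carry Base64- or hex-encoded payloads. The following is an added triage example written for this article, not Mandiant's code; the event format, field names and sample command lines are constructed assumptions, and the encoded blobs decode to harmless test strings.

```python
"""Triage constructed process-creation events for the two PEAKLIGHT-style
behaviours: wildcard mshta.exe launches and encoded PowerShell payloads.
Event fields (parent, image, cmd) are an assumed, generic EDR-like layout."""
import base64
import binascii
import re

# Base64-encoded PowerShell is UTF-16LE; hex payloads here are assumed UTF-8.
B64_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HEX_BLOB = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){20,})(?![0-9A-Fa-f])")

# Constructed sample events (not real telemetry from the report)
EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"C:\Windows\Sys*\msh*.exe https://cdn.example.invalid/x.hta"},
    {"parent": "mshta.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc "
            + base64.b64encode("Write-Output test".encode("utf-16-le")).decode()},
    {"parent": "mshta.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -c \"$p='" + "Write-Output hello world".encode().hex() + "'\""},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c Get-Date"},
]


def decode_payloads(cmd):
    """Return decoded Base64 (UTF-16LE) and hex (UTF-8) blobs found in a command line."""
    found = []
    for m in B64_ARG.finditer(cmd):
        try:
            found.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            pass
    for m in HEX_BLOB.finditer(cmd):
        try:
            found.append(bytes.fromhex(m.group(1)).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass
    return found


def triage(event):
    """Return a list of human-readable reasons the event deserves analyst attention."""
    reasons, image = [], event["image"].lower()
    if image.endswith("mshta.exe") and "*" in event["cmd"]:
        reasons.append("mshta launched via wildcard path")
    if image.endswith("powershell.exe"):
        reasons += ["encoded PowerShell payload: " + p[:60] for p in decode_payloads(event["cmd"])]
    return reasons


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", triage(ev) or "no findings")
```

Decoded payloads are returned for analyst review only; in production the decoded text would be fed to further string or YARA checks rather than trusted as-is.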
The disclosure comes as Malwarebytes detailed a malvertising campaign that employs fraudulent Google Search ads for Slack, an enterprise communications platform, to direct users to fake websites hosting malicious installers that culminate in the deployment of a remote access trojan named SectopRAT.