A novel dropper has been identified that acts as a conduit for deploying next-stage malware, ultimately aiming to infect Windows systems with information stealers and loaders.
“This memory-resident dropper decrypts and runs a PowerShell-based downloader,” stated Google-owned Mandiant. This PowerShell-based downloader is being tracked as PEAKLIGHT.
This method is used to distribute various malware strains, including Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all offered through a malware-as-a-service (MaaS) model.
The attack chain begins with a Windows shortcut (LNK) file, which is obtained through drive-by download methods, such as when users search for movies on search engines. These LNK files are often contained in ZIP archives that are falsely presented as pirated movies.
Once executed, the LNK file connects to a content delivery network (CDN) that hosts an obfuscated, in-memory JavaScript dropper. This dropper then triggers the execution of the PEAKLIGHT PowerShell downloader script on the system, which contacts a command-and-control (C2) server to download additional payloads. If the required archives are unavailable, the downloader will attempt to retrieve the archive file from a CDN site and store it on the local disk.
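The chain described above starts with an LNK file hidden inside a ZIP archive that is dressed up as a pirated movie. A defender can catch that first stage before anything runs by inspecting archive contents rather than trusting file names. The following is an added example, not code from the original article or from Mandiant: it opens a ZIP, flags any entry that is a Windows shortcut either by its `.lnk` extension or by the shortcut file header (the 0x4C header size followed by the Shell Link CLSID), and marks entries whose name imitates a video file (a double extension such as `.mp4.lnk`). The sample archive, the entry names and the list of media extensions are constructed here for illustration and are assumptions, not indicators from the article.

```python
import io
import zipfile

# Windows shortcut (.lnk) file header: HeaderSize 0x0000004C followed by the
# Shell Link CLSID {00021401-0000-0000-C000-000000000046} in its on-disk
# little-endian GUID layout. Used to spot shortcuts regardless of their name.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Assumption: extensions a movie lure is likely to imitate.
MEDIA_EXTS = {"mp4", "mkv", "avi", "mov", "wmv"}


def _looks_like_media_name(name: str) -> bool:
    """True for names like 'Movie.2024.mp4.lnk', where a media-looking
    extension sits directly in front of the real one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-2] in MEDIA_EXTS


def scan_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per entry that is a shortcut by extension or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first 20 bytes are needed to compare against the header.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if not (by_ext or by_magic):
                continue
            findings.append({
                "name": info.filename,
                "lnk_extension": by_ext,
                "lnk_magic": by_magic,
                "media_lure": _looks_like_media_name(info.filename),
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real lure): a media-named shortcut,
    a shortcut hiding behind a harmless-looking extension, and a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Some.Movie.2024.1080p.mp4.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("subtitles.srt", LNK_MAGIC + b"\x00" * 60)  # header says LNK
        zf.writestr("readme.txt", b"enjoy the movie\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Checking the header as well as the extension matters because the name is entirely under the attacker's control; the second constructed entry above is reported only because of its bytes. In a mail gateway or download scanner, a shortcut inside an archive that advertises itself as a film is a strong enough signal to quarantine the archive before the user ever clicks it.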