Decoding the Stealthy Memory-Only Malware
Aug. 23, 2024, 9:31 a.m.
Description
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloader script, PEAKLIGHT, responsible for retrieving additional payloads from a content delivery network. The report examines different variations of PEAKLIGHT and the malware it delivers, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The analysis highlights the obfuscation techniques employed by the threat actors, such as system binary proxy execution and CDN abuse.
Tags
Date
- Created: Aug. 23, 2024, 9:11 a.m.
- Published: Aug. 23, 2024, 9:11 a.m.
- Modified: Aug. 23, 2024, 9:31 a.m.
Indicators
- bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5
- 9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6
- 6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
- 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- 62.133.61.56
- https://forikabrof.click/flkhfaiouwrqkhfasdrhfsa.png
- https://brewdogebar.com/code.vue
- http://gceight8vt.top/upload.php
- http://62.133.61.56/Downloads/Full%20Video%20HD%20
- http://62.133.61.56/Downloads/Full
- http://62.133.61.56/Downloads
- tropicalironexpressiw.shop
- gceight8vt.top
- forikabrof.click
- brewdogebar.com
- understanndtytonyguw.shop
- relaxtionflouwerwi.shop
- patternapplauderw.shop
- messtimetabledkolvk.shop
- horsedwollfedrwos.shop
- detailbaconroollyws.shop
- deprivedrinkyfaiir.shop
- considerrycurrentyws.shop
Attack Patterns
- SHADOWLADDER
- LUMMAC.V2
- CRYPTBOT
- T1218.005