Recent cybersecurity research has uncovered an attack chain utilizing a memory-only malware downloader, known as PEAKLIGHT. This PowerShell-based downloader uses a multi-stage infection process, with a range of obfuscation techniques to evade detection and deliver infostealers such as CRYPTBOT, SHADOWLADDER, and LUMMAC.V2. The details of the PEAKLIGHT malware include the tactics employed by attackers, and the defense strategies necessary to counter the threat.
Understanding the PEAKLIGHT Malware Infection Chain
PEAKLIGHT was first detected in early 2024 by Mandiant, who noted that the malware was distributed via drive-by downloads, often masquerading as pirated movie files. Attackers package the infection vector in a ZIP archive, containing a malicious Windows Shortcut (LNK) file. When users attempt to access these pirated files, they unknowingly execute the LNK file, which initiates a connection to a Content Delivery Network (CDN) hosting an obfuscated JavaScript dropper. This is the beginning of a multi-stage infection chain.
Stage 1: Malicious LNK Files and Drive-By Downloads
The first stage of the PEAKLIGHT infection process involves the distribution of malicious ZIP files disguised as pirated movie content. These ZIP files contain LNK files, named to suggest they are media files, which exploit user trust. Once executed, these LNK files connect to a remote server, downloading an obfuscated JavaScript dropper that begins the process of infecting the victim’s system.
The use of LNK files for malware distribution is not a new tactic. Attackers use these files to disguise malicious code, and they have proven effective in past campaigns. In PEAKLIGHT’s case, the LNK files employed varied command-line parameters to evade detection. In some instances, the malware used the legitimate forfiles.exe utility to trigger PowerShell commands designed to download and execute malicious payloads.
Stage 2: PowerShell Downloader Deployment
The JavaScript dropper downloaded during the first stage of the attack delivers the PEAKLIGHT PowerShell-based downloader, which begins its main function: fetching and executing malware from a remote CDN.The downloader may retrieve different types of malware at this stage, depending on the campaign and the target system. Among the most commonly observed payloads are infostealers like CRYPTBOT and SHADOWLADDER.
One of the aspects of PEAKLIGHT is its use of memory-only execution techniques. The PowerShell scripts and downloaded payloads are never written to disk, making traditional detection methods like file-based antivirus tools ineffective. This in-memory execution allows PEAKLIGHT to remain under the radar of many endpoint detection and response (EDR) solutions.
Stage 3: CDN Abuse and Evasion Techniques
Another feature of PEAKLIGHT is its ability to abuse reputable CDN services to host and deliver malicious payloads. CDNs are used to improve the speed and efficiency of legitimate web services, and they are often trusted by security filters. By exploiting the trust placed in these networks, attackers can bypass web filtering solutions that might otherwise block malicious domains. This tactic has become increasingly common in cyberattacks, as it allows adversaries to distribute malware with reduced risk of detection.
In combination with CDN abuse, PEAKLIGHT utilizes multiple evasion techniques, including base64 and hex encoding of payloads, dynamic payload delivery, and the use of system binary proxy execution methods (such as leveraging mshta.exe) to launch malicious code indirectly. These techniques make PEAKLIGHT an adaptable malware, capable of evolving to bypass security measures.
Preventing PEAKLIGHT and Similar Threats
PEAKLIGHT presents challenges for organizations attempting to defend against it. Cybersecurity solutions that focus on in-memory protection and runtime defenses have proven effective in countering this type of malware. Morphisec, a leading cybersecurity firm specializing in runtime protection, has demonstrated the effectiveness of its Advanced Moving Target Defense (AMTD) technology in stopping PEAKLIGHT. AMTD creates a dynamic attack surface, making it difficult for malware to exploit vulnerabilities. Unlike traditional security solutions that rely on signature-based detection, AMTD operates at runtime, detecting and preventing attacks without prior knowledge of the specific threat. This approach allowed Morphisec to block PEAKLIGHT infections before they could execute, even in cases where traditional NGAV/EDR solutions failed to detect the malware. By continuously changing the memory layout and execution paths of applications, AMTD creates an unpredictable environment for attackers. This prevents malware from reliably executing its payloads, thereby stopping attacks in their tracks. Organizations that implement AMTD as part of a defense-in-depth strategy are better positioned to defend against PEAKLIGHT and other advanced threats.
PEAKLIGHT is a good example of the increasing sophistication of cyber threats targeting organizations today. With its multi-stage infection process, use of memory-only execution, and exploitation of CDN networks, PEAKLIGHT is designed to evade traditional security defenses. Technologies like Morphisec’s AMTD have proven effective in stopping such attacks by introducing unpredictability into the execution environment. As attackers continue to develop new techniques to evade detection, it is important for organizations to adopt dynamic, prevention-focused security solutions. The PEAKLIGHT campaign shows the importance of runtime protection and defense-in-depth strategies to protect against cyber threats. Cybersecurity teams must stay aware, regularly assess their security, and implement modern solutions capable of defending against these attacks.
Photo credits: Sashkin, AdobeStock
