New Cyber Threat Uncovered: Sophisticated Malware Dropper Targeting Windows Systems
Cybersecurity experts have recently identified a previously unknown dropper that acts as a gateway for deploying advanced malware with the ultimate aim of compromising Windows systems. This discovery marks a significant development in the ongoing fight against cyber threats, particularly those focusing on data exfiltration and system manipulation.
According to research conducted by Mandiant, a subsidiary of Google, this new threat is characterized as a memory-only dropper that decrypts and initiates a PowerShell-based downloader, referred to as PEAKLIGHT. This method of operation indicates a focus on stealthiness, as memory-only threats can evade traditional file-based detection techniques.
The malware strains delivered through this mechanism include notable names such as Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot. These threats are part of a malware-as-a-service (SaaS) model, underlining their accessibility to less sophisticated cybercriminals across the globe.
The attack begins with the distribution of a malicious Windows shortcut (LNK) file, often delivered through drive-by download tactics when users search for pirated movies online. Alarmingly, these LNK files are typically contained within ZIP archives masquerading as pirated media, preying on unsuspecting users. The LNK file connects to a content delivery network (CDN), from where it retrieves a malicious JavaScript dropper designed to remain hidden in memory. This dropper subsequently loads the PEAKLIGHT downloader, which communicates with a command-and-control (C2) server to download further malicious payloads.
Mandiant’s analysis revealed various versions of the LNK files, with some employing asterisks as wildcards to discreetly execute the legitimate mshta.exe binary. This allows the dropper to run malicious code sourced from a remote server, enhancing its stealth capabilities. Additionally, some droppers utilize hex-encoded and Base64-encoded PowerShell scripts that are unpacked upon execution, promoting further malware delivery while often disguising the activity by downloading benign content, such as a legitimate movie trailer.
Aaron Lee and Praveeth D’Souza from Mandiant noted that PEAKLIGHT not only serves as a downloader for additional malware but also conducts checks for specific ZIP archives on the file system. Should these archives not be found, PEAKLIGHT will reach out to download a remote archive file, effectively ensuring persistence on the compromised system.
This incident underscores a broader trend in which cybercriminals exploit the search for pirated content as a vector for deploying malware. Previously in June, a similar case was reported by Kroll, which detailed an infection chain resulting in the distribution of Hijack Loader after users attempted to download video files from dubious websites.
The potential implications for U.S.-based businesses are significant. The attack methodology aligns with several techniques outlined in the MITRE ATT&CK framework, particularly under the tactics of initial access through compromised media and persistence strategies utilizing memory and fileless attacks. Techniques such as PowerShell execution and the use of trusted processes for execution are likely components of this sophisticated threat landscape.
As cybercriminals continue to adapt their strategies, it is imperative for businesses to remain vigilant, ensuring robust cybersecurity measures are in place to counter these evolving threats. The continued targeting of unsuspecting users seeking pirated content highlights the need for education and awareness in the workforce about the risks associated with such activities.
Source Link : https://thehackernews.com/2024/08/new-peaklight-dropper-deployed-in.html
