One Article Review

Source: Mandiant
Identifier: 8562014
Publication date: 2024-08-22 14:00:00 (viewed: 2024-08-22 15:18:10)
Title: PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
Text:

Written by: Aaron Lee, Praveeth DSouza

TL;DR

Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.

Overview

Mandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service infostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2 (LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a Microsoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the host. Mandiant named this final downloader PEAKLIGHT.

Figure 1: Infection chain

Infection Chain

Stage 1: Movie Lures; A Blast from the Past

In recent investigations, Mandiant identified victims downloading malicious ZIP files disguised as pirated movies. These archives contained a malicious Microsoft Shortcut File (LNK) following the filename schema seen in Figure 2:

* Video_mp4_1080p_x264.zip -> The Movie (HD).lnk
* Video_mp4_[1080p].zip -> Full Movie 1080p HD.lnk
* @!Movie_HD_1080p_mp4_@!.zip -> Full Movie HD (1080p).lnk
* mp4_Full_Video_HD_1080p@!.zip -> Full Video (HD) mp4.lnk

Figure 2: Initial infection

During an associated investigation within a client environment, Mandiant identified anomalous outbound network activity to the IP address 62.133.61[.]56. The XML page seen in Figure 3 was subsequently discovered at the URL hxxp://62.133.61[.]56/Downloads.
Tags: Malware, Threat, Cloud