TL;DR
Mandiant identified a new memory-only dropper that uses a complex, multi-stage infection process. The dropper decrypts and executes a PowerShell-based downloader, which Mandiant tracks as PEAKLIGHT.
Overview
Mandiant Managed Defense identified a memory-only dropper and downloader delivering malware-as-a-service infostealers. During our investigation, Mandiant observed the malware download payloads such as LUMMAC.V2 (LUMMAC2), SHADOWLADDER, and CRYPTBOT. Mandiant identified the initial infection vector as a Microsoft Shortcut File (LNK) that connects to a content delivery network (CDN) hosting an obfuscated memory-only JavaScript dropper. Analysis of the payload revealed that it executes a PowerShell downloader script on the host. Mandiant named this final downloader PEAKLIGHT.
Figure 1: Infection chain
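The chain described above (LNK, then a memory-only JavaScript dropper fetched from a CDN, then a PowerShell downloader) leaves a recognisable process lineage on the host even when no dropper file touches disk. The following is an added detection example, not code from Mandiant or from this article: it walks constructed process-creation records (fields loosely modelled on Sysmon Event ID 1) and flags a PowerShell process whose parent is a Windows script host and whose command line carries launch switches typical of script-driven downloaders. The choice of script-host images, the suspicious-token list and every sample command line are assumptions for illustration; the article does not name them.

```python
"""Toy lineage-based detection for a PEAKLIGHT-style chain.

Assumptions (not stated in the article): the in-memory JavaScript dropper
runs under a Windows script host (wscript.exe / cscript.exe / mshta.exe),
and the PowerShell downloader is launched with hidden-window, policy-bypass
or encoded-command switches. All events below are constructed samples.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed hosts
SHELLS = {"powershell.exe", "pwsh.exe"}
# Lower-cased substrings that, under a script-host parent, warrant a look.
SUSPICIOUS_TOKENS = ("-enc", "-e ", "-nop", "hidden", "bypass",
                     "iex", "downloadstring", "invoke-webrequest")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename
    cmdline: str


# Constructed sample telemetry. Note that a double-clicked LNK shows up with
# explorer.exe as parent; the LNK itself is not visible in the process tree.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",    "wscript.exe //B //E:jscript <constructed>"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"),
    ProcEvent(400, 100, "cmd.exe",        "cmd.exe /c dir"),
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(600, 100, "wscript.exe",    "wscript.exe C:\\tools\\logon.vbs"),
    ProcEvent(700, 600, "powershell.exe", "powershell.exe -Command Get-Date"),
]


def lineage(event, by_pid):
    """Return 'ancestor -> ... -> event' image names, guarding against pid reuse loops."""
    names, cur, seen = [], event, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return " -> ".join(reversed(names))


def find_script_host_powershell(events):
    """Flag PowerShell spawned by a script host with suspicious launch switches."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image.lower() not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        hits = [t for t in SUSPICIOUS_TOKENS if t in e.cmdline.lower()]
        if not hits:                      # benign script-host -> PowerShell use
            continue
        findings.append({"pid": e.pid,
                         "chain": lineage(e, by_pid),
                         "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_script_host_powershell(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']}  indicators={f['indicators']}")
```

Only pid 300 is reported; the scheduled-looking PowerShell under cmd.exe and the plain `Get-Date` call under wscript.exe are left alone, which is the point of requiring both the lineage and the switches. Because the LNK stage is invisible in process parentage, pair this rule with file-creation or LNK-open telemetry when correlating back to the initial vector.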
[…]