A recent warning from GoogleMandiant’s cybersecurity company highlights a new strain of malware called Peaklight, which specifically targets individuals involved in downloading pirated movies. This malware poses serious risks, not only from potential legal issues but also from exposure to malware that could seriously harm Windows computers.
What is Peaklight malware?
According to Mandiant’s blog post (through Times of India), Peaklight operates stealthily in the computer’s memory, making detection difficult as it leaves no trace on the hard drive. The researchers describe it as a memory-only dropper that executes a PowerShell-based downloader, called PEAKLIGHT. This downloader has the ability to fetch additional malware onto a compromised system, further increasing the threat to users.
Also read: Smart Reply Powered by Google Gemini Coming to Gmail- All the Details
Mandiant explains that Peaklight uses a secret PowerShell script to inject additional malware onto infected devices. This approach allows cybercriminals to deliver a variety of harmful programs, including Lumma Stealer, Hijack Loader, and CryptBot. These programs are available as rental services, allowing attackers to steal sensitive data or take control of affected systems.
How Cybercriminals Deploy Peaklight
Cybercriminals have developed tactics to distribute Peaklight through fraudulent movie downloads. They hide dangerous Windows shortcut (LNK) files in ZIP folders masquerading as famous movies. When users open these files, a series of harmful actions occur:
Also read: Apple October Event 2024: M4 Macs, New iPads Expected; iPhone SE 4, Watch SE 3 will launch in 2025
1. Connect to hidden source: LNK files establish a link to a content delivery network (CDN), where it retrieves harmful JavaScript code. This code executes directly in the computer’s memory, bypassing detection on the hard drive.
2. Enable Downloader: The JavaScript activates a PowerShell script called Peaklight, creating a chain reaction that facilitates the spread of malware.
3. Download additional threats: Acting as a downloader, Peaklight fetches additional malware from remote servers, including programs such as Lumma Stealer, Hijack Loader, and CryptBot, which can compromise user data or gives the attacker control of the system.
Also read: WhatsApp users will soon get filters in the app’s built-in camera, here’s what we know
The report highlights that Peaklight’s operation in the computer’s memory (RAM) enhances its stealth capabilities. Traditional antivirus solutions often focus on scanning hard drives, making detecting this type of threat difficult.
Mandiant researchers Aaron Lee and Praveeth D’Souza said, “PEAKLIGHT is an obfuscated PowerShell-based downloader that forms part of a multi-stage execution chain that checks for the presence of ZIP archives in hardcoded file paths. If these repositories are not available, the downloader will contact the CDN site to download the remotely hosted archive file and save it to disk.”
Users should exercise caution when downloading content from unauthorized sources to avoid falling victim to malware such as Peaklight.
