Pirated movies could expose you to 'Peaklight' malware, warns Google
Google's cybersecurity division, Mandiant, has issued a warning about a new malware strain called Peaklight. This malicious software specifically targets individuals who download pirated movies, posing significant risks to their computers. The unique feature of Peaklight is its ability to operate undetected within a computer's memory (RAM), leaving no traces on the hard drive and making it difficult for traditional antivirus solutions to detect.
Peaklight's stealthy operation and threat escalation
Peaklight is described as a memory-only dropper that triggers a PowerShell-based downloader, also named PEAKLIGHT. This downloader can introduce additional harmful software onto the compromised system, further escalating the threat to users. Mandiant explains that Peaklight uses a covert PowerShell script to inject more malware onto infected devices, allowing cybercriminals to deliver various harmful programs.
Cybercriminals use deceptive movie downloads to spread Peaklight
Cybercriminals are using deceptive movie downloads to distribute Peaklight. They hide dangerous Windows shortcut files (LNKs) within ZIP folders disguised as popular films. When a user opens these files, a series of harmful actions begins, starting with the LNK file establishing a connection to a content delivery network (CDN) from which it retrieves malicious JavaScript code. This code executes directly in the computer's RAM, bypassing detection on the hard drive.
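The delivery vector above, a ZIP archive posing as a film that actually contains a Windows shortcut, is something a mail or download gateway can screen for before anything runs. The following is an added example, not code from Mandiant or the article: it inspects a ZIP held in memory and flags entries that carry a .lnk extension or begin with the ShellLink file header, and additionally notes when the name uses a media extension in front of .lnk. The sample archive it builds is constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types a genuine "movie" archive would plausibly contain.
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mov", ".srt"}
SHORTCUT_EXTENSIONS = {".lnk"}
# Every Windows .lnk starts with HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK); these are its first 8 bytes.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a shortcut file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            with zf.open(info) as fh:
                head = fh.read(8)           # only the header is needed for the magic check
            is_lnk_ext = bool(suffixes) and suffixes[-1] in SHORTCUT_EXTENSIONS
            is_lnk_magic = head == LNK_MAGIC
            if not (is_lnk_ext or is_lnk_magic):
                continue
            reasons = []
            if is_lnk_ext:
                reasons.append("shortcut extension")
            if is_lnk_magic:
                reasons.append("ShellLink header")
            # "Film.mp4.lnk": a media extension placed before .lnk to fool the eye.
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTENSIONS:
                reasons.append("media name masquerade")
            findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless subtitle file plus a shortcut named like a film."""
    fake_lnk = LNK_MAGIC + b"\x00" * 68     # pad to the 0x4C-byte header length
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Blockbuster.2024.1080p.srt", "1\n00:00:01,000 --> 00:00:02,000\nHi\n")
        zf.writestr("Blockbuster.2024.1080p.mp4.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(f"SUSPICIOUS: {finding['entry']} ({', '.join(finding['reasons'])})")
```

Windows hides the .lnk extension in Explorer by default, so the masquerade check matters most for archives a user will browse rather than a gateway will parse.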
Activation and threat escalation
The JavaScript code retrieved by the LNK file triggers Peaklight, initiating a chain reaction that facilitates the malware's spread. Acting as a downloader, Peaklight fetches further malware from a remote server. These include programs such as Hijack Loader, Lumma Stealer, and CryptBot, which can compromise user information or grant attackers control over the system. The report underscores that Peaklight's operation within the computer's RAM enhances its stealthiness.
Mandiant researchers explain Peaklight's execution process
Mandiant researchers Aaron Lee and Praveeth D'Souza explained, "PEAKLIGHT is an obfuscated PowerShell-based downloader that forms part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths." They further added, "If these archives are absent, the downloader contacts a CDN site to download the remotely hosted archive file and saves it to the disk." This explanation provides insight into how Peaklight operates and spreads.