A recent warning from Google‘s cybersecurity firm Mandiant highlights a new malware strain named Peaklight, specifically aimed at individuals who engage in pirated movie downloads. This malware presents serious risks, not only from potential legal issues but also from exposure to harmful software that can severely compromise Windows computers.
What is Peaklight Malware?
According to Mandiant’s blog post (via Times of India), Peaklight operates stealthily within a computer’s memory, making detection challenging as it leaves no trace on the hard drive. Researchers describe it as a memory-only dropper that executes a PowerShell-based downloader, referred to as PEAKLIGHT. This downloader is capable of fetching additional malicious software onto the compromised system, heightening the threat posed to users.
Also read: Google Gemini-powered Smart Replies coming to Gmail- All details
Mandiant explains that Peaklight employs a covert PowerShell script to introduce more malware onto infected devices. This approach allows cybercriminals to deliver various harmful programs, including Lumma Stealer, Hijack Loader, and CryptBot. These programs are available as services for rent, enabling attackers to steal sensitive data or seize control of affected systems.
How Cybercriminals Deploy Peaklight
Cybercriminals have developed tactics to distribute Peaklight through deceptive movie downloads. They conceal dangerous Windows shortcut files (LNKs) within ZIP folders masquerading as popular films. When a user opens these files, a series of harmful actions unfolds:
Also read: Apple October event 2024: New M4 Macs, iPads expected; iPhone SE 4, Watch SE 3 to arrive in 2025
1. Connection to a Hidden Source: The LNK file establishes a link to a content delivery network (CDN), where it retrieves harmful JavaScript code. This code executes directly in the computer’s memory, bypassing detection on the hard drive.
2. Activation of the Downloader: The JavaScript triggers a PowerShell script named Peaklight, setting off a chain reaction that facilitates the malware’s spread.
3. Downloading Additional Threats: Acting as a downloader, Peaklight fetches further malware from a remote server, including programs like Lumma Stealer, Hijack Loader, and CryptBot, which can compromise user data or grant attackers control over the system.
Also read: WhatsApp users to soon get filters in app’s built-in camera, here’s what we know
The report emphasises that Peaklight’s operation within the computer’s memory (RAM) enhances its stealth. Traditional antivirus solutions often focus on hard drive scans, making it difficult to detect this type of threat.
Mandiant researchers Aaron Lee and Praveeth D’Souza state, “PEAKLIGHT is an obfuscated PowerShell-based downloader that forms part of a multi-stage execution chain that checks for the presence of ZIP archives in hard-coded file paths. If these archives are absent, the downloader contacts a CDN site to download the remotely hosted archive file and saves it to the disk.”
Users are advised to exercise caution when downloading content from unauthorised sources to avoid falling victim to malware like Peaklight.