Peaklight malware has emerged as a significant threat, designed to steal sensitive information from compromised endpoints.
This information stealer is distributed through underground channels and is sometimes offered as Malware-as-a-Service (MaaS), so it is updated continuously and is capable of evading conventional security controls.
Peaklight's primary goal is to exfiltrate sensitive data, including login credentials, browser history, financial data and cryptocurrency wallet keys, while maintaining persistent access to the victim's device and avoiding common security checks.
Detection and Response Strategies
To combat Peaklight malware, organizations can leverage tools like Wazuh, a free, open-source security platform, to monitor and safeguard their infrastructure.
Wazuh ingests Sysmon event logs from its Windows agent, which record system activity such as process creation, network connections, file creation and registry changes in detail.

This telemetry allows specific detection rules to be written that identify Peaklight's malicious behavior.
For instance, Wazuh can detect when PowerShell is launched with its execution policy set to Bypass or Unrestricted, a common tactic Peaklight uses to run unsigned scripts and sidestep security controls.
According to the report, Wazuh also integrates with YARA, a tool for identifying and classifying malware, to detect and remove malicious files proactively.
By configuring Wazuh's File Integrity Monitoring (FIM) module to track file additions and modifications in specific directories, such as download and temporary folders, organizations can trigger a YARA scan of each new file through an active response and identify malicious files based on predefined rules.
This proactive approach neutralizes threats early by removing matching files before they execute on monitored endpoints.
Technical Details of Peaklight Malware
Peaklight executes through a PowerShell script launched with the execution policy bypassed, so no script-signing or policy checks apply, and with profile loading disabled, so nothing in the user's PowerShell profile can log or alter its run.
It queries system memory using the GlobalMemoryStatusEx API; unusually small amounts of physical memory are a sign of a sandbox, so this check may serve to detect analysis environments.
The malware allocates memory blocks for code execution and inspects network adapter addresses using the GetAdaptersAddresses API, a check commonly used to fingerprint virtual machines by the vendor prefix of their MAC addresses.
These checks are anti-analysis mechanisms: by refusing to run where the environment looks like a sandbox or virtual machine, Peaklight avoids automated analysis, which makes it harder for traditional security systems to observe, identify and mitigate its activity.
In response to these tactics, Wazuh's detection rules are designed to identify specific behaviors associated with Peaklight, such as files dropped in temporary directories and suspicious registry modifications.

These rules trigger alerts on the Wazuh dashboard, allowing organizations to monitor and respond to Peaklight activity effectively.
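The detection logic described in the two passages above (PowerShell launched with its execution policy bypassed, and files dropped in temporary directories or Run keys modified), as an added example that is not Wazuh's own rules (those live in XML rule files on the manager) and not code from the report. The Python below runs three checks over constructed Sysmon events and returns Wazuh-style alerts. The field names are simplified from Sysmon's EventData, the rule IDs 100100 to 100102 and the MITRE ATT&CK tags are assumed for illustration, and every sample event is constructed.

```python
import re
from dataclasses import dataclass

# Launch flags Peaklight's loader relies on. -ExecutionPolicy Bypass/Unrestricted
# (abbreviations -ep, -exec) skips script-policy checks; -NoProfile (-nop) stops
# profile scripts from loading, so nothing in the user's profile can log or alter it.
EXEC_POLICY_RE = re.compile(
    r"-(?:ExecutionPolicy|ep|exec)\s+(?:Bypass|Unrestricted)\b", re.IGNORECASE)
NO_PROFILE_RE = re.compile(r"-(?:NoProfile|nop)\b", re.IGNORECASE)
# Temporary directories where dropped payloads typically land.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
RISKY_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".zip")
# Autostart keys commonly abused for persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class Alert:
    rule_id: int       # hypothetical IDs in Wazuh's custom-rule range (100000 and up)
    level: int         # Wazuh-style severity 0-15
    description: str
    mitre: tuple       # assumed ATT&CK technique tags
    event: dict


def check_powershell_bypass(ev):
    """Sysmon Event ID 1 (process creation): PowerShell run with policy bypassed."""
    if ev.get("eventID") != 1:
        return None
    if not ev.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = ev.get("commandLine", "")
    if not EXEC_POLICY_RE.search(cmd):
        return None
    no_profile = bool(NO_PROFILE_RE.search(cmd))
    desc = "PowerShell launched with execution policy bypassed"
    if no_profile:
        desc += " and profile loading disabled"
    # Both flags together match the loader behaviour described above, so rate it higher.
    return Alert(100100, 12 if no_profile else 10, desc, ("T1059.001", "T1562.001"), ev)


def check_temp_drop(ev):
    """Sysmon Event ID 11 (file creation): executable content written to a temp directory."""
    if ev.get("eventID") != 11:
        return None
    path = ev.get("targetFilename", "")
    if TEMP_DIR_RE.search(path) and path.lower().endswith(RISKY_EXT):
        return Alert(100101, 8, "Executable or script dropped in a temporary directory",
                     ("T1105",), ev)
    return None


def check_run_key(ev):
    """Sysmon Event ID 13 (registry value set): autostart entry written."""
    if ev.get("eventID") != 13:
        return None
    if RUN_KEY_RE.search(ev.get("targetObject", "")):
        return Alert(100102, 10, "Run key modified to establish persistence",
                     ("T1547.001",), ev)
    return None


CHECKS = (check_powershell_bypass, check_temp_drop, check_run_key)


def detect(events):
    """Run every check over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed Sysmon events, reduced to the fields the checks use (real events carry
# many more fields, and Wazuh decodes them under win.eventdata).
SAMPLE_EVENTS = [
    {"eventID": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "commandLine": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -w hidden -c "iex (gc C:\Users\alice\AppData\Local\Temp\stage.txt)"'},
    {"eventID": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "commandLine": "powershell.exe Get-Process"},                 # benign admin use
    {"eventID": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "targetFilename": r"C:\Users\alice\AppData\Local\Temp\winupd.dll"},
    {"eventID": 11,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "targetFilename": r"C:\Users\alice\Documents\report.docx"},   # benign
    {"eventID": 13,
     "targetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "details": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\winupd.dll,Start"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"rule {a.rule_id} level {a.level}: {a.description} [{', '.join(a.mitre)}]")
```

Run against the constructed events, the script raises one alert per malicious event and stays silent on the two benign ones; in a real deployment the same conditions would be expressed as `<field>` and `<regex>` matches in a Wazuh rules file, and the level would decide whether an active response fires.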