Peaklight malware is an information stealer designed to collect sensitive data from compromised endpoints. It is frequently distributed through underground channels and, in some cases, offered as a Malware-as-a-Service (MaaS). Its flexible structure and frequent updates make it a continuously evolving and potent threat, capable of bypassing conventional security measures.
Peaklight leverages multiple anti-analysis mechanisms to evade detection. Its primary goal is to exfiltrate sensitive information, including login credentials, browser history, financial data, and cryptocurrency wallet keys. Once installed on a victim’s device, it maintains persistent access while avoiding common security checks.
In this blog post, we illustrate how organizations can detect and respond to Peaklight malware on infected Windows endpoints.
Peaklight malware behavior
Below are some of the behaviors observed if the Peaklight malware is successfully executed on a Windows endpoint:
- The execution begins by running a PowerShell script with an unrestricted execution policy and without loading the user profile:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\ADMINI~1\AppData\Local\Temp\07061f3fd8c15bdd484b55baa44191aa9d045c9889234550939f46c063e6211c.ps1
- It queries the system memory using the GlobalMemoryStatusEx API call. Low memory availability could indicate a virtual machine, suggesting the malware may attempt to detect sandbox environments.
- The PowerShell script drops a file with an obfuscated name in the C:\Users\Administrator\AppData\Local\Temp\ folder.
- The malware repeatedly allocates 4KB to 8KB blocks of read-write-execute memory at various base addresses (using NtAllocateVirtualMemory), enabling code execution.
- The malware checks network adapter addresses using the GetAdaptersAddresses API.
Analyzed file
| Hash type | Value |
| --- | --- |
| MD5 | 95361f5f264e58d6ca4538e7b436ab67 |
| SHA256 | 07061f3fd8c15bdd484b55baa44191aa9d045c9889234550939f46c063e6211c |
Infrastructure
We use the following infrastructure to demonstrate the detection of the Peaklight malware with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.11.0 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
- A Windows 11 victim endpoint with the Wazuh agent version 4.11.0 installed and enrolled to the Wazuh server.
Wazuh detection
We use the following methods to detect the Peaklight activities on a monitored Windows endpoint.
Windows endpoint
Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.
1. Download Sysmon from the Microsoft Sysinternals page.
2. Extract the compressed Sysmon file to your preferred location.
3. Download the sysmonconfig.xml file using PowerShell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
4. Using PowerShell with Administrator privileges, switch to the directory where the Sysmon executable is located. Then run the command below to install and start Sysmon:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
5. Add the following configuration within the <ossec_config> block of the configuration file of the Wazuh agent located at C:\Program Files (x86)\ossec-agent\ossec.conf to forward Sysmon events to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
6. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh
Wazuh server
Create rules to detect the activities of the Peaklight malware on the monitored Windows endpoint.
1. Create a file peaklight_rules.xml in the /var/ossec/etc/rules/ directory:
# touch /var/ossec/etc/rules/peaklight_rules.xml
2. Add the following detection rules to the /var/ossec/etc/rules/peaklight_rules.xml file:
<group name="Peaklight, malware,">
  <!-- Rogue file detection in temp folder -->
  <rule id="100601" level="12">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.Image" type="pcre2">.*\\powershell\.exe</field>
    <field name="win.eventdata.TargetFilename" type="pcre2">(?i)C:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1</field>
    <description>Possible Peaklight malware activity detected: A rogue executable was dropped in the temp directory.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <!-- Registry Modifications -->
  <rule id="100602" level="8">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)C:\\\\Program Files\\\\WindowsApps\\\\Microsoft\.WindowsTerminal_.*\\\\WindowsTerminal\.exe</field>
    <field name="win.eventdata.TargetObject" type="pcre2">(?i)HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+\\\\Microsoft\.WindowsTerminal_.*</field>
    <description>Suspicious use of WindowsTerminal.exe to modify BAM service registry keys, indicating potential persistence mechanism.</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>
  <!-- DLL process injection -->
  <rule id="100603" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">.*\\powershell\.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">(?i)[c-z]:\\\\Windows\\\\assembly\\\\NativeImages_v4\.0\.30319_64\\\\mscorlib\\\\.*\\\\mscorlib\.ni\.dll</field>
    <description>Possible Peaklight malware activity detected: PowerShell process loaded mscorlib.ni.dll, possibly indicating process injection.</description>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>
  <rule id="100604" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">.*\\powershell\.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">(?i)[c-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework64\\\\v4\.0\.30319\\\\clrjit\.dll</field>
    <description>Possible Peaklight malware activity detected: PowerShell process loaded clrjit.dll, indicating potential process injection.</description>
    <mitre>
      <id>T1055.001</id>
    </mitre>
  </rule>
  <rule id="100605" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.Image" type="pcre2">.*\\powershell\.exe</field>
    <field name="win.eventdata.ImageLoaded" type="pcre2">(?i)[c-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework64\\\\v4\.0\.30319\\\\mscoreei\.dll</field>
    <description>Possible Peaklight malware activity detected: PowerShell process loaded mscoreei.dll, indicating potential process injection.</description>
    <mitre>
      <id>T1055.001</id>
    </mitre>
  </rule>
</group>
Where:
- Rule ID 100601 is triggered when a malicious payload is dropped and cleaned up from the \temp directory.
- Rule ID 100602 is triggered when WindowsTerminal.exe modifies a BAM service registry key to maintain persistence.
- Rule ID 100603 is triggered when a PowerShell process started by Peaklight loads mscorlib.ni.dll from C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib, a possible indicator of process injection.
- Rule ID 100604 is triggered when a PowerShell process started by Peaklight loads clrjit.dll from C:\Windows\Microsoft.NET\Framework64\v4.0.30319, a possible indicator of process injection.
- Rule ID 100605 is triggered when a PowerShell process started by Peaklight loads mscoreei.dll from C:\Windows\Microsoft.NET\Framework64\v4.0.30319, a possible indicator of process injection.
3. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
Detection results
Follow the steps below to view the alerts generated on the Wazuh dashboard when the Peaklight malware is executed on the Windows endpoint.
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then filter by rule.id.
3. In the Operator field, select is one of.
4. Search and select 100601, 100602, 100603, 100604, and 100605 in the Values field.
5. Click Save.

Removing malicious files with Wazuh using YARA integration
Detecting and removing malware before execution is a proactive defense strategy that prevents malicious files from running on monitored endpoints. The Wazuh File Integrity Monitoring (FIM) module watches endpoints in real time to detect file additions or modifications. Integrating Wazuh with threat intelligence sources like YARA rulesets and VirusTotal, which are continuously updated with the latest malware signatures, helps organizations identify malicious files early. The Wazuh Active Response module then removes these files before they turn into a bigger risk, enhancing overall security by neutralizing threats at an early stage.
In this section, we illustrate how to detect and remove malicious files by leveraging the Wazuh integration with YARA.
We configure the Wazuh FIM module to track file modification or addition in a specific directory. When a change is detected in the monitored directory, the Wazuh Active Response module initiates a YARA scan which detects malicious files based on predefined rules.
Windows endpoint
Perform the steps below to set up the monitored endpoint for this integration.
1. Install the following prerequisites:
- Python 3.12.2 or later (with pip pre-installed).
- Microsoft Visual C++ 2015 Redistributable.
Note: Run PowerShell as an administrator.
After installing the prerequisites, proceed with the following configuration:
2. Download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip
3. Extract the downloaded YARA file:
> Expand-Archive v4.5.2-2326-win64.zip
4. Create a folder C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
5. To download the YARA rules, use the pip utility to install valhallaAPI. This API retrieves the public signature-based YARA ruleset:
> pip install valhallaAPI
6. Create a file download_yara_rules.py, and paste the below script into it:
from valhallaAPI.valhalla import ValhallaAPI

# This key is the one used to retrieve the public signature-based ruleset
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
# Fetch the ruleset as plain YARA text and write it to disk
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)
7. Run the download_yara_rules.py script file to download YARA rules:
> python download_yara_rules.py
8. Create C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder and copy the rules into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
9. Edit the downloaded YARA rule C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following Peaklight malware rule:
rule M_AES_Encrypted_payload {
    meta:
        author = "MAS"
        reference = "https://www.mandiant.com/"
        description = "This rule is designed to detect on events that exhibit indicators of utilizing AES encryption for payload obfuscation."
        target_entity = "Process"
    strings:
        $a = /(\$\w+\.Key(\s|)=((\s|)(\w+|));|\$\w+\.Key(\s|)=(\s|)\w+\('\w+'\);)/
        $b = /\$\w+\.IV/
        $c = /System\.Security\.Cryptography\.(AesManaged|Aes)/
    condition:
        all of them
}
rule M_Downloader_PEAKLIGHT_1 {
    meta:
        author = "MAS"
        reference = "https://www.mandiant.com/"
        description = "This rule is designed to detect events related to Peaklight. PEAKLIGHT is an obfuscated PowerShell-based downloader which checks for the presence of hard-coded filenames and downloads files from a remote CDN if the files are not present."
        category = "Malware"
    strings:
        $str1 = /function\s{1,16}\w{1,32}\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\{\[IO\.File\]::WriteAllBytes\(\$\w{1,32},\s{1,4}\$\w{1,32}\)\}/ ascii wide
        $str2 = /Expand-Archive\s{1,16}-Path\s{1,16}\$\w{1,32}\s{1,16}-DestinationPath/ ascii wide
        $str3 = /\(\w{1,32}\s{1,4}@\((\d{3,6},){3,12}/ ascii wide
        $str4 = ".DownloadData(" ascii wide
        $str5 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12" ascii wide
        $str6 = /\.EndsWith\(((["']\.zip["'])|(\(\w{1,32}\s{1,16}@\((\d{3,6},){3}\d{3,6}\)\)))/ ascii wide
        // Add-Type is the PowerShell cmdlet name; written as one token so the string can match
        $str7 = "Add-Type -Assembly System.IO.Compression.FileSystem" ascii wide
        $str8 = "[IO.Compression.ZipFile]::OpenRead"
    condition:
        4 of them and filesize < 10KB
}
Where:
- $a matches strings indicating the assignment of an AES key.
- $b matches strings indicating the use of an Initialization Vector (IV) for AES encryption.
- $c matches strings referencing AES encryption classes in .NET (e.g., System.Security.Cryptography.AesManaged).
- $str1 matches PowerShell functions that write bytes to a file (e.g., [IO.File]::WriteAllBytes).
- $str2 matches PowerShell commands that expand archives (e.g., Expand-Archive -Path $var -DestinationPath).
- $str3 matches arrays of numbers, often used for encoding or obfuscation.
- $str4 matches methods used to download data (e.g., .DownloadData()).
- $str5 matches the enforcement of TLS 1.2 for secure communication (e.g., [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12).
- $str6 matches strings indicating file extensions, particularly .zip.
- $str7 matches the addition of the System.IO.Compression.FileSystem assembly for handling compressed files.
- $str8 matches the use of [IO.Compression.ZipFile]::OpenRead to read ZIP files.
10. Monitor the Downloads folder of all users in real-time by adding the below configuration within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:
<directories realtime="yes">C:\Users\*\Downloads</directories>
Note: In this blog post, we only monitored the Downloads folder of all users. However, you can configure other directories you wish to monitor.
11. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the below script into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:
:: This script deletes the Peaklight malware executable as well as other malicious files matched by the YARA rules
@echo off
setlocal enableDelayedExpansion
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
:: Read the alert JSON that the Wazuh agent passes to this script on stdin
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
:: Extract the path of the added or modified file from the alert
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
:: Scan the file with YARA; each output line is a matching rule name followed by the file path
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the scanned file (REM instead of :: because :: is unreliable inside a parenthesized block)
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b
12. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh
Wazuh server
Perform the following steps to configure custom decoders, rules, and the Wazuh Active Response module on the Wazuh server.
1. Edit the file /var/ossec/etc/decoders/local_decoder.xml and include the following decoders:
<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
2. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following rules:
<group name="syscheck,">
  <!-- File modified in the Downloads folder -->
  <rule id="100010" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>
  <!-- File added to the Downloads folder -->
  <rule id="100011" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>
<!-- Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100012" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>
  <!-- YARA scan detects a positive match -->
  <rule id="100013" level="7">
    <if_sid>100012</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>Yara scan result: File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
  <!-- Wazuh Active Response removed the file that matched -->
  <rule id="100014" level="7">
    <if_sid>100012</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Active Response: Successfully removed "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
  <!-- Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100015" level="12">
    <if_sid>100012</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Active Response: Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>
Where:
- Rule ID 100010 is triggered when a file is modified in the Downloads directory.
- Rule ID 100011 is triggered when a file is added to the Downloads directory.
- Rule ID 100012 is the base rule for detecting YARA events.
- Rule ID 100013 is triggered when a YARA scan detects a malicious file.
- Rule ID 100014 is triggered when the detected file has been successfully removed by the Wazuh Active Response module.
- Rule ID 100015 is triggered when the detected file is not removed successfully by the Wazuh Active Response module.
3. Append the following configuration to the Wazuh server configuration file /var/ossec/etc/ossec.conf:
<ossec_config>
  <!-- The YARA batch script is executed when a file is added or modified in the Downloads folder monitored by Wazuh -->
  <command>
    <name>yara</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>yara</command>
    <location>local</location>
    <rules_id>100010,100011</rules_id>
  </active-response>
</ossec_config>
The Wazuh Active Response module runs the yara.bat script when a file is added or modified in the Downloads folder.
Where:
- <name> specifies that yara is the name of the command being called in the active response section.
- <executable> specifies that yara.bat is the executable file to run.
- <command> specifies the command that the active response will use.
- The <active-response> block calls the <command> block when rule ID 100010 or 100011 is triggered.
- <location> specifies where the active response script is executed.
4. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
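To see how the pieces configured in steps 1 to 3 fit together, the following Python model (added here; it is not code from this post or from the Wazuh project) traces the round trip: the alert JSON that yara.bat reads from stdin, the three kinds of line it appends to active-responses.log, and the decoders and rules on the server that turn those lines into alerts 100013, 100014 and 100015. The JSON document, host name and file paths are constructed samples, and Python's re stands in for Wazuh's own OS_Regex engine, so the regex behaviour is an approximation.

```python
import json
import re

# Constructed sample of the JSON that the Wazuh manager pipes to an active-response
# script's stdin; only the keys that yara.bat actually reads matter here.
AR_STDIN = json.dumps({
    "version": 1,
    "command": "add",
    "parameters": {
        "alert": {
            "rule": {"id": "100011", "level": 7},
            "syscheck": {"event": "added",
                         "path": r"C:\Users\bob\Downloads\invoice.ps1"},
        }
    },
})

# The three message kinds that yara.bat appends to active-responses.log. The
# payload after the colon is what yara64.exe prints on a match: "<rule> <path>".
PREFIXES = {
    "scan": "Scan result",
    "deleted": "Successfully deleted",
    "error": "Error removing threat",
}

# The yara_decoder1 regexes from local_decoder.xml, modelled with Python's re.
# Wazuh evaluates them with its own OS_Regex engine, so this is an approximation.
DECODERS = {
    kind: re.compile(rf"wazuh-yara: (\S+) - {label}: (\S+) (\S+)")
    for kind, label in PREFIXES.items()
}
FIELDS = ("log_type", "yara_rule", "yara_scanned_file")   # <order> of the decoders

# Rule ID and level that each decoded message kind maps to in local_rules.xml.
RULES = {"scan": ("100013", 7), "deleted": ("100014", 7), "error": ("100015", 12)}


def scanned_path(ar_stdin: str) -> str:
    """Mirror of yara.bat: pull parameters.alert.syscheck.path out of the stdin JSON."""
    return json.loads(ar_stdin)["parameters"]["alert"]["syscheck"]["path"]


def script_log_line(kind: str, yara_rule: str, path: str) -> str:
    """The line yara.bat writes for an outcome ('scan', 'deleted' or 'error')."""
    return f"wazuh-yara: INFO - {PREFIXES[kind]}: {yara_rule} {path}"


def decode(line: str):
    """Run the decoder chain; return (rule_id, level, fields) or None if no rule fires."""
    if "wazuh-yara:" not in line:  # parent decoder <prematch>
        return None
    for kind, regex in DECODERS.items():
        match = regex.search(line)
        if match:
            rule_id, level = RULES[kind]
            return rule_id, level, dict(zip(FIELDS, match.groups()))
    return None


if __name__ == "__main__":
    path = scanned_path(AR_STDIN)
    for kind in PREFIXES:
        print(decode(script_log_line(kind, "M_Downloader_PEAKLIGHT_1", path)))
    # Caveat: (\S+) cannot span a space, so "my invoice.ps1" is captured only up to "my".
    print(decode(script_log_line("scan", "M_Downloader_PEAKLIGHT_1",
                                 r"C:\Users\bob\Downloads\my invoice.ps1")))
```

The last call shows the limitation worth knowing about: a scanned path containing a space is truncated by the `(\S+)` capture, so yara_scanned_file in the alert will not be the full path for such files.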
Visualizing alerts on the Wazuh dashboard
When the Peaklight malware executable is added to the Downloads folder of the victim endpoint and removed by the Wazuh Active Response module, alerts are generated on the Wazuh dashboard.
1. Navigate to Threat intelligence > Threat Hunting.
2. Click + Add filter. Then, filter for rule.id in the Field field.
3. Filter for is one of in the Operator field.
4. Filter for 100010, 100011, 100013, 100014, and 553 in the Values field.
5. Click Save.

Conclusion
In this blog post, we demonstrated how organizations can identify Peaklight malware activities on monitored Windows endpoints. By leveraging Sysmon, we obtained detailed insights into critical system activities such as process creation, network connections, and file modifications. This allowed us to gather precise information on the malware’s behavior, enhancing our ability to detect and analyze its actions effectively. We developed Wazuh detection rules to detect malicious behavior related to Peaklight malware.
Wazuh is a free, open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. If you have any questions about this blog post or Wazuh, we invite you to join our Slack community, where our team is available to assist you.