Saturday, December 14, 2024
Homecyber securityWebdav Malicious File Hosting Powering Stealthy Malware Attacks

Webdav Malicious File Hosting Powering Stealthy Malware Attacks

Published on

SIEM as a Service

A new method of attack has emerged that leverages WebDAV technology to host malicious files. This approach, which facilitates the distribution of the Emmenhtal loader—also known as PeakLight—has been under scrutiny since December 2023.

The loader is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide.

This article delves into the use of WebDAV for malicious purposes, the range of malware distributed through this infrastructure, and the potential for this setup to be part of a broader “Infrastructure-as-a-Service” (IaaS) offering to cybercriminals.

- Advertisement - SIEM as a Service

The Role of WebDAV in Malicious File Hosting

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to manage files on web servers.

While it has legitimate applications in collaborative environments, cybercriminals have increasingly exploited it for malicious activities.

The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader.

These servers host weaponized “.lnk” files designed to download further malicious payloads using “mshta.exe,” a legitimate Microsoft executable. 

This method provides a high degree of stealth, as using trusted system binaries like “mshta.exe” helps bypass security controls.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Separating the hosting server for initial “.lnk” files from the payload server complicates detection and attribution efforts.

Detailed Analysis of Malware Delivered via WebDAV

Sekoia’s investigation revealed a diverse array of malware distributed through this infrastructure, highlighting its versatility.

Notable malware families include SelfAU3, DarkGate, Amadey, Lumma, Remcos, MeduzaStealer, DANABOT, ACR Stealer, Asyncrat, Stealit, Cryptbot, XWORM, and DEERSTEALER.

Each was delivered through WebDAV-hosted “.lnk” files with URLs adjusted to minimize direct exposure.

Table: Malware Families and Their Corresponding URLs

Malware FamilyURL
SelfAU391[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk
DarkGate206[.]188[.]196[.]28/Downloads/example[.]lnk
Amadey147[.]45[.]79[.]82/Downloads/qqeng[.]pdf[.]lnk
Lumma91[.]92[.]243[.]198:81/Downloads/test[.]lnk
Remcos89[.]23[.]107[.]244/Downloads/Test[.]lnk
MeduzaStealer94[.]156[.]64[.]74/Downloads/SecretTeachings[.]pdf[.]lnk
DANABOT151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk
ACR Stealer62[.]133[.]61[.]104/Downloads/test[.]pdf[.]lnk
Asyncrat62[.]133[.]61[.]101/Downloads/Invoice[.]pdf[.]lnk
Stealit62[.]133[.]61[.]37/Downloads/config[.]txt[.]lnk
Cryptbot89[.]23[.]103[.]56/Downloads/Videof/Full%20Video%20HD%20%281080p%29[.]lnk
XWORM62[.]133[.]61[.]73/Downloads/Photo[.]lnk
DEERSTEALER92[.]118[.]112[.]253/Downloads/releaseform.pdf.lnk

The diversity of malware payloads suggests that this WebDAV infrastructure may be part of a more extensive cybercriminal operation offering IaaS to multiple threat actors.

Key observations supporting this hypothesis include:

  • Diversity of Final Payloads: The wide range of malware indicates that multiple threat actors utilize the same service.
  • Presence of Test Files: Consistent observation of “test” files suggests clients are validating the service before deploying actual payloads.
  • Consistency in Autonomous Systems (AS): The repeated use of specific AS providers over several months points to a centralized service offering.

The infrastructure supporting the Emmenhtal loader represents a sophisticated operation likely offered as a service to various cybercriminals.

Its ability to deliver multiple malware payloads while maintaining stealth underscores the evolving threat landscape in cybersecurity.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...