Webdav Malicious File Hosting Powering Stealthy Malware Attacks

A new method of attack has emerged that leverages WebDAV technology to host malicious files. This approach, which facilitates the distribution of the Emmenhtal loader—also known as PeakLight—has been under scrutiny since December 2023.

The loader is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide.

This article delves into the use of WebDAV for malicious purposes, the range of malware distributed through this infrastructure, and the potential for this setup to be part of a broader “Infrastructure-as-a-Service” (IaaS) offering to cybercriminals.

The Role of WebDAV in Malicious File Hosting

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to manage files on web servers.

While it has legitimate applications in collaborative environments, cybercriminals have increasingly exploited it for malicious activities.

The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader.

These servers host weaponized “.lnk” files designed to download further malicious payloads using “mshta.exe,” a legitimate Microsoft executable. 

This method provides a high degree of stealth, as using trusted system binaries like “mshta.exe” helps bypass security controls.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Separating the hosting server for initial “.lnk” files from the payload server complicates detection and attribution efforts.

Detailed Analysis of Malware Delivered via WebDAV

Sekoia’s investigation revealed a diverse array of malware distributed through this infrastructure, highlighting its versatility.

Notable malware families include SelfAU3, DarkGate, Amadey, Lumma, Remcos, MeduzaStealer, DANABOT, ACR Stealer, Asyncrat, Stealit, Cryptbot, XWORM, and DEERSTEALER.

Each was delivered through WebDAV-hosted “.lnk” files with URLs adjusted to minimize direct exposure.

Table: Malware Families and Their Corresponding URLs

Malware Family	URL
SelfAU3	91[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk
DarkGate	206[.]188[.]196[.]28/Downloads/example[.]lnk
Amadey	147[.]45[.]79[.]82/Downloads/qqeng[.]pdf[.]lnk
Lumma	91[.]92[.]243[.]198:81/Downloads/test[.]lnk
Remcos	89[.]23[.]107[.]244/Downloads/Test[.]lnk
MeduzaStealer	94[.]156[.]64[.]74/Downloads/SecretTeachings[.]pdf[.]lnk
DANABOT	151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk
ACR Stealer	62[.]133[.]61[.]104/Downloads/test[.]pdf[.]lnk
Asyncrat	62[.]133[.]61[.]101/Downloads/Invoice[.]pdf[.]lnk
Stealit	62[.]133[.]61[.]37/Downloads/config[.]txt[.]lnk
Cryptbot	89[.]23[.]103[.]56/Downloads/Videof/Full%20Video%20HD%20%281080p%29[.]lnk
XWORM	62[.]133[.]61[.]73/Downloads/Photo[.]lnk
DEERSTEALER	92[.]118[.]112[.]253/Downloads/releaseform.pdf.lnk

The diversity of malware payloads suggests that this WebDAV infrastructure may be part of a more extensive cybercriminal operation offering IaaS to multiple threat actors.

Key observations supporting this hypothesis include:

• Diversity of Final Payloads: The wide range of malware indicates that multiple threat actors utilize the same service.
• Presence of Test Files: Consistent observation of “test” files suggests clients are validating the service before deploying actual payloads.
• Consistency in Autonomous Systems (AS): The repeated use of specific AS providers over several months points to a centralized service offering.

The infrastructure supporting the Emmenhtal loader represents a sophisticated operation likely offered as a service to various cybercriminals.

Its ability to deliver multiple malware payloads while maintaining stealth underscores the evolving threat landscape in cybersecurity.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial