Cyber Security News

Webdav Malicious File Hosting Powering Stealthy Malware Attacks

A new method of attack has emerged that leverages WebDAV technology to host malicious files. This approach, which facilitates the distribution of the Emmenhtal loader—also known as PeakLight—has been under scrutiny since December 2023.

The loader is notorious for its stealthy, memory-only execution and its role in distributing various infostealers worldwide.

This article delves into the use of WebDAV for malicious purposes, the range of malware distributed through this infrastructure, and the potential for this setup to be part of a broader “Infrastructure-as-a-Service” (IaaS) offering to cybercriminals.

The Role of WebDAV in Malicious File Hosting

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to manage files on web servers.

While it has legitimate applications in collaborative environments, cybercriminals have increasingly exploited it for malicious activities.

The Sekoia TDR team identified over 100 malicious WebDAV servers involved in distributing the Emmenhtal loader.

These servers host weaponized “.lnk” files designed to download further malicious payloads using “mshta.exe,” a legitimate Microsoft executable. 

This method provides a high degree of stealth, as using trusted system binaries like “mshta.exe” helps bypass security controls.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Separating the hosting server for initial “.lnk” files from the payload server complicates detection and attribution efforts.

Detailed Analysis of Malware Delivered via WebDAV

Sekoia’s investigation revealed a diverse array of malware distributed through this infrastructure, highlighting its versatility.

Notable malware families include SelfAU3, DarkGate, Amadey, Lumma, Remcos, MeduzaStealer, DANABOT, ACR Stealer, Asyncrat, Stealit, Cryptbot, XWORM, and DEERSTEALER.

Each was delivered through WebDAV-hosted “.lnk” files with URLs adjusted to minimize direct exposure.

Table: Malware Families and Their Corresponding URLs

Malware FamilyURL
SelfAU391[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk
DarkGate206[.]188[.]196[.]28/Downloads/example[.]lnk
Amadey147[.]45[.]79[.]82/Downloads/qqeng[.]pdf[.]lnk
Lumma91[.]92[.]243[.]198:81/Downloads/test[.]lnk
Remcos89[.]23[.]107[.]244/Downloads/Test[.]lnk
MeduzaStealer94[.]156[.]64[.]74/Downloads/SecretTeachings[.]pdf[.]lnk
DANABOT151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk
ACR Stealer62[.]133[.]61[.]104/Downloads/test[.]pdf[.]lnk
Asyncrat62[.]133[.]61[.]101/Downloads/Invoice[.]pdf[.]lnk
Stealit62[.]133[.]61[.]37/Downloads/config[.]txt[.]lnk
Cryptbot89[.]23[.]103[.]56/Downloads/Videof/Full%20Video%20HD%20%281080p%29[.]lnk
XWORM62[.]133[.]61[.]73/Downloads/Photo[.]lnk
DEERSTEALER92[.]118[.]112[.]253/Downloads/releaseform.pdf.lnk

The diversity of malware payloads suggests that this WebDAV infrastructure may be part of a more extensive cybercriminal operation offering IaaS to multiple threat actors.

Key observations supporting this hypothesis include:

  • Diversity of Final Payloads: The wide range of malware indicates that multiple threat actors utilize the same service.
  • Presence of Test Files: Consistent observation of “test” files suggests clients are validating the service before deploying actual payloads.
  • Consistency in Autonomous Systems (AS): The repeated use of specific AS providers over several months points to a centralized service offering.

The infrastructure supporting the Emmenhtal loader represents a sophisticated operation likely offered as a service to various cybercriminals.

Its ability to deliver multiple malware payloads while maintaining stealth underscores the evolving threat landscape in cybersecurity.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

22 hours ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 days ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

2 days ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

2 days ago