This report was originally published for our customers on 30 August 2024.
Since December 2023, the Sekoia TDR team has been monitoring a specific infrastructure involved in the distribution of the Emmenhtal loader. Emmenhtal is a stealthy malware loader known for its effectiveness in distributing various commodity infostealers worldwide. This loader has attracted attention from cybersecurity researchers, with detailed analyses provided by Orange Cyberdefense and Google Cloud’s Threat Intelligence team.
The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.
This blogpost begins by examining the use of WebDAV technology in hosting malicious files related to the Emmenhtal loader, then analyses the various final payloads delivered through this infrastructure, and concludes by exploring the possibility that the infrastructure is being offered as-a-service to multiple threat actors.
In our investigation of the infrastructure distributing the Emmenhtal loader, TDR analysts identified the use of WebDAV (Web Distributed Authoring and Versioning) technology to host malicious files. WebDAV, an extension of the HTTP protocol, allows for the management of files on web servers, including uploading, editing, and deleting files remotely. Even though WebDAV has legitimate applications in collaborative environments, threat actors have increasingly leveraged this technology to facilitate malicious activities.
The Emmenhtal loader, first detailed by Orange Cyberdefense for its role in distributing commodity infostealers, was later analysed by Google Cloud’s Threat Intelligence team, which uncovered its sophisticated memory-only execution strategy under the name PeakLight. These analyses underscore the significant and evolving threat posed by Emmenhtal as it continues to deliver new infostealers.
In one of the infection chains described by Orange Cyberdefense and Google, the user is initially redirected to the WebDAV server through a drive-by compromise while visiting certain websites. This results in an explorer.exe window opening onto the WebDAV share, where the malicious files are hosted. Since the end of 2023, Sekoia.io has identified more than 100 malicious WebDAV servers belonging to this infrastructure.
In the infrastructure Sekoia analysed, the malicious files were hosted within the “/Downloads” directory on a WebDAV server, an open directory where all files are accessible. The files predominantly consisted of “.lnk” files, which were weaponised to download further malicious payloads using the “mshta.exe” binary, a legitimate Microsoft executable designed to execute Microsoft HTML Application (HTA) files.
The use of “mshta.exe” to download and execute malicious payloads is a known technique among cybercriminals. By utilising a trusted system binary like “mshta.exe”, threat actors can bypass certain security controls and achieve a higher degree of stealth in their operations. Once the “.lnk” file is executed, “mshta.exe” is invoked to retrieve the Emmenhtal loader, which is most often hosted on separate infrastructure, adding complexity to the attack chain.
This method of using WebDAV to host malicious “.lnk” files that trigger the download of Emmenhtal via “mshta.exe” represents an evasive tactic. The separation between the server hosting the initial “.lnk” files and the server hosting the payload hinders detection and attribution efforts, making it a preferred strategy among advanced threat actors.
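As an added illustration of how a defender might hunt for the chain just described (this is example code written for this post, not Sekoia’s detection content or anything from the analysed infrastructure), the following Python snippet scores simplified process-creation events: it flags mshta.exe launched with a remote URL on its command line, adds weight when the parent is explorer.exe (the pattern left by a double-clicked shortcut), and adds weight when the working directory or command line references a WebDAV path in Windows’ “\\host@port\DavWWWRoot” form. The event fields, the hypothetical IP addresses and the scoring thresholds are all constructed assumptions.

```python
import re

# Constructed events in a simplified Sysmon Event ID 1 style (not real telemetry).
# 198.51.100.x are documentation addresses used here as placeholders.
SAMPLE_EVENTS = [
    {   # double-clicked .lnk on a WebDAV share, target is mshta.exe with a remote URL
        "image": r"C:\Windows\System32\mshta.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Windows\System32\mshta.exe" http://198.51.100.10/page.hta',
        "current_directory": r"\\198.51.100.20@80\DavWWWRoot\Downloads",
    },
    {   # mshta.exe on a local file from a shell: lower interest
        "image": r"C:\Windows\System32\mshta.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta",
        "current_directory": r"C:\Users\alice",
    },
    {   # unrelated benign process
        "image": r"C:\Program Files\Notepad++\notepad++.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt',
        "current_directory": r"C:\Users\alice\Documents",
    },
]

# A scheme followed by "://" anywhere on the command line.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Windows WebDAV UNC form: \\host@80\DavWWWRoot or \\host@ssl\DavWWWRoot
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:\d+|ssl)\\DavWWWRoot", re.IGNORECASE)


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event; 0 means not mshta.exe."""
    reasons: list[str] = []
    image = ev.get("image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return 0, reasons
    cmd = ev.get("command_line", "")
    parent = ev.get("parent_image", "").lower()
    cwd = ev.get("current_directory", "")

    score = 1
    reasons.append("mshta.exe execution")
    if REMOTE_URL.search(cmd):
        score += 2
        reasons.append("remote URL passed to mshta.exe")
    if parent.endswith("\\explorer.exe"):
        score += 1
        reasons.append("spawned by explorer.exe (shortcut double-click pattern)")
    if WEBDAV_UNC.search(cwd) or WEBDAV_UNC.search(cmd):
        score += 2
        reasons.append("WebDAV (DavWWWRoot) path in working directory or command line")
    return score, reasons


def find_alerts(events: list[dict], threshold: int = 4) -> list[tuple[int, int, list[str]]]:
    """Return (event index, score, reasons) for events at or above the threshold."""
    alerts = []
    for idx, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((idx, score, reasons))
    return alerts


if __name__ == "__main__":
    for idx, score, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: " + "; ".join(reasons))
```

The scoring is deliberately additive so that mshta.exe alone (which has legitimate uses) does not page anyone, while the combination of a remote URL, an Explorer parent and a DavWWWRoot path, which is exactly what the WebDAV-hosted shortcut produces, crosses the threshold.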
Our analysis uncovered a wider range of malware distributed via this infrastructure than previously reported. The malware families identified, such as SelfAU3, DarkGate, and Amadey, demonstrate the infrastructure’s versatility. Each payload was identified as being delivered through WebDAV-hosted “.lnk” files. The URLs below are defanged (dots replaced by “[.]”) so that they cannot be followed by accident. Below is a table of the identified malware families and the corresponding URLs:
| Malware family | URL |
|---|---|
| SelfAU3 | 91[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk |
| DarkGate | 206[.]188[.]196[.]28/Downloads/example[.]lnk |
| Amadey | 147[.]45[.]79[.]82/Downloads/qqeng[.]pdf[.]lnk |
| Lumma | 91[.]92[.]243[.]198:81/Downloads/test[.]lnk |
| Remcos | 89[.]23[.]107[.]244/Downloads/Test[.]lnk |
| MeduzaStealer | 94[.]156[.]64[.]74/Downloads/SecretTeachings[.]pdf[.]lnk |
| DANABOT | 151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk |
| ACR Stealer | 62[.]133[.]61[.]104/Downloads/test[.]pdf[.]lnk |
| Asyncrat | 62[.]133[.]61[.]101/Downloads/Invoice[.]pdf[.]lnk |
| Stealit | 62[.]133[.]61[.]37/Downloads/config[.]txt[.]lnk |
| Cryptbot | 89[.]23[.]103[.]56/Downloads/Videof/Full%20Video%20HD%20%281080p%29[.]lnk |
| XWORM | 62[.]133[.]61[.]73/Downloads/Photo[.]lnk |
| Bash File Dropping ZgRAT, DCRAT, PureLogs, XWORM | 147[.]45[.]50[.]214/Downloads/demo[.]pdf[.]lnk |
| DEERSTEALER | 92[.]118[.]112[.]253/Downloads/releaseform[.]pdf[.]lnk |
| Guloader | 89[.]23[.]107[.]67/Downloads/2023-Documents%20Shared[.]lnk |
| Redline | 147[.]45[.]50[.]57/Downloads/INVOICE%20340138551[.]pdf[.]lnk |
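To make the defanged indicators in the table (and the IP list at the end of this report) usable in practice, the following Python example, added here and not part of Sekoia’s tooling, refangs a few of the table’s URLs, normalises them into (host, port, path) tuples, and runs them over constructed proxy log lines. It also applies two generic checks that do not depend on the indicator list: WebDAV methods such as PROPFIND towards an external host, and any “.lnk” file fetched over HTTP, since both are characteristic of the delivery chain described above. The log format, client addresses, the 203.0.113.5 address and example.com are constructed assumptions; only the four indicator URLs come from the table.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the table in this report.
DEFANGED_URLS = [
    "91[.]92[.]251[.]35/Downloads/solaris-docs[.]lnk",
    "206[.]188[.]196[.]28/Downloads/example[.]lnk",
    "91[.]92[.]243[.]198:81/Downloads/test[.]lnk",
    "151[.]236[.]17[.]180/Wire%20Confirmation/WireConfirmation[.]pdf[.]lnk",
]

# Constructed proxy log lines (not real traffic). Format: time client method url status
SAMPLE_PROXY_LOG = """\
2024-08-01T10:15:02Z 10.0.0.5 PROPFIND http://91.92.251.35/Downloads/ 207
2024-08-01T10:15:03Z 10.0.0.5 GET http://91.92.251.35/Downloads/solaris-docs.lnk 200
2024-08-01T10:16:40Z 10.0.0.9 GET http://203.0.113.5/Downloads/report.lnk 200
2024-08-01T10:17:11Z 10.0.0.7 GET http://example.com/Downloads/readme.txt 200
2024-08-01T10:18:00Z 10.0.0.5 GET http://91.92.243.198:81/Downloads/test.lnk 200
"""

# HTTP methods that only a WebDAV client (e.g. the Windows Mini-Redirector) would send.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}


def refang(indicator: str) -> str:
    """Reverse common defanging so the indicator can be compared with real log data."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def normalise(url: str) -> tuple[str, int, str]:
    """Return (host, port, path) with the default port filled in."""
    if "://" not in url:
        url = "//" + url  # the table's indicators carry no scheme
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.hostname, port, p.path


IOC_URLS = {normalise(refang(u)) for u in DEFANGED_URLS}
IOC_HOSTS = {host for host, _, _ in IOC_URLS}


def classify(line: str) -> list[str]:
    """Tag one proxy log line; an empty list means nothing of interest."""
    try:
        _ts, _client, method, url, _status = line.split()
    except ValueError:  # malformed or empty line
        return []
    host, port, path = normalise(url)
    tags = []
    if host in IOC_HOSTS:
        tags.append("known-ioc-host")
    if (host, port, path) in IOC_URLS:
        tags.append("known-ioc-url")
    if method.upper() in WEBDAV_METHODS:
        tags.append("webdav-method")
    if path.lower().endswith(".lnk"):
        tags.append("lnk-download")
    return tags


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, tags) for every line that received at least one tag."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            fields = line.split()
            hits.append((fields[1], fields[3], tags))
    return hits


if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {', '.join(tags)}")
```

Matching on the full (host, port, path) tuple rather than on the raw string avoids misses when the proxy logs “:80” explicitly, and the host-only match still fires after the operators rename the shortcut, which the table shows they do frequently.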
The discovery of these additional malware families highlights the evolving nature of the threat landscape associated with the Emmenhtal loader.
Based on our analysis and the diversity of malware observed, it is plausible that the WebDAV infrastructure described above is part of a broader cybercriminal operation offering “Infrastructure-as-a-Service” (IaaS) to other threat actors. This hypothesis is supported by several key observations:
The repeated use of specific AS providers over several months suggests that the threat actor(s) behind this infrastructure have established a reliable hosting arrangement, potentially as part of a larger IaaS offering. This consistency in hosting environments might also be indicative of a deliberate choice to evade detection by rotating among a select group of trusted providers.
The findings presented in this report suggest that the infrastructure used to distribute the Emmenhtal loader is likely part of a commercial service offered by a cybercriminal group. The presence of multiple malware payloads, consistent testing activities, and the reuse of specific Autonomous Systems for hosting all point towards a sophisticated operation designed to cater to multiple clients. As this infrastructure continues to evolve, it poses a significant and ongoing threat, necessitating continued vigilance and targeted defensive measures by cybersecurity professionals.
Our clients can access detailed information on the observed activities, related threat indicators, and ongoing monitoring efforts directly through our platform. We remain committed to tracking this infrastructure over time and will provide continuous updates as new developments emerge.
104[.]131[.]7[.]207
141[.]98[.]234[.]166
147[.]45[.]178[.]54
147[.]45[.]50[.]142
147[.]45[.]50[.]144
147[.]45[.]50[.]172
147[.]45[.]50[.]214
147[.]45[.]50[.]23
147[.]45[.]50[.]26
147[.]45[.]50[.]34
147[.]45[.]50[.]57
147[.]45[.]50[.]86
147[.]45[.]79[.]82
151[.]236[.]17[.]180
168[.]100[.]9[.]199
178[.]209[.]51[.]222
185[.]143[.]223[.]188
185[.]196[.]8[.]158
191[.]243[.]196[.]114
193[.]124[.]33[.]71
193[.]233[.]75[.]13
194[.]190[.]152[.]108
194[.]87[.]252[.]22
200[.]150[.]194[.]109
206[.]188[.]196[.]28
212[.]18[.]104[.]111
45[.]151[.]62[.]238
46[.]29[.]234[.]129
62[.]133[.]61[.]101
62[.]133[.]61[.]104
62[.]133[.]61[.]106
62[.]133[.]61[.]148
62[.]133[.]61[.]155
62[.]133[.]61[.]168
62[.]133[.]61[.]189
62[.]133[.]61[.]207
62[.]133[.]61[.]240
62[.]133[.]61[.]26
62[.]133[.]61[.]37
62[.]133[.]61[.]43
62[.]133[.]61[.]49
62[.]133[.]61[.]56
62[.]133[.]61[.]69
62[.]133[.]61[.]73
62[.]133[.]61[.]79
62[.]133[.]61[.]90
62[.]133[.]61[.]97
62[.]133[.]61[.]98
78[.]153[.]139[.]202
79[.]137[.]203[.]158
82[.]115[.]223[.]234
84[.]247[.]187[.]231
89[.]110[.]78[.]58
89[.]23[.]103[.]118
89[.]23[.]103[.]123
89[.]23[.]103[.]15
89[.]23[.]103[.]188
89[.]23[.]103[.]205
89[.]23[.]103[.]253
89[.]23[.]103[.]56
89[.]23[.]103[.]57
89[.]23[.]103[.]8
89[.]23[.]103[.]97
89[.]23[.]107[.]113
89[.]23[.]107[.]123
89[.]23[.]107[.]168
89[.]23[.]107[.]181
89[.]23[.]107[.]240
89[.]23[.]107[.]244
89[.]23[.]107[.]251
89[.]23[.]107[.]67
89[.]23[.]113[.]140
91[.]202[.]233[.]136
91[.]92[.]240[.]234
91[.]92[.]240[.]247
91[.]92[.]240[.]29
91[.]92[.]243[.]198
91[.]92[.]243[.]74
91[.]92[.]245[.]185
91[.]92[.]245[.]222
91[.]92[.]246[.]102
91[.]92[.]248[.]129
91[.]92[.]248[.]50
91[.]92[.]248[.]77
91[.]92[.]248[.]90
91[.]92[.]250[.]123
91[.]92[.]250[.]150
91[.]92[.]250[.]44
91[.]92[.]251[.]35
91[.]92[.]253[.]126
91[.]92[.]254[.]167
91[.]92[.]254[.]225
92[.]118[.]112[.]223
92[.]118[.]112[.]253
94[.]131[.]112[.]206
94[.]156[.]64[.]74
94[.]156[.]64[.]76
94[.]156[.]65[.]126
94[.]156[.]65[.]130
94[.]156[.]69[.]111
94[.]156[.]69[.]6
94[.]156[.]8[.]31
95[.]164[.]68[.]24
95[.]216[.]196[.]85