A new and intricate alware campaign has been discovered by Trustwave SpiderLabs, leveraging the Windows search feature embedded in HTML code to spread malicious software. The attack begins with a phishing email containing an HTML attachment disguised as a routine document, such as an invoice. To deceive users and evade email security scanners, the HTML file is compressed within a ZIP archive. This extra layer of obfuscation reduces the file size for quicker transmission, avoids detection by some email scanners, and adds a step for users, potentially bypassing simpler security measures. Notably, this campaign has been observed in limited instances.
HTML Attachment Mechanics
Once the HTML attachment is opened, it triggers a complex attack by abusing standard web protocols to exploit Windows system functionalities. A critical component of the HTML code is the `<meta http-equiv="refresh"` tag, which automatically reloads the page and redirects to a new URL with zero delay, making the redirection instant and unnoticed by the user. Additionally, an anchor tag serves as a fallback mechanism, ensuring the user is still at risk even if the automatic redirect fails.
Exploitation of the Search Protocol
When the HTML file loads, browsers typically prompt users to allow the search action as a security measure. The redirection URL uses the `search:` protocol, allowing applications to interact directly with Windows Explorer's search function. The attackers exploit this protocol to open Windows Explorer and perform a search with parameters they crafted. These parameters direct the search to look for items labelled as "INVOICE," control the search scope to a specific directory, rename the search display to "Downloads" to appear legitimate, and hide their malicious operations using Cloudflare’s tunnelling service.
Execution of Malicious Files
After the user permits the search action, Windows Explorer retrieves files named "invoice" from a remote server. Only one item, a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server. If the user clicks the file, it could trigger additional malicious operations. At the time of analysis, the payload (BAT) could not be retrieved as the server was down, but the attack demonstrates a sophisticated understanding of exploiting system vulnerabilities and user behaviour.
To prevent exploitation of the `search-ms` and `search` URI protocols, one mitigation strategy is to disable these handlers by deleting the associated registry entries. This can be achieved using specific commands.
This attack surfaces the importance of user awareness and proactive security strategies. While it does not involve automated malware installation, it requires users to engage with various prompts and clicks, cleverly obscuring the attackers' true intent. As the threat landscape becomes more complex, continuous education and robust security measures are vital to protect against such deceptive tactics.
Trustwave SpiderLabs has updated its MailMarshal software to detect and block HTML files that abuse the search URI handler, offering additional protection for users.