Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Explorer. Show all posts

Phishing Attack Abuses Windows Search Protocol to Deploy Malware

 



A recently developed phishing campaign has emerged, leveraging the Windows Search protocol to deliver malicious scripts to unsuspecting users. This sophisticated attack uses HTML attachments to exploit the search-ms URI, pushing harmful batch files hosted on remote servers.

The Windows Search protocol is a Uniform Resource Identifier (URI) that allows applications to open Windows Explorer and perform searches with specific parameters. Typically, these searches are conducted on the local device’s index. However, attackers have discovered that it’s possible to manipulate Windows Search to query file shares on remote hosts, presenting these remote files as if they were local.

The recent phishing attacks, as detailed in a report by Trustwave SpiderLabs, start with a seemingly innocuous email. The email contains an HTML attachment disguised as an invoice document within a ZIP archive. This ZIP file format helps evade many security and antivirus scanners that might not inspect the contents thoroughly.

Upon opening the HTML file, it uses a `<meta http-equiv="refresh">` tag to automatically redirect the browser to a malicious URL. A clickable anchor tag provides a fallback mechanism if the automatic redirect fails due to browser settings or other reasons. This URL exploits the Windows Search protocol to perform a search on a remote host.

The search parameters in this phishing attack are ingeniously crafted to mislead users. The query searches for items labeled "INVOICE," while the crumb parameter sets the search scope, directing it to a malicious server through Cloudflare. The display name is altered to "Downloads," giving the appearance of a legitimate interface. Additionally, Cloudflare's tunnelling service masks the server, making the remote resources appear as though they are local files.

The search results display a single shortcut (LNK) file named as an invoice. When the victim clicks on this file, it triggers a batch script (BAT) hosted on the same remote server.

The exact operations of the batch script remain unknown, as Trustwave researchers could not analyse it due to the server being offline at the time of their investigation. However, the potential for harmful activities, such as data theft or system compromise, is significant.

To defend against this threat, Trustwave suggests removing registry entries associated with the search-ms/search URI protocol. This can be done by executing specific commands in the registry editor. However, this action should be taken cautiously as it may disrupt legitimate applications and Windows features that rely on this protocol.

This new phishing method highlights the twisted tactics of cybercriminals and the importance of staying vigilant. Users and organisations must be aware of such threats and implement robust security measures to protect against these sophisticated attacks. Regular updates to security protocols and awareness training can help mitigate the risks posed by these kinds of phishing campaigns.