Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors. Let’s break down the HTML and the Windows search code to better understand their roles in the attack chain.

Phishing Email

The campaign starts with a suspicious email containing an HTML attachment disguised as a routine document, like an invoice. The threat actor encloses the HTML file within a ZIP archive to enhance deception and evade email security scanners.

This extra layer of obfuscation serves multiple purposes:

• Shrinks the file size for faster transmission
• Sidesteps scanners that may overlook compressed contents
• And adds an extra step for users which can undermine simpler security measures.

Notably, this is a low-volume campaign, we have only seen a few examples.

Figure 1. MailMarshal extracts the HTML file from the ZIP archive.

HTML attachment

The HTML attachment in this campaign, while seemingly simple, is crafted to launch a sophisticated attack. Once opened, this HTML file abuses standard web protocols to exploit Windows system functionalities.

Figure 2. Code snippet of the HTML attachment.

A key element in this HTML code, as illustrated in the above figure labeled 1, is the <meta http-equiv="refresh" tag and attribute. This attribute instructs the browser to automatically reload the page and redirect to a new URL, with a delay specified by the content attribute. In this scenario, the delay is set to zero, meaning the redirection occurs instantly as the page loads, giving the user no time to react or notice anything suspicious.

In addition to the automatic redirection, the HTML includes an anchor tag labeled 2, which serves as a fallback mechanism. If for some reason the meta refresh does not execute, possibly due to browser settings that block such redirects, the presence of the clickable link still poses a risk, enticing the user to manually initiate the search exploit.

Exploitation of the Search Protocol

Figure 3. Browsing prompt triggered upon execution of the search command.

When the HTML loads, browsers typically prompt the user to allow the search action. This security measure prevents unauthorized commands from executing potentially harmful operations without the user’s consent.

The redirection URL utilizes the search: protocol, a powerful but potentially risky feature that allows applications to interact directly with Windows Explorer's search function.

Figure 4. Code snippet of the Windows search query

An attacker exploits this protocol to automatically open Windows Explorer and perform a search with parameters crafted by the threat actor:

• query: Directs the search to look for items labeled as "INVOICE."
• crumb: Controls the scope of the search, directing it to a specific directory, which in this threat is a malicious server tunneled via Cloudflare.
• displayname: Helps deceive the user by renaming the search display to "Downloads," mimicking typical user interface names, which makes the malicious action appear legitimate.
• location: Attackers abused Cloudflare’s tunneling service to hide their servers and mask their malicious operations. The integration of WebDAV allows for presenting remote resources as local. This makes the deception more convincing and harder for users to discern the malicious intent, as the files presented mimic legitimate documents.

The attack moves to its next phase after the user permits the search action. The search function retrieves invoice-named files from a remote server. Only one item, particularly a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations.

Figure 5. Search window displaying results after invoking the search query.

At the time of our analysis, the payload (BAT) could not be retrieved as the server appeared to be down. Nonetheless, the attack shows a sophisticated understanding of system vulnerabilities and user behaviors.

Mitigation

One option to prevent the exploitation of the search-ms/search URI protocol is to disable these handlers by deleting associated registry entries. This can be achieved with the following commands:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f

We have deployed updates for MailMarshal customers that identify characteristics of the HTML file that abuses the search URI handler.

Conclusion

The HTML document serves as a crucial component in this attack, facilitating the execution of a script that exploits the Windows search functionality. While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks. However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments. As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics.

Indicators of Compromise

INVOICE#TBAVSA0JBSNA.html

md5 f77a4a27f749703165e2021fecd73db9
sha1 cbc3a8e762e0f2eda9e8a9bde348d04d1d7ce17e
sha256 d136dcfc355885c502ff2c3be229791538541b748b6c07df3ced95f9a7eb2f30
 
Remote URL tender-coding-bi-associate[.]trycloudflare[.]com@SSL\DavWWWRoot\google\INVOICE