A recent malware campaign abuses the way Windows handles HTML, embedding code in attachments that invokes the “search:” URI protocol handler.
When the handler runs, it fetches a shortcut file (.LNK) from a remote server and shows it in Windows Explorer, disguised as a legitimate search result.
The phishing emails carry a ZIP archive containing an HTML attachment disguised as a document such as an invoice. Zipping the file shrinks it for faster transmission and evades email security scanners that do not inspect compressed content.
This extra layer tricks users into opening the attachment, potentially compromising their systems. While the campaign is currently low-volume, it demonstrates a new technique for phishing attempts.
The malicious HTML attachment used in these campaigns targets Windows systems: a meta refresh tag instantly redirects the user’s browser to a malicious URL as soon as the attachment is opened.
If the automatic redirection fails, an anchor tag in the same file provides a clickable link that launches the same attack. This fallback bypasses potential user awareness and increases the success rate of the exploit.
Attackers abuse the Windows search protocol (search:) to trigger a search directly within Windows Explorer. The protocol legitimately lets applications initiate search queries, but malicious actors use it to bypass user confirmation.
When a user runs a seemingly harmless search command, a browsing prompt appears as a security measure against unauthorized actions; in the background, however, the application uses the search protocol to execute a hidden search query, potentially leading to harmful actions without the user’s knowledge or consent.
In this campaign the attacker crafts a Windows Explorer search query for files named “INVOICE” inside a malicious directory presented as the user’s “Downloads” folder, hosted on a compromised server hidden behind Cloudflare’s tunneling service.
WebDAV integration makes the remote files appear local, which makes the lure more convincing. If the user allows the search, the results show a single shortcut file pointing to a malicious batch script on the remote server.
According to Trustwave SpiderLabs, the final payload could not be retrieved, but the exploit demonstrates the tactic of abusing user trust and system vulnerabilities.
Attackers are exploiting the search-ms/search URI protocol to launch attacks, and it can be abused through HTML documents to execute malicious scripts. While user interaction is required, attackers can trick users into clicking by disguising malicious files as trusted ones.
To mitigate this attack, users can delete the associated registry entries with the commands reg delete HKEY_CLASSES_ROOT\search /f and reg delete HKEY_CLASSES_ROOT\search-ms /f. Export the keys with reg export beforehand so the change can be reversed, because removing them also disables legitimate uses of the search-ms: handler.
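As an added example that is not code from the article or from Trustwave SpiderLabs, the following Python scanner applies the points above on the mail-gateway side: it opens a ZIP or bare HTML attachment, collects every meta-refresh and anchor target, parses any search:/search-ms: URI into its query, crumb location and displayname fields, and returns a block verdict when the location is remote. The sample lure, the host example.invalid and the share name are constructed placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import unquote

# URI schemes served by the Windows Search protocol handlers (HKCR\search, HKCR\search-ms).
SEARCH_SCHEMES = {"search", "search-ms"}
_SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.I)
_REFRESH_URL_RE = re.compile(r"""url\s*=\s*['"]?([^'"]+)""", re.I)


class _LinkCollector(HTMLParser):
    """Collect every target an HTML file can hand to the OS on its own:
    <meta http-equiv="refresh"> URLs (automatic) and <a href> links (fallback click)."""

    def __init__(self):
        super().__init__()
        self.targets = []  # (origin, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_URL_RE.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"].strip()))


def parse_search_uri(url):
    """Return the fields of a search:/search-ms: URI, or None for any other scheme.
    The URI body is a list of '&'-separated key=value pairs; the 'crumb' field
    carries 'location:<path>' and 'displayname' is the folder name Explorer shows."""
    m = _SCHEME_RE.match(url)
    if not m or m.group(1).lower() not in SEARCH_SCHEMES:
        return None
    params = {}
    for part in url[m.end():].split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = unquote(value)
    location = params.get("crumb", "")
    if location.lower().startswith("location:"):
        location = location[len("location:"):]
    # A UNC or http(s) location means the "search results" come from a remote
    # (WebDAV) share rather than the local disk, which is what makes the lure dangerous.
    remote = location.startswith("\\\\") or location.lower().startswith(("http://", "https://"))
    return {
        "scheme": m.group(1).lower(),
        "query": params.get("query", ""),
        "location": location,
        "displayname": params.get("displayname", ""),
        "remote": remote,
    }


def scan_html(html_text, source="attachment"):
    """Return one finding per search-protocol target in the HTML."""
    collector = _LinkCollector()
    collector.feed(html_text)
    findings = []
    for origin, url in collector.targets:
        info = parse_search_uri(url)
        if info:
            findings.append({"source": source, "origin": origin, "uri": url, **info})
    return findings


def scan_attachment(data, filename):
    """Scan a raw attachment, looking inside ZIP archives because the lure is
    zipped to slip past scanners that skip compressed content."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith((".htm", ".html")):
                    text = zf.read(name).decode("utf-8", errors="replace")
                    findings.extend(scan_html(text, source=f"{filename}:{name}"))
        return findings
    return scan_html(data.decode("utf-8", errors="replace"), source=filename)


def verdict(findings):
    """'block' when any search-protocol target points at a remote location."""
    return "block" if any(f["remote"] for f in findings) else "allow"


# Constructed sample lure (not a real sample): a zipped HTML "invoice" whose meta
# refresh and fallback link both open a search-ms: query against a UNC path that
# Explorer would label "Downloads".
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&crumb=location:%5C%5Cexample.invalid%5Cshare&displayname=Downloads">
</head><body>
<p>If you are not redirected, <a href="search-ms:query=INVOICE&crumb=location:%5C%5Cexample.invalid%5Cshare&displayname=Downloads">click here</a>.</p>
<a href="https://example.invalid/help">Help</a>
</body></html>
"""


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_attachment(build_sample_zip(), "invoice.zip")
    for f in results:
        print(f"{f['source']} [{f['origin']}] {f['scheme']}: query={f['query']!r} "
              f"location={f['location']!r} displayname={f['displayname']!r}")
    print("verdict:", verdict(results))
```

The scanner keys on the URI scheme rather than on specific strings such as "INVOICE" or "Downloads", since those are the attacker's choice and will change; the remote-location check is what separates this lure from a harmless local search link.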