Windows

A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware.

The Windows Search protocol is a Uniform Resource Identifier (URI) that enables applications to open Windows Explorer to perform searches using specific parameters.

While most Windows searches will look at the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.

Attackers can exploit this functionality to share malicious files on remote servers, as Prof. Dr. Martin Johns first highlighted in a 2020 thesis.

In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents.

Trustwave SpiderLabs researchers now report that this technique is used in the wild by threat actors who are using HTML attachments to launch Windows searches on attackers' servers.

Abusing Windows Search

The recent attacks described in the Trustwave report start with a malicious email carrying an HTML attachment disguised as an invoice document placed within a small ZIP archive. The ZIP helps evade security/AV scanners that may not parse archives for malicious content.

Email attachment
Email attachment
Source: Trustwave

The HTML file uses the <meta http-equiv= "refresh"> tag to cause the browser to automatically open a malicious URL when the HTML document is opened.

HTML file content
HTML file content
Source: Trustwave

If the meta refresh fails due to browser settings blocking redirects or other reasons, an anchor tag provides a clickable link to the malicious URL, acting as a fallback mechanism. This, however, requires user action.

The search prompt and the "failsafe" link
The search prompt and the "failsafe" link
Source: Trustwave

In this case, the URL is for the Windows Search protocol to perform a search on a remote host using the following parameters:

  • Query: Searches for items labeled "INVOICE."
  • Crumb: Specifies the search scope, pointing to a malicious server via Cloudflare.
  • Displayname: Renames the search display to "Downloads" to mimic a legitimate interface.
  • Location: Uses Cloudflare's tunneling service to mask the server, making it look legitimate by presenting remote resources as local files.

Next, the search retrieves the list of files from the remote server, displaying a single shortcut (LNK) file named as an invoice. If the victim clicks on the file, a batch script (BAT) hosted on the same server is triggered.

Search result
Search result
Source: Trustwave

Trustwave couldn't establish what the BAT does, as the server was down at the time of their analysis, but the potential for risky operations is high.

To defend against this threat, Trustwave recommends deleting registry entries associated with the search-ms/search URI protocol by executing the following commands:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f

However, this should be done carefully, as it would also prevent legitimate applications and integrated Windows features that rely on this protocol, from working as intended.

Related Articles:

New attack uses MSC files and Windows XSS flaw to breach networks

Microsoft Photos update brings requested features to Windows 11

CISA warns of Windows bug exploited in ransomware attacks

Microsoft removes Copilot app ‘incorrectly’ added on Windows PCs

Microsoft deprecates Windows DirectAccess, recommends Always On VPN