Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors. Let’s break down the HTML and the Windows search code to better understand their roles in the attack chain.

 

Phishing Email

The campaign starts with a suspicious email containing an HTML attachment disguised as a routine document, like an invoice. The threat actor encloses the HTML file within a ZIP archive to enhance deception and evade email security scanners.

This extra layer of obfuscation serves multiple purposes:

  • Shrinks the file size for faster transmission
  • Sidesteps scanners that may overlook compressed contents
  • And adds an extra step for users which can undermine simpler security measures.

Notably, this is a low-volume campaign, we have only seen a few examples.

Figure 1. MailMarshal extracts the HTML file from the ZIP archive.

Figure 1. MailMarshal extracts the HTML file from the ZIP archive.

 

HTML attachment

The HTML attachment in this campaign, while seemingly simple, is crafted to launch a sophisticated attack. Once opened, this HTML file abuses standard web protocols to exploit Windows system functionalities.

Figure 2. Code snippet of the HTML attachment.

Figure 2. Code snippet of the HTML attachment.

A key element in this HTML code, as illustrated in the above figure labeled 1, is the <meta http-equiv="refresh" tag and attribute. This attribute instructs the browser to automatically reload the page and redirect to a new URL, with a delay specified by the content attribute. In this scenario, the delay is set to zero, meaning the redirection occurs instantly as the page loads, giving the user no time to react or notice anything suspicious.

In addition to the automatic redirection, the HTML includes an anchor tag labeled 2, which serves as a fallback mechanism. If for some reason the meta refresh does not execute, possibly due to browser settings that block such redirects, the presence of the clickable link still poses a risk, enticing the user to manually initiate the search exploit.

 

Exploitation of the Search Protocol

Figure 3. Browsing prompt triggered upon execution of the search command.

Figure 3. Browsing prompt triggered upon execution of the search command.

 

When the HTML loads, browsers typically prompt the user to allow the search action. This security measure prevents unauthorized commands from executing potentially harmful operations without the user’s consent.

The redirection URL utilizes the search: protocol, a powerful but potentially risky feature that allows applications to interact directly with Windows Explorer's search function.

Figure 4. Code snippet of the Windows search query

Figure 4. Code snippet of the Windows search query

 

An attacker exploits this protocol to automatically open Windows Explorer and perform a search with parameters crafted by the threat actor:

  • query: Directs the search to look for items labeled as "INVOICE."
  • crumb: Controls the scope of the search, directing it to a specific directory, which in this threat is a malicious server tunneled via Cloudflare.
  • displayname: Helps deceive the user by renaming the search display to "Downloads," mimicking typical user interface names, which makes the malicious action appear legitimate.
  • location: Attackers abused Cloudflare’s tunneling service to hide their servers and mask their malicious operations. The integration of WebDAV allows for presenting remote resources as local. This makes the deception more convincing and harder for users to discern the malicious intent, as the files presented mimic legitimate documents.

The attack moves to its next phase after the user permits the search action. The search function retrieves invoice-named files from a remote server. Only one item, particularly a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations.

 

Figure 5.  Search window displaying results after invoking the search query.

Figure 5. Search window displaying results after invoking the search query.

At the time of our analysis, the payload (BAT) could not be retrieved as the server appeared to be down. Nonetheless, the attack shows a sophisticated understanding of system vulnerabilities and user behaviors.



Mitigation

One option to prevent the exploitation of the search-ms/search URI protocol is to disable these handlers by deleting associated registry entries. This can be achieved with the following commands:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f

We have deployed updates for MailMarshal customers that identify characteristics of the HTML file that abuses the search URI handler.

 

Conclusion

The HTML document serves as a crucial component in this attack, facilitating the execution of a script that exploits the Windows search functionality. While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks. However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments. As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics.

 

Indicators of Compromise

INVOICE#TBAVSA0JBSNA.html

md5 f77a4a27f749703165e2021fecd73db9
sha1 cbc3a8e762e0f2eda9e8a9bde348d04d1d7ce17e
sha256 d136dcfc355885c502ff2c3be229791538541b748b6c07df3ced95f9a7eb2f30
 
Remote URL tender-coding-bi-associate[.]trycloudflare[.]com@SSL\DavWWWRoot\google\INVOICE

Latest SpiderLabs Blogs

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for...

Read More