Windows Search Protocol Abused To Push Malicious Scripts

According to security researchers based at Trustwave, a sophisticated malware campaign has been detected. The attack campaign abuses the Windows search functionality embedded in HTML code to deploy malware.

Researchers found that the threat actors utilize a sophisticated understanding of system vulnerabilities and user behaviors to push malware onto unsuspecting victims who receive phishing emails as the first port of call.

Windows Search Protocol Abused To Push Malicious Scripts

Trustwave has published an article detailing how threat actors abuse the search protocol. In summary, the Windows Search Protocol is a Uniform Resource Identifier (URI) that enables applications to open Windows Explorer and perform searches using specific parameters.

Importantly, while most Windows searches will look at the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window, features both exploited by threat actors in this instance.

As noted by Trustwave researchers, the attack begins with a phishing email containing an HTML attachment disguised as a routine document, like an invoice. The threat actor encloses the HTML file within a ZIP archive to enhance deception and evade email security scanners.

This added layer of obfuscation in cunning for several reasons, including:

  • Shrinks the file size for faster transmission
  • Sidesteps scanners that may overlook compressed contents
  • It adds an extra step for users, which can undermine simpler security measures.

It would also appear that the threat actors are targeting specific victims, as researchers have not been able to find many email examples, or at least as many as other phishing campaigns have relied upon in the past. While deceptively simple, the HTML code in the malicious email launches a sophisticated attack.

Researchers noted,

A key element in this HTML code, as illustrated in the above figure labeled 1, is the < meta http-equiv="refresh" tag and attribute. This attribute instructs the browser to automatically reload the page and redirect to a new URL, with a delay specified by the content attribute. In this scenario, the delay is set to zero, meaning the redirection occurs instantly as the page loads, giving the user no time to react or notice anything suspicious…In addition to the automatic redirection, the HTML includes an anchor tag labeled 2, which serves as a fallback mechanism. If for some reason the meta refresh does not execute, possibly due to browser settings that block such redirects, the presence of the clickable link still poses a risk, enticing the user to manually initiate the search exploit.

Search Protocol Exploitation

When not abused by threat actors, HTML search requests prompt users to allow the search action. This security layer prevents unauthorized commands from executing potentially harmful operations without the user's consent.

However, the threat actor uses the inbuilt "search:" protocol coded into the HTML file. This allows the threat actor to interact directly with Windows Explorer's search function and modify the prompt not to appear suspicious or malicious.

In the attacks discovered by researchers, the threat actor exploits this protocol to open Windows Explorer and perform a search automatically. The attacker crafts the search to include some sneaky parameters, including the following parameters:

  • query: Directs the search for items labeled "INVOICE."
  • crumb: Controls the scope of the search, directing it to a specific directory, which in this threat is a malicious server tunneled via Cloudflare.
  • displayname: This trick helps deceive the user by renaming the search display to "Downloads," mimicking typical user interface names, making the malicious action appear legitimate.
  • location: Attackers abused Cloudflare's tunneling service to hide their servers and mask their malicious operations. The integration of WebDAV allows for presenting remote resources as local. This makes the deception more convincing and harder for users to discern the malicious intent, as the files presented mimic legitimate documents.

The attack moves to its next phase after the user permits the search action. The search function retrieves invoice-named files from a remote server. Only one item appears in the search results, particularly a shortcut (LNK) file.

This LNK file points to a batch script (BAT) hosted on the same server. If the user clicks the link, additional malicious operations are initiated. During the analysis, the payload (BAT) could not be retrieved as the server appeared to be down. However, the threat posed by the attack rests on the threat actor's knowledge of system vulnerabilities and user behaviors.

Researchers concluded,

The HTML document serves as a crucial component in this attack, facilitating the execution of a script that exploits the Windows search functionality. While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks. However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments. As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal