A new phishing campaign is exploiting the Windows search protocol (search-ms URI) to deliver malware via HTML attachments. These attachments push batch files hosted on remote servers, making use of Windows Search’s ability to query file shares on remote hosts and use custom titles for search windows. This tactic allows attackers to share malicious files on remote servers, a method initially highlighted in a 2020 thesis by Prof. Dr. Martin Johns.
In June 2022, security researchers devised an attack chain that exploited a Microsoft Office flaw to initiate searches directly from Word documents. Now, Trustwave SpiderLabs reports that threat actors are actively using this technique in the wild. The attack begins with a malicious email containing an HTML attachment disguised as an invoice document within a small ZIP archive, designed to evade security and antivirus scanners.
The HTML file employs a <meta http-equiv=”refresh”> tag to automatically open a malicious URL when viewed. If this redirect fails, a clickable anchor tag serves as a fallback mechanism. The URL triggers the Windows Search protocol to perform a search on a remote host, using parameters like “Query,” “Crumb,” “Displayname,” and “Location” to disguise the operation and appear legitimate. The search results display a shortcut (LNK) file named as an invoice, which, when clicked, activates a batch script (BAT) from the remote server.
Trustwave was unable to determine the exact actions of the BAT file as the server was down during their analysis, but the potential for harmful operations is significant. To mitigate this threat, Trustwave recommends deleting registry entries associated with the search-ms/search URI protocol. However, this action should be taken with caution as it can disrupt legitimate applications and integrated Windows features that rely on this protocol
Reference:
