Sophisticated Phishing Campaign Exploits Windows Search Protocol to Deliver Malware

A new, highly sophisticated phishing campaign has been detected by Trustwave that leverages HTML attachments to exploit the Windows search protocol, delivering malware through batch files hosted on remote servers. This article summarizes the mechanisms of the attack, mitigation measures, and insights into preventing such threats.

Phishing Campaign Overview

Researchers at Trustwave cybersecurity firm have identified a phishing campaign that uses HTML attachments disguised as routine documents like invoices. These attachments exploit the Windows search protocol (search-ms URI) to push malicious batch files from remote servers, bypassing traditional security measures. Here’s an in-depth look at how this attack unfolds.

Attack Mechanism

1. Email Delivery

The attack begins with a phishing email containing an HTML attachment, disguised as an invoice and compressed within a ZIP archive. This obfuscation technique serves multiple purposes:

  • Evasion of Security Scanners: Compressing the HTML file within a ZIP archive helps evade email security scanners that may not parse the contents of compressed files.
  • File Size Reduction: The ZIP archive reduces the file size, ensuring faster transmission and lowering suspicion.
  • Added Layer of Deception: The additional step of decompressing the file can undermine simpler security measures and deceive users into believing the attachment is legitimate.

2. HTML Attachment Exploitation

Once the user opens the HTML file, it utilizes the <meta http-equiv="refresh"> tag to automatically redirect the browser to a malicious URL. Key elements include:

  • Automatic Redirection: The HTML file instructs the browser to reload and redirect to a new URL instantly, giving users no time to react or notice suspicious activity.
  • Fallback Mechanism: An anchor tag serves as a clickable link if the automatic redirection fails due to browser settings, enticing the user to manually initiate the malicious action.

3. Exploitation of Windows Search Protocol

The malicious URL employs the Windows search protocol to perform a search on a remote host with the following parameters:

  • Query: Directs the search to look for items labeled “INVOICE.”
  • Crumb: Specifies the search scope pointing to a malicious server tunneled via Cloudflare.
  • Displayname: Renames the search display to “Downloads” to mimic a legitimate interface and deceive the user.
  • Location: Uses Cloudflare’s tunneling service to mask the server, presenting remote resources as local files, enhancing the deception.

4. Execution of Malicious Files

The search results display a shortcut (LNK) file named as an invoice. If the victim clicks on this file, it triggers a batch script (BAT) hosted on the same server. Although the exact actions of the BAT could not be determined as the server was down during analysis, the potential for risky operations remains high.

Indicators of Compromise (IOCs)

  • HTML File: INVOICE#TBAVSA0JBSNA.html
    • MD5: f77a4a27f749703165e2021fecd73db9
    • SHA1: cbc3a8e762e0f2eda9e8a9bde348d04d1d7ce17e
    • SHA256: d136dcfc355885c502ff2c3be229791538541b748b6c07df3ced95f9a7eb2f30
  • Remote URL: tender-coding-bi-associate[.]trycloudflare[.]com@SSL\DavWWWRoot\google\INVOICE

Mitigation Measures

To defend against this threat, it is recommended to delete registry entries associated with the search-ms/search URI protocol:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f

However, this action should be taken with caution as it may affect legitimate applications relying on this protocol.

Conclusion

This phishing campaign underscores the attackers’ sophisticated understanding of system vulnerabilities and user behaviors. By exploiting the Windows search protocol and leveraging HTML attachments, attackers can bypass traditional cybersecurity measures and deceive users into executing malicious operations.