Experts have discovered a low-volume, but very clever, cybercrime campaign that abuses the Windows search function to trick victims into downloading malware.
The campaign was discovered by cybersecurity researchers at Trustwave SpiderLabs, who described it as “smart” and low-volume.
“This technique cleverly conceals the attacker's true intent, exploiting the trust users place in familiar interfaces and common actions such as opening email attachments,” the researchers said in their paper.
Be careful with your inbox
The attack begins with a phishing email posing as an invoice or something similar. It carries a .ZIP archive containing an HTML file, which lets it slip past antivirus and email security programs that ignore compressed content.
The HTML file opens the browser and forces it to interact directly with the Windows Explorer search function. Windows Explorer is then tasked with searching for items labeled “INVOICE” in a specific location: a remote server connected through Cloudflare. Additionally, the search window is renamed to “Downloads,” which tricks victims into believing that they are viewing a file they “downloaded” rather than the contents of the .ZIP file.
Among the files that are then presented to victims is a shortcut document (.LNK) that points to a batch script (.BAT) hosted on the same server. This script, if activated, triggers additional malicious operations.
Unfortunately, by the time the researchers began analyzing the campaign, the server was already down, so they could not obtain the payload. It is therefore impossible to know what type of malware the attackers were distributing.
To mitigate the threat, users can disable the search-ms/search URI protocol handlers by deleting the associated registry entries.
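The mitigation above, as an added example that is not part of the article or the Trustwave paper: a PowerShell script that shows what each URI scheme currently launches, exports a backup of the key, and then removes the handler. It assumes the handlers are registered under HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search (the standard location on Windows 10/11) and must be run from an elevated session; the backup directory name is an arbitrary choice.

```powershell
# Added example (not from the article or Trustwave): inspect, back up and remove
# the search-ms / search URI protocol handlers. Run from an elevated PowerShell.
# Assumption: handlers live under HKEY_CLASSES_ROOT\search-ms and \search.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed backup location; any writable directory works.
    [string]$BackupDir = "$env:ProgramData\uri-handler-backup"
)

$handlers = @('search-ms', 'search')

foreach ($name in $handlers) {
    $keyPath = "Registry::HKEY_CLASSES_ROOT\$name"
    if (-not (Test-Path $keyPath)) {
        Write-Host "$name handler not registered; nothing to do."
        continue
    }

    # Show what a browser-launched "$name:" URI would hand to Explorer.
    $cmdKey = Join-Path $keyPath 'shell\open\command'
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        Write-Host "$name handler currently opens: $cmd"
    }

    # Export the key first so the change can be reverted with 'reg import'.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backupFile = Join-Path $BackupDir "$name.reg"
    & reg.exe export "HKEY_CLASSES_ROOT\$name" $backupFile /y | Out-Null

    # Honour -WhatIf / -Confirm so the script can be dry-run before deployment.
    if ($PSCmdlet.ShouldProcess("HKCR\$name", 'Remove URI protocol handler')) {
        Remove-Item -Path $keyPath -Recurse -Force
        Write-Host "Removed HKCR\$name (backup at $backupFile)."
    }
}

# Verify: neither scheme should resolve to a handler any more.
foreach ($name in $handlers) {
    $state = if (Test-Path "Registry::HKEY_CLASSES_ROOT\$name") { 'still present' } else { 'removed' }
    Write-Host "$name : $state"
}
```

Run it once with `-WhatIf` to see which keys would be removed, then without. Removing the handlers also breaks legitimate uses of search-ms links (for example saved searches that open through the browser), so test the change on a pilot group and keep the exported .reg files for rollback.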
Users should also be wary of incoming emails containing attachments: “As users continue to navigate an increasingly complex threat landscape, continued education and proactive security strategies remain paramount to protect against such misleading tactics,” the researchers concluded.