Hackers Abuse Windows Search Functionality To Deploy Malware

Hackers use Windows Search’s vulnerability to penetrate different layers and rooms in the client’s systems and execute unauthorized code by using bugs in the search functionality itself. 

This enables them to increase their privileges, disseminate viruses and malware, and steal confidential data by manipulating search queries or linking routines.

EHA

Cybersecurity researchers at Trustwave SpiderLabs recently identified hackers who have been actively using the Windows Search functionality to deploy malware.

This complex malware campaign uses the HTML Windows search to spread malware.

The attack is initiated through an email with a zipped archive that embeds a malicious HTML file, which looks like any other normal document used daily as its disguise strategy.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot.

It reduces file sizes for faster transmission, allows evasion from scanners that overlook zipped contents, and presents another layer to compromise basic security measures.

However, it’s small in scale, and the campaign reveals the extent to which threat actors have studied system vulnerabilities and user behavior.

MailMarshal extracts the HTML file from the ZIP archive (Source – Trustwave)

Clever code tricks use a malicious HTML attachment that exploits the Windows search functionality.

Trustwave said that the tag instantly redirects the browser to an exploit URL when opened, which helps prevent user intervention.

Alternatively, it contains a clickable link that could entice users to initiate the attack manually if the automatic redirection fails.

This is just one more approach by which these threat actors have shown their deep knowledge about how browsers work and what they can do with users by making them trust their malware payload.

Crafted search queries prompt Windows Explorer to execute such a search and abuse the search protocol by redirecting the browser using malicious HTML.

It checks for files that have “INVOICE” written on them but simultaneously focuses only on files within a remote malicious server tunneled through Cloudflare’s service.

The display name parameter gives the impression of legitimacy by renaming the search as “Downloads”.

By incorporating WebDAV, remote malicious files become visible as if they were local resources, making it difficult for users to identify malicious intent.

This group has, therefore, embarked on sophisticated exploitation of Windows search functionality and web protocols to facilitate their malware payload delivery with the maximum credibility possible.

Browsing prompt triggered upon execution of the search command (Source – Trustwave)

The Windows search URI protocol will be abused to attack and prevent by removing the associated registry entries through commands given.

Updates have been made by Trustwave to identify the malicious HTML attachment, which is meant to enable scripts that exploit the search functionality.

This social engineering attack does not use any automation but rather disguises malicious activities as everyday jobs, such as opening attachments, consequently taking advantage of users’ trust in typical interfaces.

Continuous user education and proactive security measures are essential as deceptive techniques change to counter this kind of threat in an ever-changing scenario.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.