Hackers hijack Windows Search to bombard victims with malware

Experts have discovered a small-scale but very clever cybercrime campaign that abuses Windows search functionality to trick victims into downloading malware.

The campaign was discovered by cybersecurity researchers at Trustwave SpiderLabs, who described the campaign as both “smart” and low in volume.

“This technique cleverly conceals the attacker’s true intentions by leveraging users’ trust in familiar interfaces and common actions such as opening email attachments,” the researchers said in their report.

Be wary of your inbox

The attack starts with a phishing email posing as an invoice or something similar. It carries a .ZIP archive containing an HTML file; the compression lets it slip past antivirus and email security products that do not inspect compressed content.

The HTML file opens the browser and forces it to interact directly with Windows Explorer’s search function. Windows Explorer is then directed to search for items labeled “INVOICE” in a specific location: a remote server tunneled through Cloudflare. The search window is also renamed ‘Downloads’, so victims believe they are looking at a file they ‘downloaded’ rather than at the .ZIP archive.

Among the files then presented to victims is a shortcut document (.LNK) that points to a batch script (.BAT) hosted on the same server. This script, if activated, will trigger additional malicious operations.

Unfortunately, by the time the researchers began analyzing the campaign, the server had been shut down, so they could not obtain the payload. What type of malware the attackers distributed is therefore unknown.

To mitigate the threat, users can disable the search-ms/search URI protocol handlers by deleting the associated registry entries.
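The following PowerShell script is an added example of that mitigation; it is not code from the article or from the Trustwave report. It assumes the standard Windows registration of the two handlers under HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search (the article does not name the keys), audits whether each is present, exports a backup to a directory of the script's own choosing, and only then removes the key. Run it from an elevated prompt.

```powershell
# Added example (not from the article or the Trustwave report): audit, back up and
# remove the search-ms: and search: URI protocol handler registrations so that a
# browser can no longer hand a crafted search URI to Windows Explorer.
# Assumptions: the handlers live under HKEY_CLASSES_ROOT\<name> as on a default
# Windows install, and the backup directory below is a location chosen for this example.

$handlers  = @('search-ms', 'search')
$backupDir = Join-Path $env:ProgramData 'SearchHandlerBackup'   # assumed location

function Test-SearchHandler {
    # Returns $true if the protocol handler is still registered, i.e. the OS will
    # still route <name>: URIs to Explorer. A scheme is only honoured when the
    # 'URL Protocol' value exists on the key, so check for that as well.
    param([Parameter(Mandatory)][string]$Name)
    $key = "Registry::HKEY_CLASSES_ROOT\$Name"
    if (-not (Test-Path $key)) { return $false }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

function Backup-SearchHandler {
    # Exports the key to a .reg file so the handler can be restored with 'reg import'.
    param([Parameter(Mandatory)][string]$Name)
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $out = Join-Path $backupDir "$Name.reg"
    & reg.exe export "HKEY_CLASSES_ROOT\$Name" $out /y | Out-Null
    return $out
}

function Disable-SearchHandler {
    # Deletes the handler key (and subkeys); after this the URI scheme is unregistered.
    param([Parameter(Mandatory)][string]$Name)
    $key = "Registry::HKEY_CLASSES_ROOT\$Name"
    if (Test-Path $key) {
        Remove-Item -Path $key -Recurse -Force
    }
}

foreach ($h in $handlers) {
    if (Test-SearchHandler -Name $h) {
        $file = Backup-SearchHandler -Name $h
        Disable-SearchHandler -Name $h
        Write-Host "Removed HKCR\$h (backup saved to $file)"
    } else {
        Write-Host "HKCR\$h is not registered; nothing to do"
    }
}

# Verify the result: both handlers should now report StillRegistered = False.
$handlers | ForEach-Object {
    [pscustomobject]@{ Handler = $_; StillRegistered = (Test-SearchHandler -Name $_) }
}
```

Removing the keys also stops any legitimate feature that opens search-ms: links from working, which is why the script exports each key first; `reg import <file>.reg` from the backup directory restores the original registration. The Test-SearchHandler function can also be run on its own, for example from an endpoint management tool, to report which machines still have the handlers enabled.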

Alternatively, they should be wary of incoming emails with attachments: “As users continue to navigate an increasingly complex threat landscape, continuing education and proactive security strategies remain critical in protecting against such deceptive tactics,” the researchers concluded.

More from Ny Breaking