Experts have discovered a low-volume, but very clever, cybercrime campaign abusing the Windows search functionality to trick victims into downloading malware.
The campaign was discovered by cybersecurity researchers from Trustwave SpiderLabs, who described it as “clever” but low in volume.
“This technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments,” the researchers said in their write-up.
Be wary of your inbox
The attack starts with a phishing email pretending to be an invoice, or something similar. The attachment is a .ZIP archive containing an HTML file, which lets it slip past antivirus and email security products that do not inspect compressed contents.
The HTML file opens in the browser and forces it to hand off directly to Windows Explorer’s search function. Windows Explorer is then tasked with searching for items labeled “INVOICE” in a specific location – a remote server tunneled via Cloudflare. Furthermore, the search window is given the display name “Downloads”, tricking victims into thinking they are looking at a file they “downloaded”, rather than at remote content reached from the .ZIP archive.
Among the files then presented to the victims is a shortcut file (.LNK) that points to a batch script (.BAT) hosted on the same server. If the shortcut is opened, this script triggers additional malicious operations.
Unfortunately, by the time they started analyzing the campaign, the server was shut down, preventing the researchers from obtaining the payload. Therefore, it is impossible to know what kind of malware the attackers were distributing.
To mitigate the threat, users could disable the search-ms and search URI protocol handlers by deleting the associated registry entries.
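The registry-based mitigation described above, as an added PowerShell example that is not part of the article or of Trustwave’s write-up. It assumes an elevated session and that the handlers are registered under HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search (the key names Windows uses for these URI schemes); each key is exported with reg.exe before it is deleted so the change can be reversed.

```powershell
# Added example (not from the article): audit, back up and remove the search-ms / search
# URI protocol handlers so an HTML attachment can no longer hand the browser off to
# Windows Explorer search. Run from an elevated PowerShell session.
# Assumption: the handlers live at HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search.
param(
    [string]$BackupDir = "$env:ProgramData\search-ms-mitigation",
    [switch]$AuditOnly   # report what is registered without changing anything
)

$handlers = @('search-ms', 'search')
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($name in $handlers) {
    $regPath = "Registry::HKEY_CLASSES_ROOT\$name"
    if (-not (Test-Path $regPath)) {
        Write-Host "[ok] ${name}: handler not registered"
        continue
    }

    # A URI scheme handler's shell\open\command shows what a search-ms: link launches.
    $cmd = Get-ItemProperty -Path "$regPath\shell\open\command" -ErrorAction SilentlyContinue
    Write-Host "[found] ${name}: $($cmd.'(default)')"
    if ($AuditOnly) { continue }

    # Export first; the handler can be restored later with: reg.exe import <file>
    $backup = Join-Path $BackupDir "$name.reg"
    & reg.exe export "HKEY_CLASSES_ROOT\$name" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup of $name failed; not deleting" }

    Remove-Item -Path $regPath -Recurse -Force
    if (Test-Path $regPath) { throw "failed to remove $name" }
    Write-Host "[removed] ${name} (backup: $backup)"
}
```

Run with -AuditOnly first to see which handlers are present and what they launch; deleting the keys only disables the URI scheme, not Explorer’s local search box.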
Alternatively, they should be wary of incoming emails carrying attachments: “As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics,” the researchers concluded.