Windows users, beware of this ‘Windows Search’ malware attack

Trustwave SpiderLabs notes that the Windows Search exploit by hackers is a low-volume malware campaign, for now.

June 14, 2024 / 06:12 IST
Microsoft Windows

Hackers are abusing Windows Search functionality to deploy malware, according to a report by cybersecurity firm Trustwave SpiderLabs.

The malware attack starts with a phishing email

First, hackers send a “suspicious email containing an HTML attachment disguised as a routine document, like an invoice.” An HTML file is hidden within a ZIP archive so that it can bypass email security scanners.

What the hidden HTML file does

As per Trustwave SpiderLabs researchers, once the victim opens the HTML attachment, a <meta> tag carrying the http-equiv="refresh" attribute “instructs the browser to automatically reload the page and redirect to a new URL”.

If the browser does not reload the page on its own, the hackers have also included a fallback in the form of a clickable link. When the user clicks on the link, they trigger the Windows Search exploit.

“The redirection URL utilises the search: protocol, a powerful but potentially risky feature that allows applications to interact directly with Windows Explorer's search function,” says the report by Trustwave SpiderLabs.

Exploiting the search protocol by using specific parameters

Hackers then exploit the search protocol to automatically open Windows Explorer and perform a search with parameters chosen by them.

The parameters are “query”, “crumb”, “displayname” and “location”. Here’s what each of them does:

query: Directs Windows Search to look for items labeled as "INVOICE."

crumb: Directs Windows Search to a malicious server tunneled via Cloudflare.

displayname: Renames the search display to "Downloads," to trick the user into believing that the malicious action is a legitimate one.

location: With their server location hidden, hackers now present malicious files to the victim that mimic legitimate documents.

The Windows search function now retrieves invoice-named files from a remote server.

Among such files is a shortcut document (.LNK) that leads to a batch script (.BAT) hosted on the same remote server. If the victim clicks on this batch script, it triggers more malicious operations.
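A defender who wants to catch this kind of attachment at the mail gateway needs to look inside the HTML (and inside the ZIP that wraps it) for the redirect. The following Python scanner is an added example written for this article; it is not code from Trustwave SpiderLabs or Moneycontrol. It builds a constructed sample attachment of the shape the article describes (the server name share.example.invalid is a placeholder, not a real indicator), then flags any meta-refresh target or hyperlink that uses the search: or search-ms: scheme and breaks the URI into its query, crumb and displayname parameters so an analyst can see where the search would be pointed. The regular expressions assume the http-equiv attribute precedes content inside the <meta> tag.

```python
import html
import io
import re
import zipfile
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample attachment modelled on the article's description.
# "share.example.invalid" is a placeholder; it is not a real indicator.
_SEARCH_URI = (
    "search-ms:query=INVOICE"
    "&crumb=location:%5C%5Cshare.example.invalid"
    "&displayname=Downloads"
)
SAMPLE_HTML = f"""<html><head>
<meta http-equiv="refresh" content="0; url={html.escape(_SEARCH_URI)}">
</head><body>
<p>Your invoice is ready.</p>
<a href="{html.escape(_SEARCH_URI)}">Click here if the page does not open</a>
</body></html>""".encode()

# Schemes that hand the URL to Windows Explorer's search function.
SEARCH_SCHEMES = ("search:", "search-ms:")

# Assumes the http-equiv attribute appears before content in the tag.
_META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']([^"\']*)["\']',
    re.I,
)
_HREF = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.I)


@dataclass
class Finding:
    source: str                      # "meta-refresh" or "href"
    uri: str                         # the raw search URI found
    params: dict = field(default_factory=dict)


def parse_search_uri(uri: str) -> dict:
    """Split a search:/search-ms: URI into lower-cased name -> decoded value."""
    body = uri.split(":", 1)[1]
    params = {}
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    return params


def scan_html(text: str) -> list:
    """Return a Finding for every meta refresh or link that targets Windows Search."""
    findings = []
    for m in _META_REFRESH.finditer(text):
        content = html.unescape(m.group(1))        # e.g. "0; url=<target>"
        url_match = re.search(r"url\s*=\s*(.+)", content, re.I)
        if url_match:
            target = url_match.group(1).strip()
            if target.lower().startswith(SEARCH_SCHEMES):
                findings.append(Finding("meta-refresh", target, parse_search_uri(target)))
    for m in _HREF.finditer(text):
        target = html.unescape(m.group(1)).strip()
        if target.lower().startswith(SEARCH_SCHEMES):
            findings.append(Finding("href", target, parse_search_uri(target)))
    return findings


def scan_attachment(data: bytes) -> list:
    """Scan a raw HTML attachment, or every .htm/.html member of a ZIP archive."""
    if data.startswith(b"PK\x03\x04"):              # ZIP local file header
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith((".htm", ".html")):
                    findings.extend(scan_html(zf.read(name).decode("utf-8", "replace")))
        return findings
    return scan_html(data.decode("utf-8", "replace"))


def build_sample_zip() -> bytes:
    """Wrap the constructed HTML in a ZIP, as the article says the attackers do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2024.html", SAMPLE_HTML)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_attachment(build_sample_zip()):
        print(finding.source, finding.uri, finding.params)
```

Running the block scans the constructed ZIP and reports two findings, one for the meta refresh and one for the fallback link, each with query "INVOICE", displayname "Downloads" and a crumb pointing at the placeholder share. A gateway rule can simply quarantine any attachment for which scan_attachment returns a non-empty list; a benign HTML file with ordinary https: links produces none.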

How to prevent the Windows Search exploit

As per Trustwave SpiderLabs, one way to prevent exploitation of the search-ms/search URI protocol is “to disable these handlers by deleting associated registry entries.”

Use the following commands:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f


Utkarsh Saurbh
first published: Jun 14, 2024 06:11 am
