TapTechNews reported on June 13th that the cybersecurity company Trustwave had published a blog post on June 11th describing attackers who abuse the Windows Search protocol (search-ms URI) to push batch files hosted on remote servers and thereby distribute malware.
The Windows Search protocol is a Uniform Resource Identifier (URI) scheme; an application can invoke it to open Windows Explorer and run a search with specific parameters.
Although most Windows searches query the index on the local device, a search-ms URI can also force Windows Search to query file shares on remote hosts and to show a custom title in the search window.
Citing the Trustwave report, TapTechNews noted that there is already evidence of attackers distributing malware by abusing the Windows Search protocol.
Trustwave observed a malicious email carrying an HTML attachment disguised as an invoice, packed inside a small ZIP archive. The ZIP wrapper helps evade security/AV scanners, since such scanners may not be able to parse malicious content inside archives.
The HTML file uses a <meta http-equiv=refresh> tag so that the browser automatically opens the malicious URL as soon as the HTML document is loaded.
If the meta refresh fails, for example because browser settings block the redirect, an anchor tag serves as a fallback: it provides a clickable link to the malicious URL, although this requires the user to click it.
The attackers trigger the search on the remote host with the following parameters:
Query: Searches for items labelled INVOICE.
Crumb: Specifies the search scope, pointing to the malicious server through Cloudflare.
Displayname: Renames the search window to "Download" to imitate a legitimate interface.
Location: Uses Cloudflare's tunnel service to mask the server and presents the remote resource as if it were a local file, so it looks legitimate.
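As an added defender-side example (not code from the article or from Trustwave), the following Python flags HTML attachments whose meta refresh or anchor points at a search-ms: URI scoped to a remote share or URL, reading the parameters exactly as listed above; the sample HTML, the host name and the function names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample of the lure layout the article describes (meta refresh plus fallback
# anchor, both pointing at a search-ms: URI scoped to a remote share). Host is a placeholder.
LURE = ("search-ms:query=INVOICE&amp;crumb=location:%5C%5Cexample.invalid%5Cshare"
        "&amp;displayname=Download")
SAMPLE_HTML = f"""<html><head><meta http-equiv="refresh" content="0; url={LURE}"></head>
<body><a href="{LURE}">View invoice</a> <a href="https://example.invalid/help">Help</a></body></html>"""

REMOTE_SCOPE = re.compile(r"^(\\\\|//|https?://)", re.I)  # UNC path or URL: leaves the local index

class LinkCollector(HTMLParser):  # collects (source, url) pairs from meta-refresh and <a href>
    def __init__(self):
        super().__init__()  # default convert_charrefs also unescapes &amp; inside attributes
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S.*)$", a.get("content") or "", re.I)
            if m:
                self.urls.append(("meta-refresh", m.group(1).strip()))
        elif tag == "a" and a.get("href"):
            self.urls.append(("anchor", a["href"].strip()))

def parse_search_ms(uri):  # split a search-ms: URI into parameters; None for other schemes
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return params

def remote_scope(params):  # the remote location the search is scoped to, or None if local
    crumb = params.get("crumb", "")  # usually crumb=location:<path>; a bare location= is also checked
    loc = crumb[len("location:"):] if crumb.lower().startswith("location:") else params.get("location", "")
    return loc if REMOTE_SCOPE.match(loc) else None

def find_remote_search_lures(html):  # meta-refresh/anchor targets invoking search-ms remotely
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for source, url in collector.urls:
        params = parse_search_ms(url)
        loc = remote_scope(params) if params else None
        if loc:
            findings.append({"source": source, "location": loc, "displayname": params.get("displayname", "")})
    return findings
```

Run against SAMPLE_HTML it reports both the meta refresh and the fallback anchor, while a search-ms URI scoped to a local path such as C:\Users is left alone.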
To mitigate this kind of threat, Trustwave suggests removing the registry entries for the search-ms / search URI protocol handlers by running the following two commands from an elevated Command Prompt:
reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f