Beyond File Search: A Novel Method

Researchers detail a novel attack that exploits Windows “search-ms” and “search” URI protocols via JavaScript on compromised pages and HTML attachments to perform remote searches and load malicious payloads. The campaign uses phishing emails, deceptive shortcuts, and remote access trojans (AsyncRAT and Remcos RAT), with SSL encryption and multiple file types to evade defenses; see the Trellix analysis for full details. #searchMS #SearchProtocol #Remcos #AsyncRAT

Key points

  • Novel abuse of Windows search-ms and search protocols to perform remote searches via JavaScript hosted on attacker-controlled pages.
  • Phishing emails and HTML/PDF attachments contain links or scripts that redirect users to compromised websites hosting the attack.
  • Attack workflow uses Windows Explorer to display remote search results (via PROPFIND/GET on WebDAV) and hides malicious activity with SSL encryption.
  • Deceptive LNK shortcut files and icon/name masquerading aim to persuade users to open malicious payloads executed via regsvr32.
  • PowerShell-based variants bypass execution policy and download/run DLL/EXE/ZIP payloads, with Visual Basic/JS/Batch components observed.
  • Payloads include AsyncRAT and Remcos RAT, with techniques like null-byte injection to evade detection.
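The key points above describe the pivot of the technique: a page or HTML attachment hands the browser a search-ms: or search: URI whose crumb=location: parameter points at a remote UNC/WebDAV share, so that Explorer renders attacker-hosted files as if they were local search results. A defender reviewing attachments or proxy-captured HTML can flag exactly that combination. The following scanner is an added example, not code from Trellix or from the campaign; the URI parameter names (query, crumb, displayname) are the documented Windows search-ms parameters, while the HTML sample, host names and query terms are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: mimics an HTML page that redirects via JavaScript to a
# search-ms URI and also carries two anchors. Host names are placeholders
# (.invalid TLD and the 203.0.113.0/24 documentation range), not real IoCs.
SAMPLE_HTML = """
<html><body>
<script>
  window.location.href = "search-ms:query=Review&crumb=location:%5C%5Cexample-webdav.invalid%5CDavWWWRoot&displayname=Downloads";
</script>
<a href="search:query=invoice&amp;crumb=location:C:\\Users">local search (benign)</a>
<a href="search-ms:query=report&crumb=location:\\\\203.0.113.10@SSL\\share&displayname=Reports">remote search</a>
</body></html>
"""

# Matches a search: or search-ms: URI up to the next quote, whitespace or tag delimiter.
SEARCH_URI_RE = re.compile(r"""\bsearch(?:-ms)?:[^"'\s<>]+""", re.IGNORECASE)


def parse_search_uri(uri):
    """Split 'scheme:key=value&key=value' into (scheme, {key: [values]}).
    Values are percent-decoded; keys are lower-cased. Repeated keys are kept."""
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    return scheme.lower(), params


def remote_location(params):
    """Return the crumb location when it names a remote (UNC / WebDAV) path,
    i.e. one starting with \\\\ or //; return None for local or absent crumbs."""
    for crumb in params.get("crumb", []):
        if crumb.lower().startswith("location:"):
            location = crumb[len("location:"):]
            if location.startswith("\\\\") or location.startswith("//"):
                return location
    return None


def find_remote_search_uris(page):
    """Scan HTML/JS text and return every search/search-ms URI whose crumb
    points at a remote share. HTML entities are unescaped first so that
    '&amp;'-separated parameters are parsed correctly."""
    text = html.unescape(page)
    hits = []
    for match in SEARCH_URI_RE.finditer(text):
        uri = match.group(0)
        scheme, params = parse_search_uri(uri)
        location = remote_location(params)
        if location is not None:
            hits.append({
                "scheme": scheme,
                "query": params.get("query", [""])[0],
                "location": location,
                "displayname": params.get("displayname", [""])[0],
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_search_uris(SAMPLE_HTML):
        print(f"[{hit['scheme']}] query={hit['query']!r} -> remote location {hit['location']!r}"
              f" shown as {hit['displayname']!r}")
```

Only the two URIs whose crumb resolves to a UNC path are reported; the local `C:\Users` search is ignored, which is the distinction that matters, since search-ms itself is a legitimate Windows feature and only the remote-location variant produces the Explorer-over-WebDAV behaviour described above. The same function can be run over extracted email attachments or proxy logs, and the `displayname` field is worth surfacing because it is the label the victim sees in the Explorer title bar.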

MITRE Techniques

  • [T1566.002] Spearphishing Link – ‘phishing emails containing hyperlinks or email attachments that redirect users to compromised websites.’
  • [T1059.001] PowerShell – ‘-ExecutionPolicy Bypass’ used to bypass the PowerShell execution policy.
  • [T1059.007] JavaScript – ‘attackers are directing users to websites that exploit the “search-ms” functionality using JavaScript hosted on the page.’
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – ‘malicious DLL file referenced in the command line is executed using the regsvr32.exe utility.’
  • [T1023] Shortcut Modification – ‘manipulating icons and file names for shortcut files.’
  • [T1083] File and Directory Discovery – ‘PROPFIND method to retrieve metadata or properties … to find items related to the term “Review”.’
  • [T1059.005] Visual Basic – ‘Visual Basic’ among file types used (Batch, PowerShell, Visual Basic, PHP and Office Macro files).
  • [T1012] Query Registry – ‘Query Registry’.
  • [T1573] Encrypted Channel – ‘SSL (Secure Sockets Layer) encryption’ used to conceal activity.
  • [T1105] Ingress Tool Transfer – ‘downloads payloads (DLL/EXE/ZIP) from remote servers.’
  • [T1027] Deobfuscate/Decode Files or Information – ‘Deobfuscate/Decode Files or Information.’

Indicators of Compromise

  • [Domain/Host/URLs] Context – dhqidgnmst61lc8gboy0qu4.webdav.drivehq.com, dhqidlu10mna2tuk2qfoaew.webdav.drivehq.com, and many others listed in the article
  • [Hash] LNK Files – 485d446c5892b931c0a3a238dca84bebb787052c877deb73f02ae5ee5632de9d, a2144301067495656391aaa937e47b27706d7db8ea7fd12412e7796196f91fe8, and other LNK hashes
  • [Hash] DLL Files – d6fcf0bcebcac7aa5e7b21b189dbd89f314f79871b770911a7d7b780207fb83d, d0b0f7842587afe7e23fc0218fd0a391996e72b1a804a6bfc33e97d9aecb6b2e
  • [Hash] EXE File – 19cd76a94c55380cc6b053b05eb8896fa1329f03d65a7937225196c356bb0c6a
  • [Hash] HTML Files – 9851dbd8a7e9b52e6745b7fb2ff854ce573d4a56be0cd0b700a30eca15e331e5
  • [Hash] PDF Files – bd33b3aa897df0702913dbecd5ad2f7e63df11f4c2a7e461dad7f89abe218a45, 540744100c8a0eba6c4d24fcee5df40a274ecd51f33c41e11dbe482bd32d271d, and others
  • [Hash] ISO File – cef2c8a040fe4d27843f601b76c13169fcc0f1d5c7f20e71e830967dffa89baa
  • [Hash] ZIP File – c7bdce98567809f96907d5a005ae7ff8295c63b9d93aa2a9846f903d688fd657
  • [Hash] ASYNCRAT From Memory – db27ba01238ce49683b68bc9c2b925caac6008ae178d14c0dce4cce161bde746

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html