Malware attacks leveraging Windows File Explorer and the WebDAV protocol have intensified, targeting European corporate networks since February 2024. According to GBHackers News, these campaigns escalated in September 2024.
Exploitation Tactics
Threat actors have been using direct links, URL shortcut files, and LNK shortcuts to covertly open remote WebDAV servers within File Explorer. This method has facilitated the deployment of remote access trojans such as AsyncRAT, XWorm RAT, and DcRAT.
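As an added example (not code from the report or from the original article), the following Python script shows how a defender could triage .url shortcut attachments of the kind described above: it parses the InternetShortcut target and flags files whose target would make File Explorer open a remote WebDAV or SMB share. The sample files, the allowlist name fileserver.corp.example and the RFC 5737 addresses are constructed placeholders.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample .url (InternetShortcut) files. Hosts are RFC 5737
# documentation addresses or reserved names; none of this is real lure content.
SAMPLES = {
    "intranet.url": "[InternetShortcut]\r\nURL=https://intranet.corp.example/finance\r\n",
    "rechnung.url": "[InternetShortcut]\r\nURL=file://203.0.113.10@SSL@443/DavWWWRoot/docs/\r\n",
    "share.url": "[InternetShortcut]\r\nURL=\\\\fileserver.corp.example\\invoices\\\r\n",
}

# Assumed allowlist of internal file servers (hypothetical name).
TRUSTED_HOSTS = {"fileserver.corp.example"}

# Corporate address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Markers in a UNC path that make Windows route the open through the
# WebClient (WebDAV) service instead of SMB.
WEBDAV_MARKERS = ("@ssl", "davwwwroot")


def shortcut_target(content):
    """Return the URL= value of a .url file, or None if it has none."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(content)
    if not parser.has_section("InternetShortcut"):
        return None
    # configparser lower-cases option names, so "URL" is looked up as "url".
    return parser.get("InternetShortcut", "url", fallback=None)


def remote_host(target):
    """Host of a UNC (\\\\host\\share) or file:// target; None for web URLs,
    which the shell hands to the browser rather than to File Explorer."""
    if target.startswith("\\\\"):
        host = target[2:].split("\\", 1)[0]
    else:
        parsed = urlparse(target)
        if parsed.scheme != "file" or not parsed.netloc:
            return None
        host = parsed.netloc
    # "host@SSL@443" is the Windows syntax for WebDAV over HTTPS; keep the bare host.
    return host.split("@", 1)[0].lower()


def is_internal_address(host):
    """True only for literal RFC 1918 addresses; names are judged by the allowlist."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def assess(content):
    """Classify one .url file as ("ok" | "suspicious", reason)."""
    target = shortcut_target(content)
    if target is None:
        return "ok", "no URL target"
    if any(marker in target.lower() for marker in WEBDAV_MARKERS):
        return "suspicious", "WebDAV UNC syntax in target: " + target
    host = remote_host(target)
    if host is None:
        return "ok", "web URL, not a share"
    if host in TRUSTED_HOSTS or is_internal_address(host):
        return "ok", "internal share on " + host
    return "suspicious", "shortcut opens a remote share on " + host


def scan(samples):
    """Map each file name to its verdict."""
    return {name: assess(content)[0] for name, content in samples.items()}


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, *assess(content))
```

The script covers only the .url variant of the lure; LNK shortcuts are a binary format and need a dedicated parser, but the same verdict logic (target host outside the corporate ranges, or WebDAV routing markers in the path) applies once the target path has been extracted.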
Target and Impact
The intrusions primarily involve phishing emails, with approximately half featuring fraudulent German-language financial invoices. The attacks have predominantly targeted corporate networks across Europe.
Preventive Measures
Researchers identified seven Cloudflare Tunnel domains hosting illicit WebDAV servers. Organizations are advised to disable unnecessary WebDAV client services and monitor for suspicious WebDAV, SMB, FTP, and CIFS traffic to mitigate risks.
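To make the monitoring advice concrete, here is an added Python example (not from the report or the original article) that applies three checks to constructed proxy/firewall log lines: WebDAV methods such as PROPFIND or MKCOL sent to hosts outside the organisation, connections carrying the user agent of the Windows WebClient service to external hosts, and SMB, CIFS/NetBIOS or FTP connections leaving the internal ranges. The log format, the host names and the addresses are assumed for the example, and corp.example is a hypothetical internal DNS zone.

```python
import ipaddress
import re

# Constructed proxy/firewall log lines in an assumed key=value format; hosts
# are RFC 5737 addresses or .invalid names, corp.example is a hypothetical
# internal zone.
SAMPLE_LOG = [
    'ts=2024-09-12T08:14:02Z src=10.20.3.41 dst=intranet.corp.example dport=443 method=PROPFIND ua="Microsoft-WebDAV-MiniRedir/10.0.19045"',
    'ts=2024-09-12T08:14:05Z src=10.20.3.41 dst=203.0.113.25 dport=445 method=- ua=-',
    'ts=2024-09-12T08:14:09Z src=10.20.3.41 dst=webdav-lure.invalid dport=443 method=PROPFIND ua="Microsoft-WebDAV-MiniRedir/10.0.19045"',
    'ts=2024-09-12T08:14:11Z src=10.20.3.41 dst=www.example.org dport=443 method=GET ua="Mozilla/5.0"',
    'ts=2024-09-12T08:14:15Z src=10.20.3.41 dst=10.20.0.5 dport=445 method=- ua=-',
    'ts=2024-09-12T08:14:20Z src=10.20.3.41 dst=198.51.100.9 dport=21 method=- ua=-',
    'ts=2024-09-12T08:14:23Z src=10.20.3.41 dst=webdav-lure.invalid dport=443 method=OPTIONS ua="Microsoft-WebDAV-MiniRedir/10.0.19045"',
]

# HTTP methods that only WebDAV clients issue.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User agent sent by the Windows WebClient (WebDAV redirector) service.
WEBCLIENT_UA = "Microsoft-WebDAV-MiniRedir"
# File-sharing protocols that should not cross the perimeter.
FILE_PROTOCOL_PORTS = {445: "smb", 139: "cifs", 21: "ftp"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS zone

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def is_internal(host):
    """Internal if the name is in the corporate zone or the address is RFC 1918."""
    if host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(fields):
    """Return (category, detail) for a suspicious connection, else None."""
    src, dst = fields.get("src", "?"), fields.get("dst", "")
    if not dst or is_internal(dst):
        return None
    port = int(fields.get("dport", "0"))
    method = fields.get("method", "-")
    ua = fields.get("ua", "-")
    where = f"{src} -> {dst}:{port}"
    if method in WEBDAV_METHODS:
        return "webdav-egress", f"{method} to an external host, {where}"
    if ua.startswith(WEBCLIENT_UA):
        return "webclient-egress", f"WebClient service contacted an external host, {where}"
    if port in FILE_PROTOCOL_PORTS:
        return f"{FILE_PROTOCOL_PORTS[port]}-egress", f"file-sharing port to an external host, {where}"
    return None


def detect(lines):
    """Run every line through classify() and collect the alerts in log order."""
    alerts = []
    for line in lines:
        verdict = classify(parse_line(line))
        if verdict is not None:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for category, detail in detect(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

The user-agent check matters because the WebClient service probes a server with OPTIONS and GET before it issues any WebDAV-specific method, so a rule keyed on PROPFIND alone sees the connection only after File Explorer has already started listing the remote share. Hosts that disable the WebClient service as the article recommends produce no such traffic at all, which turns any remaining hit into a strong signal.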