Phishing Email Bypasses Antivirus, Leads to Malicious Operations

12 Jun 2024

The attack starts with a phishing email posing as an invoice or a similar business document. It carries a .ZIP archive containing an HTML file, and so slips past antivirus and email security products that do not inspect compressed contents.

When opened, the HTML file makes the browser hand a search URI straight to Windows Explorer's search function. Explorer is then told to search for items labeled "INVOICE" in a specific location: a remote server tunneled via Cloudflare. The search window's display name is also set to "Downloads", so victims believe they are looking at the file they just "downloaded" rather than at the contents of a remote share.

Among the files presented to the victim is a shortcut (.LNK) that points to a batch script (.BAT) hosted on the same server. If the shortcut is opened, the script runs and triggers the next stage of the attack.
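A mail gateway or incident responder can check for the attachment pattern described above without opening the HTML in a browser: unpack the .ZIP in memory and look for HTML members that reference the search-ms: or search: URI schemes. The following PowerShell is an added example written for this article, not code from the researchers or from the campaign; the function name, the regex, and the constructed sample archive (with the placeholder host host.example.invalid) are this example's own.

```powershell
# Added example: flag HTML files inside a .zip that carry search-ms:/search: URIs.
# Function name, regex and sample data are assumptions made for this example.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-SearchUriInZip {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZipPath
    )
    # Match "search-ms:" or "search:" followed by at least one non-delimiter character.
    $pattern = '(?i)\bsearch(-ms)?:[^"''<>\s]+'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -notmatch '\.html?$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($m in [regex]::Matches($text, $pattern)) {
                [pscustomobject]@{
                    Archive        = $ZipPath
                    Member         = $entry.FullName
                    Uri            = $m.Value
                    # crumb=location: is the parameter that points Explorer at a remote share
                    RemoteLocation = [bool]($m.Value -match 'crumb=location:')
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample archive so the function can be exercised offline.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ('searchms-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$html = '<a href="search-ms:query=INVOICE&crumb=location:\\host.example.invalid\share&displayname=Downloads">Invoice</a>'
Set-Content -Path (Join-Path $tmp 'Invoice.html') -Value $html
Compress-Archive -Path (Join-Path $tmp 'Invoice.html') -DestinationPath (Join-Path $tmp 'Invoice.zip')
Find-SearchUriInZip -ZipPath (Join-Path $tmp 'Invoice.zip') | Format-List
Remove-Item -Recurse -Force $tmp
```

Run it against a suspect attachment with `Find-SearchUriInZip -ZipPath .\invoice.zip`. A hit with `RemoteLocation` set to true is the strongest signal, since legitimate HTML has no reason to point Explorer at a network share. The check is a plain-text match, so an HTML file that assembles the URI from script fragments will not be caught; treat a clean result as "nothing obvious", not as a verdict.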

Unfortunately, by the time the researchers began analyzing the campaign the server had already been shut down, so they could not obtain the payload. It is therefore not known what malware the attackers were distributing.

Mitigation Strategies

To mitigate the threat, users can disable the search-ms and search URI protocol handlers by deleting the associated registry entries, so that a browser can no longer hand such a link to Windows Explorer. They should also remain wary of incoming emails carrying attachments: “As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics,” the researchers concluded.
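The registry change above can be audited and applied with PowerShell. The script below is an added example, not the researchers' own tooling; it assumes the two handlers are registered at HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search (the keys named in Microsoft's earlier workaround guidance for the search-ms scheme), and the function names and backup location are this example's choices. It exports each key before removal so the change can be undone by re-importing the .reg file.

```powershell
# Added example: audit and optionally remove the search-ms:/search: protocol handlers.
# Assumed key locations; adjust $HandlerKeys if your build registers them elsewhere.
# Run from an elevated PowerShell session.
$HandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\search-ms',
    'Registry::HKEY_CLASSES_ROOT\search'
)

function Get-SearchProtocolHandler {
    # Report whether each handler key exists, whether it is flagged as a URL protocol,
    # and which command Explorer would run for it.
    foreach ($key in $HandlerKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $cmd   = Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key        = $key
                Present    = $true
                IsProtocol = $null -ne $props.PSObject.Properties['URL Protocol']
                Command    = if ($cmd) { $cmd.'(default)' } else { $null }
            }
        } else {
            [pscustomobject]@{ Key = $key; Present = $false; IsProtocol = $false; Command = $null }
        }
    }
}

function Disable-SearchProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $BackupDir = (Join-Path $env:TEMP 'search-handler-backup')
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $HandlerKeys) {
        if (-not (Test-Path $key)) { continue }
        $regPath = $key -replace '^Registry::', ''
        $backup  = Join-Path $BackupDir ((($regPath -split '\\')[-1]) + '.reg')
        # reg.exe export writes a file that "reg import" can restore later.
        & reg.exe export $regPath $backup /y | Out-Null
        if ($PSCmdlet.ShouldProcess($regPath, 'Remove protocol handler key')) {
            Remove-Item -Path $key -Recurse -Force
            Write-Verbose "Removed $regPath (backup: $backup)"
        }
    }
}

# Usage: inspect first, dry-run, then apply.
Get-SearchProtocolHandler | Format-Table -AutoSize
Disable-SearchProtocolHandler -WhatIf
# Disable-SearchProtocolHandler -Verbose
```

`Get-SearchProtocolHandler` shows the current state so the change can be verified afterwards (both keys should report `Present` as false). The `-WhatIf` run prints what would be deleted without touching the registry. Removing the keys only affects the URI handoff from browsers and other applications; Explorer's own search box keeps working, but any internal tool that relies on search-ms: links will stop opening them, so test on a pilot group before rolling the change out by GPO or endpoint management.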
