Cybercrime campaign exploits Windows Search to spread malware
A new, sophisticated cybercrime campaign has been discovered that exploits Windows search functionality to trick users into downloading malware. Security researchers at Trustwave SpiderLabs identified this campaign and described it as both ingenious and limited in scope.
The attack begins with a phishing email disguised as an invoice. The email carries a ZIP archive containing an HTML document, a packaging that slips past antivirus and email security systems that often do not inspect the contents of compressed files.
Opening the HTML file launches a browser, which in turn invokes the search function of Windows Explorer. The search is set up to look for "INVOICE" files in a specific directory hosted on a server routed through Cloudflare. To further deceive victims, the search window is renamed "Downloads," so users believe they are looking at a file they have just downloaded rather than at the contents of the ZIP archive.
Among the displayed files is a shortcut (.LNK) that points to a batch script (.BAT) on the same server. When executed, the script triggers further malicious operations.
Unfortunately, by the time the researchers began analyzing the campaign, the server had been taken down, which prevented them from identifying the exact nature of the malware being distributed. To mitigate this threat, users can disable the search-ms: and search: URI protocol handlers by deleting the corresponding registry entries, and should in any case treat emails with attachments with caution.
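As an added example (not Trustwave's code or part of the original article), the following Python scans a ZIP email attachment for HTML that invokes the search-ms: or search: handler against a remote location or relabels the results pane as a trusted folder, which are the two traits of the lure described above. The sample ZIP, the hostname and share in it, and the list of trusted folder names are constructed for the demonstration.

```python
import io, re, zipfile
from urllib.parse import unquote

SEARCH_URI = re.compile(r"(?i)\b(search-ms|search):([^\s\"'<>]+)")  # both handlers the article names
TRUSTED_FOLDER_NAMES = {"downloads", "documents", "desktop"}  # folder names a lure would borrow

# Constructed sample: the HTML inside the ZIP sends the browser into a remote search
# whose results pane is labelled "Downloads". Host and share are placeholders.
SAMPLE_HTML = (
    '<meta http-equiv="refresh" content="0;url=search-ms:query=INVOICE'
    '&crumb=location:\\\\invoice-lure.example\\share&displayname=Downloads">'
)

def find_search_uris(html: str) -> list[dict]:
    """Return every search-ms:/search: URI in the HTML with its decoded parameters."""
    hits = []
    for scheme, rest in SEARCH_URI.findall(html):
        pairs = (part.partition("=") for part in unquote(rest).split("&"))
        hits.append({"scheme": scheme.lower(), "params": {k.lower(): v for k, _, v in pairs}})
    return hits

def lure_indicators(hit: dict) -> list[str]:
    """Flag the traits the article describes: a remote search scope and a spoofed folder name."""
    reasons = []
    location = hit["params"].get("crumb", "").lower().removeprefix("location:")
    if location.startswith(("\\\\", "//")):  # UNC or WebDAV path, not the local machine
        reasons.append("remote location")
    if hit["params"].get("displayname", "").lower() in TRUSTED_FOLDER_NAMES:
        reasons.append("spoofed folder name")
    return reasons

def scan_zip_attachment(data: bytes) -> list[dict]:
    """Open a ZIP attachment in memory and report HTML members that carry a search lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member.lower().endswith((".htm", ".html")):
                html = zf.read(member).decode("utf-8", errors="replace")
                for hit in find_search_uris(html):
                    reasons = lure_indicators(hit)
                    if reasons:
                        findings.append({"member": member, "reasons": reasons, **hit})
    return findings

def build_sample_zip() -> bytes:
    """Package the constructed HTML the way the phishing email delivers it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE.html", SAMPLE_HTML)
    return buf.getvalue()
```

A search scoped to a local path (for example a crumb of `location:C:\Users`) without a spoofed display name produces no finding, so ordinary saved searches are not flagged.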