Multiple malicious payloads have been distributed in attacks exploiting Windows File Explorer and the WebDAV protocol, as part of campaigns that have been ongoing since February 2024 but escalated significantly only in September 2024, according to GBHackers News.

Threat actors have used direct linking, URL shortcut files, and LNK shortcut files to covertly open remote WebDAV servers in File Explorer, mostly to facilitate the simultaneous deployment of remote access trojans, particularly AsyncRAT, XWorm RAT, and DcRAT, a report from Cofense revealed. Intrusions primarily involved phishing emails aimed at European corporate networks, with half of the attacks entailing fraudulent financial invoices in the German language, said researchers, who also identified seven Cloudflare Tunnel domains hosting illicit WebDAV servers.

Aside from deactivating unneeded WebDAV client services, organizations' IT teams have also been advised to monitor for suspicious WebDAV or SMB traffic, as well as the potential exploitation of the FTP and CIFS networking protocols.
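An added example (not from the Cofense report or the original article): a Python check that mail or endpoint tooling could run over `.url` attachments to flag shortcuts whose target is a remote file location, separating Windows WebDAV-style paths (`host@SSL`, `host@port`, `DavWWWRoot`) from plain UNC/SMB shares. The function names, sample files and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Windows WebDAV redirector path markers: host@SSL or host@<port>; DavWWWRoot in the path.
DAV_HOST = re.compile(r"@(ssl|\d{1,5})$", re.IGNORECASE)
# URL= line of an Internet Shortcut (.url) file; tolerates CRLF line endings.
URL_FIELD = re.compile(r"^[ \t]*URL[ \t]*=[ \t]*(.+?)[ \t\r]*$",
                       re.IGNORECASE | re.MULTILINE)

def remote_location(target):
    """Return (host, rest) if target names a remote file location, else None."""
    if target.startswith("\\\\"):                  # UNC form: \\host\share\...
        host, _, rest = target[2:].partition("\\")
        return host, rest
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file" and parsed.netloc:   # file://host/...
        return parsed.netloc, parsed.path
    return None                                    # ordinary web link or local path

def inspect_shortcut(text):
    """Return [(target, verdict)] for every remote file target in a .url file."""
    findings = []
    for target in URL_FIELD.findall(text):
        location = remote_location(target)
        if location is None:
            continue
        host, rest = location
        is_dav = bool(DAV_HOST.search(host)) or "davwwwroot" in rest.lower()
        findings.append((target, "webdav" if is_dav else "remote-share"))
    return findings

# Constructed sample attachments (hostnames are placeholders, not indicators).
SAMPLES = {
    "rechnung.url": "[InternetShortcut]\r\n"
                    "URL=file://dav.example.test@SSL/DavWWWRoot/Rechnung.pdf.lnk\r\n",
    "port.url": "[InternetShortcut]\nURL=\\\\dav.example.test@8080\\share\\doc.lnk\n",
    "smb.url": "[InternetShortcut]\nURL=\\\\fileserver.example.test\\share\\doc.lnk\n",
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, inspect_shortcut(text) or "no remote file target")
```
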
Malware, Threat Intelligence
Malware attacks weaponizing Windows File Explorer, WebDAV underway




