BleepingComputer reports that a new phishing campaign is using malicious HTML attachments that abuse the Windows search protocol ("search-ms" URIs) to deliver malware-distributing batch files.
Attacks begin with a phishing email carrying a ZIP archive that contains an HTML file posing as an invoice document, packaging intended to bypass antivirus scanning, according to a report from Trustwave SpiderLabs.
Opening the HTML file makes the target's browser launch a malicious search-ms URL that instructs Windows Search to look for all items labeled "INVOICE" and renames the search window's display name, while Cloudflare services are used to redirect the retrieved information to the attacker-controlled server and to conceal that server, the researchers said. A separate LNK file, also posing as an invoice, executes a batch script whose function is unknown.
Organizations have been urged to mitigate the threat by executing the "reg delete HKEY_CLASSES_ROOT\search /f" and "reg delete HKEY_CLASSES_ROOT\search-ms /f" commands. Deleting these keys unregisters the protocol handler, so legitimate search-ms: links will no longer open in Windows Search either.
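One way to triage such an attachment before a user opens it, as an added example rather than code from the Trustwave or BleepingComputer reports: a small Python scanner that pulls search-ms: URIs out of an HTML file, decodes their parameters, and flags those that point Windows Search at a remote (UNC or WebDAV) location. The HTML sample, its host name and the function names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lure: a meta-refresh redirect into a search-ms: URI.
# "example.invalid" is a placeholder host, not an indicator from any report.
SAMPLE_HTML = """<html><head><title>Invoice</title>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&amp;crumb=location:%5C%5Cexample.invalid%5Cshare&amp;displayname=Downloads">
</head><body><a href="https://example.invalid/invoice.pdf">Open invoice</a></body></html>"""

# Grab everything after "search-ms:" up to a quote, angle bracket or whitespace.
URI_RE = re.compile(r'search-ms:([^"\'<>\s]+)', re.IGNORECASE)


def parse_search_ms(uri_body):
    """Split search-ms parameters into a dict: keys lower-cased, values percent-decoded."""
    params = {}
    for part in uri_body.replace('&amp;', '&').split('&'):
        key, _, value = part.partition('=')
        if key:
            params[key.lower()] = unquote(value)
    return params


def find_search_ms_uris(html):
    """Return the parsed parameter dicts of every search-ms: URI found in the HTML."""
    return [parse_search_ms(m.group(1)) for m in URI_RE.finditer(html)]


def assess(params):
    """List the reasons a search-ms URI looks like the lure described above."""
    reasons = []
    location = params.get('crumb', '')
    if location.lower().startswith('location:'):
        location = location[len('location:'):]
    # A UNC path (\\host\share) or an HTTP(S) URL makes Windows Search fetch
    # results from a remote server instead of the local machine.
    if location.startswith('\\\\') or location.lower().startswith(('http://', 'https://')):
        reasons.append(f'remote search location: {location}')
    if 'displayname' in params:
        reasons.append(f'custom display name masks the source: {params["displayname"]!r}')
    if 'query' in params:
        reasons.append(f'search query: {params["query"]!r}')
    return reasons


def scan_html(html):
    """Return one finding per search-ms: URI, each with its parameters and reasons."""
    return [{'params': p, 'reasons': assess(p)} for p in find_search_ms_uris(html)]


if __name__ == '__main__':
    for finding in scan_html(SAMPLE_HTML):
        print(finding['params'], '->', finding['reasons'])
```

A URI whose crumb points at a local path (for example C:\Users) produces no "remote search location" reason, so benign search-ms links used by local tooling are not flagged on that basis.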