Cybercriminals Exploit Windows File Explorer, WebDAV for Covert Malware Distribution Targeting EU Corporates

In recent developments, cybercriminals have been exploiting a legacy feature within Windows File Explorer to distribute malware, effectively bypassing traditional web browser security measures and endpoint detection systems. This tactic leverages the Web-based Distributed Authoring and Versioning (WebDAV) protocol to deceive users into executing malicious payloads.

Understanding the WebDAV Exploit

WebDAV is an older HTTP-based network protocol designed for remote file management. Despite Microsoft deprecating native WebDAV support in Windows File Explorer in November 2023, the functionality remains accessible on most systems. Attackers exploit this by sending malicious links that prompt File Explorer to connect directly to remote WebDAV servers, thereby circumventing web browsers and their associated security warnings.

When victims open these links, the remote server is rendered as if it were a local folder, so files served from it look as safe as anything on the local disk. Windows does show a default warning when a file is executed from a remote network location, but users who routinely work with legitimate enterprise file shares may dismiss it out of habit.

Methods of Exploitation

Cybercriminals employ several methods to abuse this legacy feature:

– Direct Linking: Utilizing the `file://` URI scheme, attackers open remote folders directly within the system’s file browser.

– URL Shortcut Files (.url): These files use Windows UNC paths (e.g., `\\exampledomain[.]com@SSL\DavWWWRoot\`) to access remote servers over HTTP or HTTPS without user awareness.

– LNK Shortcut Files (.lnk): These shortcuts contain hidden commands that invoke Command Prompt or PowerShell to silently download and execute malicious scripts hosted remotely.

A particularly evasive aspect of this tactic is that merely opening a local directory containing a malicious `.url` file with a UNC path triggers a DNS lookup for the remote host. That lookup, followed by a TCP SYN packet to the attacker’s infrastructure, tells the attacker that the shortcut has reached a victim machine even if the user never clicked the file.

Malware Payloads and Targeting

Since late 2024, there has been a surge in campaigns deploying Remote Access Trojans (RATs) to gain unauthorized system control. Reports indicate that 87% of Active Threat Reports (ATRs) associated with this tactic deliver multiple RATs, notably XWorm RAT, Async RAT, and DcRAT.

These campaigns primarily target European corporate networks. Approximately 50% of the phishing emails are written in German, often disguised as finance or invoice documents, while 30% are in English.

To obscure their infrastructure, threat actors create short-lived WebDAV servers using free Cloudflare Tunnel demo accounts hosted on `trycloudflare[.]com`. Because the malicious traffic is routed through legitimate Cloudflare infrastructure, security teams have little time to detect and block the servers before the attackers take them down.

Indicators of Compromise

Security researchers have identified several malicious Cloudflare Tunnel domains associated with these campaigns. Organizations are advised to monitor network traffic for connections to unfamiliar domains, especially those resembling Cloudflare Tunnel addresses.

Mitigation Strategies

To protect against these exploits, consider the following measures:

1. Disable WebDAV Support: If not required, disable WebDAV support in Windows File Explorer to prevent unauthorized connections to remote servers.

2. User Education: Train users to recognize and avoid suspicious links and email attachments, emphasizing the risks of executing files from unknown sources.

3. Network Monitoring: Implement monitoring solutions to detect unusual network traffic patterns, such as unexpected connections to external WebDAV servers.

4. Endpoint Protection: Ensure that endpoint protection solutions are updated to detect and block known RATs and other malware associated with these campaigns.

5. Patch Management: Regularly update operating systems and software to address known vulnerabilities and reduce the attack surface.
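Item 3 above and the Indicators of Compromise section both come down to the same two network signals: DNS queries for Cloudflare Tunnel demo domains and Windows WebDAV client sessions to hosts that are not the organisation's own file servers. The following Python detector is an added example for this article, not code from the original report. It runs over constructed `key=value` log lines (the format, hostnames and the `corp.example` allow-list are assumptions); the `Microsoft-WebDAV-MiniRedir` User-Agent and the `PROPFIND`/`OPTIONS` methods are what the Windows WebClient service actually sends. It also reports a tunnel lookup with no WebDAV session behind it, the pattern that corresponds to a folder being rendered without the shortcut being clicked.

```python
"""Flag Windows WebDAV client traffic to external and Cloudflare Tunnel hosts
in key=value log lines. Added example for this article; the log format,
hostnames and allow-list are constructed."""
import re
from collections import defaultdict

TUNNEL_SUFFIXES = ("trycloudflare.com",)       # named in the article
INTERNAL_SUFFIXES = ("corp.example",)          # assumed allow-list of the org's own file servers
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"       # User-Agent of the Windows WebClient service
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "MKCOL"}  # HTTP methods a WebDAV session uses

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn 'k=v k="quoted v"' into a dict (constructed log format)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _under(host: str, suffixes) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze(lines) -> list[tuple]:
    """Return (src, host, rule) alerts.

    DNS queries for tunnel demo domains and WebDAV HTTP requests to hosts
    outside the allow-list are each reported. A tunnel lookup that is never
    followed by a WebDAV session from the same source is reported separately,
    since rendering a folder with a malicious .url already causes the lookup."""
    alerts = []
    tunnel_lookups = defaultdict(set)   # src -> tunnel hosts queried
    sessions = set()                    # (src, host) pairs with WebDAV HTTP traffic
    for line in lines:
        f = parse_line(line)
        src = f.get("src", "?")
        if f.get("proto") == "dns":
            q = f.get("query", "").lower()
            if _under(q, TUNNEL_SUFFIXES):
                alerts.append((src, q, "dns-query-tunnel-domain"))
                tunnel_lookups[src].add(q)
        elif f.get("proto") == "http":
            host = f.get("host", "").lower()
            if not host or _under(host, INTERNAL_SUFFIXES):
                continue                # expected enterprise file shares
            if f.get("ua", "").startswith(WEBDAV_UA) or f.get("method") in WEBDAV_METHODS:
                alerts.append((src, host, "webdav-client-to-external-host"))
                sessions.add((src, host))
    for src, hosts in tunnel_lookups.items():
        for h in hosts:
            if (src, h) not in sessions:
                alerts.append((src, h, "tunnel-lookup-without-session"))
    return alerts


# Constructed sample log lines: one full WebDAV session to a tunnel host,
# one lookup-only event, one legitimate internal share, one ordinary web hit.
LOGS = [
    'ts=2025-01-15T09:12:03Z src=WS042 proto=dns query=abc-sample.trycloudflare.com',
    'ts=2025-01-15T09:12:04Z src=WS042 proto=http method=OPTIONS host=abc-sample.trycloudflare.com ua="Microsoft-WebDAV-MiniRedir/10.0.19041"',
    'ts=2025-01-15T09:12:04Z src=WS042 proto=http method=PROPFIND host=abc-sample.trycloudflare.com ua="Microsoft-WebDAV-MiniRedir/10.0.19041"',
    'ts=2025-01-15T09:15:10Z src=WS017 proto=dns query=xyz-other.trycloudflare.com',
    'ts=2025-01-15T09:20:00Z src=WS099 proto=http method=PROPFIND host=files.corp.example ua="Microsoft-WebDAV-MiniRedir/10.0.19041"',
    'ts=2025-01-15T09:21:00Z src=WS099 proto=http method=GET host=www.example.com ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyze(LOGS):
        print(alert)
```

The allow-list is the important tuning knob: the WebDAV client User-Agent is normal on hosts that use SharePoint or internal WebDAV shares, so the rule fires only on destinations outside it, and the tunnel-domain rule is what catches the short-lived servers the article describes before they are taken down.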

By understanding the methods employed by cybercriminals and implementing robust security measures, organizations can better defend against these sophisticated malware distribution tactics.