CyberSecurity SEE

Hackers Exploit Windows File Explorer and WebDAV for Malware Distribution

Cybersecurity experts at Cofense Intelligence have recently identified a sophisticated and ongoing campaign in which malicious actors abuse Windows File Explorer's built-in WebDAV support to disseminate malware. By leveraging the deprecated WebDAV protocol, these attackers deceive unsuspecting victims into downloading Remote Access Trojans (RATs), bypassing the download protections of web browsers and evading some Endpoint Detection and Response (EDR) systems.

### Understanding the WebDAV Exploit

WebDAV, short for Web-based Distributed Authoring and Versioning, is an HTTP-based file management protocol that extends standard HTTP with methods for browsing and editing files on a remote server. Although Microsoft deprecated the protocol in November 2023, the client remains integrated within Windows File Explorer, giving cybercriminals a convenient vector. Attackers take advantage of this integration by sending malicious links that open remote WebDAV servers directly within the familiar File Explorer interface. Because the remote share is rendered like an ordinary local folder, victims are far less likely to become suspicious of the files they are examining.

Threat actors deploy three primary techniques in executing these attacks: direct linking via file:// URIs, URL shortcut files (.url), and LNK shortcut files (.lnk). These methods either open the remote path directly or execute harmful scripts fetched from the attackers' servers. Notably, if a .url file incorporates a Windows UNC path, simply viewing the local folder that contains the shortcut can trigger an automatic DNS lookup for the attacker's host. That lookup tells the attackers the lure has reached a live machine, and the connection it sets up can be used to further compromise the victim's system.
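As an added example (not code from the Cofense report or this article), a small Python parser that applies the .url technique described above from the defender's side: it extracts every host that File Explorer would resolve for the URL, IconFile and WorkingDirectory keys and flags remote UNC or file:// targets, WebDAV path markers, and trycloudflare.com hosts. The sample shortcut text is constructed; the IconFile behaviour and the @SSL/DavWWWRoot path conventions are those of the Windows WebDAV client, taken from general knowledge rather than from the article.

```python
import re
from urllib.parse import unquote

# trycloudflare.com is the free Cloudflare Tunnel domain the article names; the WebDAV
# markers are the path conventions of the Windows WebDAV client (general knowledge).
TUNNEL_SUFFIXES = (".trycloudflare.com",)
WEBDAV_MARKERS = ("davwwwroot", "@ssl", "@80", "@443")
# [InternetShortcut] keys File Explorer resolves. IconFile is fetched as soon as the
# folder is displayed, which produces the DNS lookup without the user opening the file.
RESOLVED_KEYS = ("url", "iconfile", "workingdirectory")

_HOST_RE = re.compile(
    r"""(?:file:/{2,4}|\\\\|//)   # file:// URI, UNC prefix, or forward-slash UNC
        (?P<host>[^\\/\s:?#]+)""",  # the host ends at the next separator
    re.IGNORECASE | re.VERBOSE,
)

def remote_host(value):
    """Return the remote host a shortcut value resolves to, or None for local paths."""
    m = _HOST_RE.match(unquote(value.strip()))
    if not m:
        return None
    host = re.sub(r"@(ssl|\d+)$", "", m.group("host").lower())  # host@SSL / host@443
    return None if len(host) == 1 else host  # file:///C:/... is a local drive letter

def analyse_url_shortcut(text):
    """Parse .url text; return (hosts, reasons) for every remote target it would resolve."""
    hosts, reasons = [], []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith(("[", ";")):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        host = remote_host(value) if key in RESOLVED_KEYS else None
        if host is None:
            continue
        hosts.append(host)
        reasons.append(f"{key} resolves remote host {host}")
        if host.endswith(TUNNEL_SUFFIXES):
            reasons.append(f"{key} points at a Cloudflare Tunnel demo host")
        if any(mk in value.lower() for mk in WEBDAV_MARKERS):
            reasons.append(f"{key} uses WebDAV path markers")
    return hosts, reasons

# Constructed lure modelled on the .url technique described above (not a real sample).
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://constructed-sample.trycloudflare.com@SSL/DavWWWRoot/Rechnung.pdf.lnk\r\n"
    "IconFile=\\\\constructed-sample.trycloudflare.com@SSL\\DavWWWRoot\\icon.ico\r\n"
    "IconIndex=0\r\n"
)
```

Run over a mail gateway's quarantined attachments or a download folder, a non-empty hosts list on a .url file is a strong reason to block the shortcut before File Explorer ever renders it.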

To obscure their tracks, attackers are increasingly hosting their malicious WebDAV servers behind free demo Cloudflare Tunnels (subdomains of trycloudflare.com). When a victim connects to one of these servers, the network traffic appears to be routed through legitimate Cloudflare infrastructure, which complicates detection for analysts who might classify such traffic as benign. Furthermore, these rogue servers are generally short-lived, which hinders security researchers from retrieving the payloads after a campaign has concluded.

### Malware Payloads and Targeted Victims

Cofense indicates that this malicious tactic has been operating since February 2024, with a substantial increase in campaign volume noted in September 2024. The primary payload—present in 87% of the attacks—consists of several RATs being delivered simultaneously. Among the most frequently observed malware families are XWorm RAT, Async RAT, and DcRAT.

Notably, these campaigns are predominantly targeting European businesses via phishing emails. Data reveals that 50% of the active threat reports linked to this method utilize German-language emails containing fraudulent financial invoices, while 30% employ English-language lures. Such targeting indicates a deliberate understanding of the organizations and individuals being attacked, with lures tailored to the recipients' language and business context.

### Indicators of Compromise (IOCs)

Recent campaigns have seen multiple Cloudflare Tunnel domains actively hosting malicious WebDAV servers, which represent critical Indicators of Compromise (IOCs) for organizations. IT teams are encouraged to monitor for any unusual outbound traffic directed toward these suspicious addresses. For instance, domains such as tiny-fixtures-glossary-advantage.trycloudflare.com and others have been identified as associated with malicious WebDAV server activities.

Organizations may consider disabling the WebDAV client service if such capabilities are not essential for their operational requirements. Moreover, IT departments should closely scrutinize any unusual SMB or WebDAV traffic, particularly connections from File Explorer that attempt to reach resources on the internet. It is worth noting that similar abuse is possible through other network protocols File Explorer can reach, such as FTP and CIFS, underscoring the importance of comprehensive network monitoring.
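The monitoring recommended above, as an added example that is not part of the original article: a Python pass over constructed proxy log lines that flags outbound WebDAV client traffic to non-corporate hosts and any traffic to trycloudflare.com. The log format, the client IPs and the internal domain suffix are assumptions for this example; the "Microsoft-WebDAV-MiniRedir/" User-Agent prefix is the one the built-in Windows WebDAV client sends, which is general knowledge rather than a statement from the article.

```python
import shlex
from urllib.parse import urlsplit

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
TUNNEL_SUFFIX = ".trycloudflare.com"
# User-Agent prefix of the built-in Windows WebDAV client (the WebClient service);
# general knowledge, not something the article states.
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir/"
# Hosts where WebDAV from workstations is expected (assumed for this example).
INTERNAL_SUFFIXES = (".internal.example",)

# Constructed proxy log: timestamp, client IP, method, URL, quoted User-Agent.
SAMPLE_LOG = """\
2024-09-12T08:14:03Z 10.0.4.21 GET https://www.example.com/ "Mozilla/5.0"
2024-09-12T08:14:07Z 10.0.4.21 OPTIONS https://constructed-sample.trycloudflare.com/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-09-12T08:14:07Z 10.0.4.21 PROPFIND https://constructed-sample.trycloudflare.com/DavWWWRoot/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-09-12T08:15:30Z 10.0.4.35 GET https://constructed-sample.trycloudflare.com/ "Mozilla/5.0"
2024-09-12T08:16:01Z 10.0.4.40 PROPFIND https://dav.internal.example/files/ "Microsoft-WebDAV-MiniRedir/10.0.19045"
"""

def parse_line(line):
    """Split one space-delimited log entry; the User-Agent is the quoted last field."""
    ts, client, method, url, ua = shlex.split(line)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (urlsplit(url).hostname or "").lower(), "ua": ua}

def classify(rec):
    """Return (severity, reasons) for one entry; severity 0 means nothing to report."""
    webdav_client = rec["method"] in WEBDAV_METHODS or rec["ua"].startswith(MINIREDIR_UA)
    tunnel = rec["host"].endswith(TUNNEL_SUFFIX)
    internal = rec["host"].endswith(INTERNAL_SUFFIXES)
    reasons = []
    if tunnel:
        reasons.append("destination is a Cloudflare Tunnel demo host")
    if webdav_client and not internal:
        reasons.append("Windows WebDAV client talking to a non-corporate host")
    # Both signals together is the File Explorer lure pattern the article describes.
    return len(reasons), reasons

def find_alerts(log_text):
    """Return [(client, host, method, severity, reasons)] for entries worth triage."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            sev, reasons = classify(rec)
            if sev:
                alerts.append((rec["client"], rec["host"], rec["method"], sev, reasons))
    return alerts
```

Severity 2 entries (WebDAV client plus tunnel host) are the ones to isolate first; the severity 1 browser visit to the same host is worth correlating with them but is not by itself evidence of the lure.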

### Conclusion

The ongoing misuse of Windows File Explorer in conjunction with the WebDAV protocol highlights a significant cybersecurity threat that remains relevant and potent. As threat actors adapt their strategies and exploit weaknesses in outdated systems and protocols, organizations must remain vigilant and proactive. Closing potential entry points, enhancing monitoring efforts, and educating employees about phishing risks are essential measures that can reduce susceptibility to such sophisticated malware delivery mechanisms.
