Cybercriminals are exploiting a legacy feature of Windows File Explorer to deliver malware, successfully evading traditional web browser defenses and endpoint detection systems. This strategy leverages Web-based Distributed Authoring and Versioning (WebDAV) to deceive users into running harmful software, as reported by Kahng An from the Cofense Intelligence Team.
The Vulnerability in WebDAV
WebDAV, an older protocol for remote file management, is being manipulated by attackers despite Microsoft’s decision to formally deprecate its support in Windows File Explorer as of November 2023. Nonetheless, the functionality is still accessible on many systems. Cybercriminals exploit this by directing victims to malicious links that cause File Explorer to connect directly to rogue WebDAV servers.
This technique bypasses web browsers entirely, meaning that users do not encounter standard browser security alerts or download prompts. The remote server masquerades as a local folder, which can mislead users into believing that downloaded files are safe and stored locally. Although Windows issues a default warning when executing files from a remote network, this alert is often disregarded by users accustomed to legitimate file shares.
Methods of Exploitation
Three main methods are used by attackers to execute this exploit, frequently involving the DavWWWRoot keyword to target a remote server’s root directory. First, direct linking uses the file:// URI scheme to open remote folders directly within the system’s file browser. Second, URL shortcut files (.url) employ Windows UNC paths to invisibly connect to remote servers over HTTP or HTTPS. Third, LNK shortcut files (.lnk) typically contain concealed commands that launch Command Prompt or PowerShell to download and run malicious scripts without the user’s knowledge.
A unique technical characteristic of this tactic is the automatic DNS lookup triggered when a directory containing a malicious .url file with a UNC path is opened. This sends a TCP SYN packet to the attacker’s infrastructure, indicating payload activation even if the file is not actively clicked by the user.
Impact and Future Outlook
Since late 2024, there has been a surge in campaigns utilizing this method, primarily aimed at deploying Remote Access Trojans (RATs) to illicitly control systems. Cofense reports that 87% of Active Threat Reports linked to this tactic involve multiple RATs, with XWorm RAT, Async RAT, and DcRAT being the most prevalent.
These attacks predominantly target European corporate networks, with roughly 50% of phishing emails composed in German, often disguised as financial documents, while 30% are in English. To evade detection, threat actors set up transient WebDAV servers using free Cloudflare Tunnel demo accounts hosted on trycloudflare[.]com. This tactic complicates detection efforts by routing malicious traffic through legitimate Cloudflare infrastructure before the temporary servers are taken offline.
Security teams are advised to monitor for unusual network activity originating from Windows Explorer and educate users to check the address bar in File Explorer for unfamiliar IP addresses. The broader risk is that similar abuses could potentially extend to other enterprise protocols like FTP and SMB.
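As an added defender-side example covering the .url method described under Methods of Exploitation and the monitoring advice above (this is not code from the Cofense report or from this article), the Python script below parses .url shortcut bodies and flags the indicators the report names: a UNC or file:// target that points at a remote host, the DavWWWRoot keyword, a trycloudflare.com host, and a raw IP host. The shortcut contents, host names and addresses are constructed for the demo.

```python
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed .url file bodies for the demo; none are real samples from the report.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/docs\n",
    "unc_webdav.url": (
        "[InternetShortcut]\n"
        "URL=\\\\203.0.113.5@80\\DavWWWRoot\\Invoice\n"
        "IconIndex=3\n"
    ),
    "tunnel.url": (
        "[InternetShortcut]\n"
        "URL=file://words-here.trycloudflare.com/DavWWWRoot/Rechnung/\n"
    ),
}

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")            # \\host[@SSL][@port]\share...
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def remote_target(url):
    """Return (kind, host) if the URL makes Explorer reach a remote host, else None."""
    m = UNC_RE.match(url)
    if m:
        # \\host@SSL@443\share -> the host is the part before the first '@'
        return "unc", m.group(1).split("@")[0].lower()
    p = urlparse(url)
    if p.scheme == "file" and p.netloc:   # file://host/... opens a remote folder in Explorer
        return "file-uri", p.netloc.split("@")[0].lower()
    return None


def analyze_url_shortcut(text):
    """Return a list of findings for one .url file body; empty means nothing flagged."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    url = cp.get("InternetShortcut", "URL", fallback="")
    target = remote_target(url)
    if target is None:
        return []
    kind, host = target
    findings = [f"{kind} target on remote host {host}"]
    if "davwwwroot" in url.lower():
        findings.append("DavWWWRoot keyword: Explorer will mount the server's WebDAV root")
    if host.endswith(".trycloudflare.com"):
        findings.append("host is a Cloudflare Tunnel quick-tunnel (trycloudflare.com)")
    if IPV4_RE.match(host):
        findings.append("host is a raw IP address")
    return findings


def scan(samples):
    """Map file name -> findings for every shortcut that was flagged."""
    flagged = {name: analyze_url_shortcut(body) for name, body in samples.items()}
    return {name: f for name, f in flagged.items() if f}
```

Because Explorer resolves the UNC host as soon as the containing folder is opened, this kind of check belongs in mail-gateway or endpoint scanning of attachments and downloads, before the file ever reaches a user's directory listing.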
