Cybersecurity researchers have recently uncovered a new and alarming cyber threat that exploits the "search-ms" URI protocol handler, a lesser-known feature of the Windows operating system. This protocol, designed primarily to facilitate local and remote searches, has become a prime target for malicious actors, who are redirecting users to websites that serve JavaScript and HTML attachments. Through the execution of various script files, such as Batch, Visual Basic, PHP, and PowerShell, attackers can carry out their malicious activities with ease.
The attack begins with phishing emails that include deceptive hyperlinks or attachments, enticing unsuspecting users to visit compromised websites. Once a user reaches one of these sites, JavaScript on the page launches a search against a remote server using the "search-ms" protocol. What makes this attack particularly dangerous is that the search results are displayed within Windows Explorer, masquerading as legitimate files such as PDFs. This disguise leads users to unwittingly execute malicious code, exposing their systems to serious security risks.
In a concerning twist, the researchers also discovered phishing emails posing as urgent requests for quotations from purported sales managers. These malicious actors use the "search-ms" protocol to download payloads, adding further complexity to the attack. The multi-step nature of this technique makes it challenging to detect and defend against.
The malicious payloads deployed in these attacks are remote access trojans (RATs); among those identified are Async RAT and Remcos RAT. These RATs grant unauthorized access to compromised systems, enabling threat actors to steal sensitive data, monitor user activity, execute commands, and even spread to other connected devices, posing a significant threat to the victim's security.
To safeguard against this emerging threat, users are strongly advised to exercise caution when clicking on links or downloading files from unfamiliar sources. Disabling the "search-ms" protocol handler can serve as an additional preventive measure to bolster system security.
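One way to apply that mitigation on a Windows host is to remove the handler's registration from the registry. The script below is an added example, not code from the article or its source research; it assumes the handler is registered under `HKLM\SOFTWARE\Classes\search-ms` (the machine-wide view of `HKEY_CLASSES_ROOT\search-ms`) and that it is run from an elevated PowerShell session.

```powershell
# Added example: disable the search-ms: URI protocol handler on Windows.
# Assumption (not from the article): the registration lives under
# HKLM\SOFTWARE\Classes\search-ms. Run from an elevated session.
# A .reg backup is exported first so the handler can be restored
# later with `reg import <file>`.

$Key       = 'HKLM:\SOFTWARE\Classes\search-ms'
$BackupDir = Join-Path $env:ProgramData 'search-ms-backup'
$Backup    = Join-Path $BackupDir ('search-ms-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path -Path $Key)) {
    Write-Output 'search-ms handler is not registered; nothing to do.'
    return
}

# Record what is currently registered before changing anything.
$Existing = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
Write-Output ("Current registration: " + ($Existing | Out-String).Trim())

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# reg.exe exports via the HKCR alias; this file is the rollback path.
& reg.exe export 'HKCR\search-ms' $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup export failed (exit $LASTEXITCODE); aborting without changes."
}

# Deleting the key removes the protocol registration, so a search-ms:
# link opened from a browser or e-mail client no longer launches Explorer.
Remove-Item -Path $Key -Recurse -Force

# Verify the change took effect.
if (Test-Path -Path $Key) {
    throw 'search-ms key is still present; removal did not take effect.'
}
Write-Output "search-ms handler removed. Backup saved to: $Backup"
```

Removing the handler also breaks any legitimate search-ms: links (for example, saved Windows Search connectors), so test the change on a pilot group before rolling it out fleet-wide, and keep the exported .reg file for rollback.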
The attackers behind this campaign have taken a proactive approach, frequently updating their files, which makes it difficult for security measures to identify and intercept the attacks based on static signatures or known indicators of compromise. Additionally, unfettered access to specific file servers gives the attackers an easy means of orchestrating subsequent attacks, amplifying the risks posed by this threat.