In a recent blog post, Trellix’s Advanced Research Center has unveiled a novel attack technique that leverages the “search-ms” URI protocol handler, a lesser-known feature of the Windows operating system. This innovative method allows threat actors to exploit unsuspecting users by crafting deceptive emails and compromised websites that trick users into executing malicious code disguised as trusted files.
The malicious payloads delivered through this campaign are primarily remote access trojans (RATs), specifically Async RAT and Remcos RAT. These RATs are nefarious programs that provide cybercriminals with unauthorized remote control over a compromised system. Upon successful infection, these RATs can carry out a wide array of malicious tasks. These tasks can range from pilfering confidential data, keeping tabs on user behavior, or executing remote commands, to propagating themselves to other devices connected to the infected system.
Mitigating this attack is as simple as deleting the following registry keys:
Upon further analysis, we have successfully created a detection mechanism for this type of attack. This strategic development significantly enhances the protection of Blackpoint’s partners, fortifying their defenses against such threats.
In summary, the “search” / “search-ms” URI protocol handler has become a powerful tool for cybercriminals, and we can expect more attacks using this method. It allows attackers to deliver harmful payloads while avoiding standard security defenses. To stay safe, users should be cautious with unfamiliar links, avoid clicking on suspicious URLs, and avoid downloading files from unknown sources.