Summary:

  • This article discusses the exploitation of the “search-ms” URI protocol handler in Windows as a novel attack technique.
  • Attackers use JavaScript on websites and in HTML attachments to open a “search-ms” URI whose search location is a remote share; Windows Explorer then lists the attacker's files, disguised with PDF or other trusted icons, as if they were local search results. Opening one of these files executes the malicious code.
  • Phishing emails carry deceptive links or HTML attachments that redirect users to compromised websites hosting the lure.
  • When a user clicks the link, the browser shows its external-protocol prompt asking to “Open Windows Explorer”; this prompt is the only point at which the user can refuse before Explorer opens the remote results.
  • The remote files are served over SSL/TLS, so retrieving them looks like ordinary HTTPS traffic and evades network security controls that inspect only cleartext.
  • The article also describes a variant in which PowerShell is used to execute the harmful commands.
  • Attackers download and use Remote Access Trojans (RATs) to gain control over infected systems. To evade detection, they frequently rotate the hosted files and vary the file types.
  • Users are advised to exercise caution and avoid clicking on suspicious links or downloading files from unknown sources to mitigate risks.
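As an added example (not code from the article or its authors), the following Python helper illustrates the lure from the second and seventh bullets from the defender's side: it finds “search-ms” URIs in HTML, JavaScript or email text, parses them using Microsoft's documented parameter syntax (query=, crumb=, displayname=), and flags the ones whose search location is a remote UNC or WebDAV-over-HTTPS share rather than a local folder. The sample content, the host names, and the list of local folder names used in the displayname heuristic are constructed for illustration and are not from the page.

```python
import re
from urllib.parse import unquote

# Matches a search-ms: URI embedded in HTML, JavaScript or e-mail text.
# It stops at whitespace, quotes, angle brackets and ')', which is where
# such a URI ends when used as an href or as a JavaScript string literal.
SEARCH_MS_RE = re.compile(r'''search-ms:[^\s"'<>)]+''', re.IGNORECASE)

# UNC prefix: \\host\share, including the WebDAV form \\host@SSL@443\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\([^\\]+)")

# Folder names an attacker might reuse in displayname so the Explorer window
# looks like a local search (heuristic; this list is an assumption of this
# example, not taken from the article).
LOCAL_FOLDER_NAMES = ("downloads", "documents", "desktop", "pictures", "onedrive")


def parse_search_ms(uri):
    """Split a search-ms: URI into {param: [values]} with values URL-decoded.

    The parameter syntax (query=, crumb=, displayname=, joined by '&') is the
    one Microsoft documents for the protocol. A key may repeat, notably
    crumb=, so every key maps to a list.
    """
    scheme, _, body = uri.partition(":")
    if scheme.lower() != "search-ms":
        raise ValueError("not a search-ms URI")
    params = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        if key:
            params.setdefault(key.lower(), []).append(unquote(value))
    return params


def assess(uri):
    """Return the reasons this URI looks like the remote-share lure.

    An empty list means the search location is local (or absent).
    """
    params = parse_search_ms(uri)
    reasons = []
    for crumb in params.get("crumb", []):
        kind, _, value = crumb.partition(":")
        if kind.strip().lower() != "location":
            continue
        m = UNC_RE.match(value)
        if not m:
            continue  # local path such as C:\Users\...
        host = m.group(1)
        reasons.append("location crumb points to remote share on host %s" % host.split("@")[0])
        if "@ssl" in host.lower() or "davwwwroot" in value.lower():
            reasons.append("remote share is WebDAV over HTTPS")
    # Only treat a folder-like displayname as a disguise when the share is remote.
    for name in params.get("displayname", []):
        if reasons and any(folder in name.lower() for folder in LOCAL_FOLDER_NAMES):
            reasons.append("displayname '%s' mimics a local folder search" % name)
    return reasons


def scan_text(text):
    """Find every search-ms URI in text; return [(uri, reasons)] for suspicious ones."""
    hits = []
    for m in SEARCH_MS_RE.finditer(text):
        reasons = assess(m.group(0))
        if reasons:
            hits.append((m.group(0), reasons))
    return hits


# Constructed sample content (not from the article): one benign local search
# and two lure-style URIs as they might appear in an HTML attachment's script.
SAMPLE = """
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5Cme%5CDocuments&displayname=Documents">local</a>
<script>
window.location.href = "search-ms:query=invoice&crumb=location:%5C%5C203.0.113.10%5Cshare&displayname=Downloads";
location.href = 'search-ms:query=pdf&crumb=location:%5C%5Cfiles.example.net%40SSL%40443%5CDavWWWRoot%5Cdocs&displayname=Search%20Results';
</script>
"""

if __name__ == "__main__":
    for uri, reasons in scan_text(SAMPLE):
        print(uri)
        for r in reasons:
            print("   -", r)
```

Run against a mail gateway's HTML attachments or a proxy's page bodies, the two script lines in the sample are reported (remote host, WebDAV-over-HTTPS, folder-like display name) while the local `C:\Users` search passes, which is the distinction a detection rule for this technique needs.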