Recently, cyber security researchers at Trellix Advanced Research Center discovered a new and sophisticated attack technique that takes advantage of a powerful yet lesser-known feature of the Microsoft Windows operating system: the “search-ms” URI protocol handler. While the Windows search feature is designed to help users locate files and folders efficiently, its potential misuse as an attack vector has raised significant concerns in the cyber security community.

Understanding the “search-ms” URI Protocol Handler

The “search-ms” URI protocol handler is a versatile tool that allows both local and remote searches on Windows systems. It provides a seamless way for users to find files, folders, and other items, streamlining their daily tasks. However, this same functionality has caught the attention of malicious actors who seek to exploit it for nefarious purposes.

Exploitation Techniques

The attack technique associated with the “search-ms” URI protocol handler involves leveraging JavaScript on websites and HTML attachments to compromise target systems. By exploiting the “search-ms” protocol, threat actors can effectively expand their attack surface. Moreover, researchers have identified that attackers are not limiting themselves to the “search-ms” protocol alone; they are also exploring the potential of the “search” protocol for their malicious campaigns.

Phishing Emails and Malicious Payloads

One of the primary attack vectors utilising the “search-ms” URI protocol handler is phishing emails. Threat actors use various social engineering tactics to deceive users into clicking on malicious links or downloading seemingly innocuous file attachments. These phishing emails are often crafted to appear urgent or legitimate, tricking victims into interacting with the malicious content.

Once a user falls victim to the phishing email and clicks on the link or opens the attachment, they are unwittingly redirected to a compromised website that exploits the “search-ms” URI protocol handler. This allows the attacker to execute malicious code on the victim’s system, initiating the infection chain.

Sophisticated PowerShell-Based Attacks

In their investigation, security analysts at Trellix found multiple variants of PowerShell scripts used in these attacks. These scripts serve diverse purposes, from downloading payloads in the form of ISO, DLL, and EXE files, to executing VBS (Visual Basic Script) files. The attackers demonstrate a keen understanding of PowerShell’s capabilities, enabling them to deploy potent remote access trojans (RATs) such as Async RAT and Remcos RAT.

Implications of the Remcos RAT

One notable characteristic of the Remcos RAT is its use of null byte injection in its EXE payload. This technique aims to evade detection by security products and antivirus solutions, posing a significant challenge for defenders. To stay ahead of the attackers, security teams need to adopt proactive measures and continuously update their defences to detect and mitigate null byte injection techniques effectively.

Key Recommendation

The exploitation of the “search-ms” URI protocol handler in Windows represents a novel and concerning cyber threat. To protect against this attack vector, users and organisations must exercise caution when interacting with untrusted links and files, be vigilant against phishing attempts, and keep their systems and antivirus tools updated with the latest security patches. By maintaining a proactive security posture, defenders can effectively counter the persistent efforts of malware authors seeking to exploit vulnerabilities in the active cyber threat landscape. Awareness, preparedness, and collaboration within the cyber security community are fundamental in the ongoing battle against emerging cyber threats.