This Windows tool is once again being hijacked by cybercriminals

Cybercriminals are exploiting the Windows search protocol to distribute malware. This sophisticated tactic lets hackers trick users into opening disguised attachments.

Security researchers at Trustwave SpiderLabs have discovered that cybercriminals are again exploiting the Windows search protocol, the search-ms URI. This Microsoft protocol lets you launch custom searches on your computer so that you can easily find files or information. According to the Trustwave SpiderLabs report, hackers have found a way to abuse this feature to “distribute malware.”

First, the cybercriminals send “a suspicious email containing an HTML attachment” to their target. To allay the victim’s suspicions, the hackers disguise the attachment as a harmless document, such as an invoice. In addition, the HTML file is hidden inside a “ZIP archive,” which helps the phishing attack go unnoticed.

If the user opens the HTML file, the computer automatically runs a search against servers controlled by the cybercriminals through the search-ms URI protocol. The user does not notice that the search is now running on a remote server; they believe they are searching directly on their own computer.

This is where the cybercriminals get what they want. As Trustwave SpiderLabs explains, a redirect URL in the HTML file uses the Windows search protocol to retrieve malicious documents from the remote servers. These documents, which the cybercriminals have named “invoices,” can install viruses on your computer. From there, one can assume that the hackers will be able to dig into the machine’s sensitive data.
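The attack chain above hinges on an HTML attachment that redirects to a search-ms URI whose search location is a remote server while its display name imitates a local folder. The following added example, which is not from the Trustwave report or the original article, shows how a mail gateway or analyst script could flag such attachments: it extracts search-ms URIs from the HTML, decodes them, and treats any whose `crumb=location:` points to a UNC or HTTP(S) path as remote. The sample HTML, the host name `files.example.invalid` and the function names are constructed for the demonstration.

```python
import re
from html import unescape
from urllib.parse import unquote

# search-ms: URIs can sit in href, meta refresh or script strings; match until a delimiter.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: meta refresh to a search on a remote share, dressed up as "Downloads".
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=invoice&amp;crumb=location:%5C%5Cfiles.example.invalid%5Cshare&amp;displayname=Downloads">
</head><body>Please wait...</body></html>"""

# Constructed benign sample: a search-ms link that stays on the local disk.
LOCAL_HTML = '<a href="search-ms:query=report&amp;crumb=location:C:%5CUsers%5Cme%5CDocuments">open</a>'


def parse_search_ms(uri):
    """Split a decoded search-ms: URI into its key/value parameters (query, crumb, displayname...)."""
    params = {}
    body = uri.split(":", 1)[1]
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = value
    return params


def is_remote_location(params):
    """True when the crumb's location is a UNC path or a WebDAV/HTTP URL, i.e. off the machine."""
    loc = params.get("crumb", "").lower()
    return "location:" in loc and ("\\\\" in loc or "http://" in loc or "https://" in loc)


def scan_attachment(html_text):
    """Return one finding per search-ms URI: decoded URI, query, display name and remote flag."""
    findings = []
    for raw in SEARCH_MS_RE.findall(html_text):
        uri = unquote(unescape(raw))  # undo &amp; and %5C-style encoding before parsing
        params = parse_search_ms(uri)
        findings.append({
            "uri": uri,
            "query": params.get("query", ""),
            "displayname": params.get("displayname", ""),
            "remote": is_remote_location(params),
        })
    return findings


def verdict(html_text):
    """'block' if any search-ms URI in the attachment targets a remote location, else 'allow'."""
    return "block" if any(f["remote"] for f in scan_attachment(html_text)) else "allow"
```

A display name such as "Downloads" combined with a remote location is the tell-tale sign; a local `crumb=location:` is ordinary Windows behaviour and is left alone.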

This isn’t the first time hackers have exploited the Windows search protocol to orchestrate cyberattacks. As we explained last March, the protocol had already been hijacked by the Russian hackers of Forest Blizzard, also known as Fancy Bear. They used the tool to trick users with booby-trapped PDFs.

In addition, some hackers rely on the Quick Assist feature to deploy ransomware on Windows computers. Finally, it should be noted that extortion specialists sometimes abuse the BitLocker feature, which is meant to protect your data, to achieve their ends.