Skip to content

Cyber security researchers at SOCRadar and Trellix have recently uncovered a new method hackers are using to spread malware on Windows computers. This method takes advantage of a Windows feature called the “search-ms” protocol handler.

What is the “search-ms” protocol handler?

The “search-ms” feature allows you to quickly search for files and folders on your computer or network. When you click on a specially crafted link, it will start a search using the “search-ms” system.

How are hackers abusing this feature?

Hackers are creating phishing emails and websites with links that use the “search-ms” protocol. When you click these links, it secretly searches a hacker-controlled server and shows you fake search results. These fake results look like real files on your computer, but they are actually shortcuts to malware.

A screenshot of a computerDescription automatically generated

If you click these malicious shortcuts, it will download malware onto your computer. This allows hackers to infect your computer with dangerous programs called “remote access trojans” or RATs.

What can RAT malware do?

Once installed, RAT malware allows hackers to:

  • Steal sensitive information like passwords and financial data
  • Remotely control your computer
  • Use your computer for criminal activities

A diagram of a computer networkDescription automatically generated

Notable Attributes:

  • The use of unique file signatures/fingerprints and frequent updates to malicious files are employed to obscure their true nature, making it harder for security software and measures to detect and prevent them.
  • Additionally, the use of SSL encryption throughout the attack further enhances the ability to evade network security measures.

How to stay safe:

  • Be very cautious of email links, even if you know the sender. Hover over links to check the real destination.
  • Don’t download files from websites you don’t fully trust.
  • Keep your anti-virus software up-to-date.
  • Consider disabling the “search-ms” feature if you don’t need it. This prevents abuse.

While this threat sounds scary, just exercising caution with links and downloads will go a long way in keeping you safe. Be skeptical of anything encouraging you to download files or shortcuts.

Related Links: