Security News > 2023 > July > Hackers Abusing Windows Search Feature to Install Remote Access Trojans

A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "Search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "Search:" application protocol, a mechanism for calling the desktop search application on Windows.

It's worth noting that clicking on the link also generates a warning "Open Windows Explorer?," approving which "The search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results," the researchers explained.

"This smart technique conceals the fact that the user is being provided with remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code."

Regardless of the method used, the infections lead to the installation of AsyncRAT and Remcos RAT that can be used by the threat actors to remotely commandeer the hosts, steal sensitive information, and even sell the access to other attackers.

With Microsoft steadily taking steps to clamp down on various initial access vectors, it's expected that adversaries could latch onto the URI protocol handler method to evade traditional security defenses and distribute malware.

"It is crucial to refrain from clicking on suspicious URLs or downloading files from unknown sources, as these actions can expose systems to malicious payloads delivered through the 'search' / 'search-ms' URI protocol handler," the researchers said.

News URL

https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html