"Hackers Abusing Windows Search Feature to Install Remote Access Trojans"

Hackers could exploit a legitimate Windows search feature to download arbitrary payloads from remote servers and compromise targeted systems with Remote Access Trojans (RATs) such as AsyncRAT and Remcos RAT. According to Trellix, the novel attack technique makes use of the "search-ms:" URI protocol handler, which allows applications and HTML links to launch custom local searches on a device. The technique also involves the "search:" application protocol, a mechanism for invoking the desktop search application on Windows. Attackers direct users to websites whose JavaScript invokes the "search-ms:" handler. The technique has since been extended to HTML attachments: threat actors have been observed crafting deceptive emails with embedded hyperlinks or HTML attachments containing URLs that redirect users to compromised websites, where JavaScript uses the URI protocol handlers to run searches against a server under the attacker's control. This article continues to discuss the abuse of a legitimate Windows search feature by hackers to install RATs.

THN reports "Hackers Abusing Windows Search Feature to Install Remote Access Trojans"
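As an added example that is not part of the article or the Trellix report, the following Python scanner is the kind of check a mail gateway or an analyst could run over an HTML attachment to flag links and inline scripts that hand the browser a "search-ms:" or "search:" URI, and to extract the remote location such a search would be pointed at. The sample HTML and its host name are constructed, and the `crumb=location:` parameter syntax is assumed from Microsoft's documentation of the search-ms protocol rather than taken from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample of an HTML attachment (not from the article): one link and
# one inline script each hand the browser a search URI. The host is a placeholder.
SAMPLE_HTML = r"""<html><body>
<a href="search-ms:query=invoice&crumb=location:\\files.example.invalid\share&displayname=Downloads">Open</a>
<script>window.location.href = "search:query=report";</script>
</body></html>"""

# Both handlers named in the article: "search-ms:" and the older "search:".
SEARCH_URI = re.compile(r'\b(search-ms|search):([^"\'<>\s]*)', re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect URL-bearing attribute values plus the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.candidates = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if value and name in ("href", "src", "content", "action"):
                self.candidates.append(value)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.candidates.append(data)

def find_search_uris(html):
    """Return one dict per search:/search-ms: URI found in links or scripts."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text in parser.candidates:
        for scheme, rest in SEARCH_URI.findall(text):
            params = dict(p.split("=", 1) for p in unquote(rest).split("&") if "=" in p)
            # crumb=location:\\host\share aims the search at a remote share;
            # the host is the indicator worth blocking or hunting for.
            m = re.search(r"location:\\\\([^\\]+)", params.get("crumb", ""), re.IGNORECASE)
            findings.append({"scheme": scheme.lower(),
                             "remote_host": m.group(1) if m else None,
                             "params": params})
    return findings

if __name__ == "__main__":
    for finding in find_search_uris(SAMPLE_HTML):
        print(finding)
```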
