
New Major Hack Using Windows Features

Security researchers have uncovered a sophisticated attack technique that malicious actors are using to compromise targeted systems with dangerous Remote Access Trojans (RATs) like AsyncRAT and Remcos RAT.

The attackers are taking advantage of a legitimate Windows search feature, making it a major new potential threat for users.

Exploiting the “search-ms” URI Protocol Handler:

The attackers are utilizing the “search-ms” URI protocol handler, which allows applications and HTML links to perform custom local searches on a device. They are also leveraging the “search:” application protocol, a mechanism to call the desktop search application on Windows. By directing users to compromised websites containing JavaScript, they trick the system into executing malicious code.
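To show what a defender can look for in mail or web content, here is an added example that is not part of the article: a small Python scanner that pulls search-ms: URIs out of HTML or e-mail text, parses the crumb=location parameter Windows uses to scope the search, and flags any whose scope is a network path rather than a local folder. The sample links and the 203.0.113.5 host are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Matches a search-ms: URI embedded in HTML, e-mail text or a log line.
SEARCH_MS_RE = re.compile(r'search-ms:[^\s"\'<>]+', re.IGNORECASE)

# A location crumb starting with a UNC prefix (\\host\share) or an
# http(s) URL scopes the search to a remote host, not the local machine.
REMOTE_PREFIX_RE = re.compile(r'^(\\\\|//|https?://)', re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms: URI into its key=value parameters (keys lowered)."""
    _, _, body = uri.partition(":")
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(key.lower(), []).append(value)
    return params


def location_targets(params):
    """Return every path named by a crumb=location:<path> parameter."""
    targets = []
    for crumb in params.get("crumb", []):
        kind, sep, value = crumb.partition(":")
        if sep and kind.strip().lower() == "location":
            targets.append(value.strip())
    return targets


def is_remote(path):
    """True if the search scope is a network location, not a local folder."""
    return bool(REMOTE_PREFIX_RE.match(path))


def scan_text(text):
    """Find search-ms: URIs in text and flag those scoped to a remote location."""
    findings = []
    for match in SEARCH_MS_RE.finditer(text):
        uri = match.group(0)
        params = parse_search_ms(uri)
        targets = location_targets(params)
        findings.append({
            "uri": uri,
            "display_name": params.get("displayname", [""])[0],
            "locations": targets,
            "remote": any(is_remote(t) for t in targets),
        })
    return findings


# Constructed sample: one local search, two searches scoped to a remote share
# (the second of them percent-encoded, as a link in an HTML attachment might be).
SAMPLE_HTML = (
    '<a href="search-ms:query=report&crumb=location:C:\\Users\\Public\\Documents'
    '&displayname=Documents">Local search</a>\n'
    '<a href="search-ms:query=Invoice&crumb=location:\\\\203.0.113.5@80\\share'
    '&displayname=Downloads">Open invoice</a>\n'
    '<a href="search-ms:query=Invoice&crumb=location%3A%5C%5C203.0.113.5%5Cshare">x</a>'
)
```

Running scan_text(SAMPLE_HTML) marks the first link as local and the other two as remote, which is the signal a mail gateway or proxy would alert on.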

Deceptive Emails and HTML Attachments:

The attackers are luring victims with deceptive emails containing hyperlinks or HTML attachments that redirect users to compromised websites. When the user clicks on the link, a warning message “Open Windows Explorer?” appears.

Unfortunately, upon approval, the search results are displayed as disguised PDFs or trusted icons, concealing the fact that remote files are being provided.

Illusion of Trust:

This smart technique creates an illusion of trust, as users believe the files are from their own system. Unknowingly, they execute the malicious code, leading to the installation of rogue dynamic-link libraries (DLLs) using the regsvr32.exe utility or the execution of PowerShell scripts to download additional payloads.

The Dangers of AsyncRAT and Remcos RAT:

Once infected, the victim’s system becomes vulnerable to remote control by threat actors. They can exploit this access to steal sensitive information, compromise data, or even sell access to other attackers, magnifying the risks to both individuals and organizations.

Protect Yourself from Attack:

Microsoft is continuously working to strengthen security defenses against various initial access vectors. However, users must remain vigilant and avoid clicking on suspicious URLs or downloading files from unknown sources. Malicious payloads are delivered through the “search” / “search-ms” URI protocol handler, making it crucial to exercise caution.


– Authored by contributor Anthony J. Daw

Joshua Paulo
Combining a Criminal Justice and International Relations background, Josh boasts years of experience in various forms of analysis and freelance journalism. He currently spearheads a team of professionals committed to delivering unbiased reporting to provide the public and private sector with accurate and insightful information. Josh serves as Atlas's Director of News.
