Hackers Exploit Windows Search Feature to Install Remote Access Trojans

Unknown malicious actors are currently exploiting a zero-day vulnerability in the Windows search feature, specifically targeting the search-ms: URI handler in Windows 10. This vulnerability allows hackers to execute remote malware through a Word document, similar to the Follina vulnerability (CVE-2022-30190) [2].

Description

The search-ms URI protocol handler in Windows 10 is being abused by attackers to launch custom local searches on targeted devices. They direct users to websites that exploit this functionality through JavaScript hosted on the page [1], and the technique has also been extended to HTML attachments [1] [5]. To lure users [4], the attackers craft emails with hyperlinks or HTML attachments that redirect them to compromised websites [1] [5] [6], triggering JavaScript that performs searches against an attacker-controlled server [1] [6].

When users click on the link [5], a warning message is generated, but if approved [1], the search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as trusted icons [1]. This technique conceals the fact that the user is being provided with remote files and gives the illusion of trust [1], increasing the likelihood of the user unknowingly executing malicious code [1]. Clicking on the shortcut files leads to the execution of a rogue DLL or PowerShell scripts that download additional payloads and install AsyncRAT and Remcos RAT [1]. These RATs allow threat actors to remotely control the compromised hosts [1] [5] [6], steal sensitive information [1] [5] [6], and sell access to other attackers [1] [6].

This zero-day vulnerability affects Windows 7 SP1 up to Windows 11 [2], and attackers could potentially use it for malicious actions [2], such as linking phishing emails to alleged security updates via a search-ms URI [2]. They can build sophisticated phishing campaigns by hosting Windows shares publicly and spreading malware through the Windows search windows opened by phishing links or malicious Word documents [2]. To mitigate this attack path [2], it is suggested to back up and then delete the registry key for the search-ms URI protocol handler. However, removing the key may not be enough to fix the vulnerability [2], as the protocol handler could still be registered in other registry branches [2].
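The back-up-then-delete mitigation above, written out as an added PowerShell example (not code from the cited articles). It assumes an elevated prompt and a backup directory of C:\RegBackup, and it also checks the HKLM and HKCU Classes branches that HKCR merges, since the text notes the handler may survive elsewhere:

```powershell
# Added example: back up and remove the search-ms protocol handler registration.
# Run from an elevated PowerShell prompt. $BackupDir is an assumption; the
# HKLM/HKCU Classes paths are the branches merged into the HKCR view.
$BackupDir = 'C:\RegBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$Targets = @(
    'HKCR\search-ms',
    'HKLM\SOFTWARE\Classes\search-ms',
    'HKCU\SOFTWARE\Classes\search-ms'
)

foreach ($Key in $Targets) {
    $Name = $Key -replace '[\\:]', '_'
    $File = Join-Path $BackupDir "$Name.reg"

    # reg.exe exits non-zero when the key does not exist in this branch
    reg.exe query $Key *> $null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "Not present: $Key"
        continue
    }

    # Export first so the handler can be restored with 'reg import' if needed
    reg.exe export $Key $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup of $Key failed; leaving it in place"
        continue
    }

    reg.exe delete $Key /f | Out-Null
    Write-Host "Backed up $Key to $File and removed it"
}

# Confirm nothing still registers the handler in the merged HKCR view
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\search-ms') {
    Write-Warning 'search-ms is still registered; check remaining branches'
} else {
    Write-Host 'search-ms handler is no longer registered'
}
```

Deleting the handler also breaks any legitimate search-ms links, so pilot the change before rolling it out fleet-wide.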

Conclusion

Given the potential for adversaries to use the URI protocol handler method to evade traditional security defenses and distribute malware [1], it is crucial to exercise caution when clicking on suspicious URLs or downloading files from unknown sources [1]. Security teams should anticipate an increase in attacks using this method and consider implementing email filters [3], URL rewriting [3], and outbound internet browsing restrictions to limit the impact of search-ms attacks [3]. A layered security strategy [3], including email gateways [3], firewalls [3], content inspection tools [3], and threat intelligence [3], can help reduce the risk of this attack vector [3]. Additionally, emerging AI-based solutions can dynamically monitor baseline behaviors to manage search-ms issues effectively.

The “search-ms” URI protocol handler in Windows can be exploited by threat actors to deceive users and execute malicious code [4]. This attack technique uses JavaScript on websites and in HTML attachments to invoke the protocol [4]. Phishing emails and compromised websites deliver a malicious payload disguised as urgent sales quotation requests [4]. The attack can also be triggered through scripts embedded in HTML files [4]. Remote access trojans such as AsyncRAT and Remcos RAT are deployed to gain unauthorized control over infected systems [4]. The attacker continuously updates the files to avoid detection by security products [4]. In addition, attacker-controlled file servers pose a significant security risk [4]. Users should be alert to abuse of the “search” / “search-ms” URI protocol handlers, which is being used to deliver malicious payloads to their systems [4].

References

[1] https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html
[2] https://borncity.com/win/2022/06/02/searchnightmare-windows-10-search-ms-uri-handler-0-day-exploit-mit-office-2019/
[3] https://www.scmagazine.com/news/attackers-exploit-windows-based-search-ms-protocol
[4] https://cybersecuritynews.com/hackers-exploit-windows-search/
[5] https://patabook.com/technology/2023/07/29/hackers-abusing-windows-search-feature-to-install-remote-access-trojans/
[6] https://secoperations.wordpress.com/2023/07/29/hackers-abusing-windows-search-feature-to-install-remote-access-trojans/