Searchtabs.io Comes With Persistence Mechanism

Searchtabs.io is the URL of a counterfeit search engine. While examining suspicious websites, our team stumbled upon a deceptive webpage that used explicit content to entice users into downloading an installation setup. This particular setup included a browser hijacker that promotes the use of the searchtabs.io website.

While software falling into this category typically alters browser settings to endorse certain websites, this setup, in our testing environment, did not make any changes to the browser. It's worth noting that this hijacker employs a technique to ensure its persistence, making it challenging for users to regain control of their browsers.

Once we installed the setup that promotes searchtabs.io on our test machine, we discovered that it affects new browser tabs and windows. Whenever a new tab or window is opened, it automatically redirects to searchtabs.io, with each redirection featuring a randomized search query.

Fake search engines are labeled as such because they usually cannot provide legitimate search results and instead redirect users to well-known internet search engines like Bing, Google, or Yahoo. Browser hijacking software tends to trigger redirections to illegitimate search engines when users open new tabs or windows or enter search queries in the URL bar. However, as previously mentioned, the behavior of the browser hijacker promoting searchtabs.io is distinct from the norm.

As noted above, this software also has a persistence mechanism. The redirections are initiated by a process named "UITheme.exe," but terminating this process alone does not stop them. The browser hijacker uses a tool called "ServiceUI" from the Microsoft Deployment Toolkit, which ensures that "UITheme.exe" is restarted even if it is manually terminated through the Windows Task Manager or after a system reboot.

What Are Some of the Common Methods Malicious Software Uses to Achieve Persistence?

Malicious software often employs various techniques to achieve persistence on a compromised system. These methods ensure that the malware remains active and operational even after system reboots or attempts to remove it. Here are some common methods used for achieving persistence:

  • Startup Programs and Services: Malware may add entries to system startup programs or services, ensuring that it runs every time the system boots.
  • Registry Keys: Malware can modify the Windows Registry to create or modify keys and values that execute the malware during system startup.
  • Scheduled Tasks: Malicious software can create scheduled tasks that run at specified intervals, enabling the malware to persistently run in the background.
  • Autostart Locations: Malware may add itself to autostart locations, such as the Startup folder in the Start menu or the Startup folder in the All Users directory.
  • Browser Extensions and Add-ons: Browser-based malware, such as adware or browser hijackers, can install extensions or add-ons in web browsers to control and manipulate user browsing.
  • Service Creation: Malicious software can create new Windows services or manipulate existing ones to ensure its continued operation.
  • DLL Injection: Malware can inject itself into legitimate processes or load its dynamic-link library (DLL) into system processes, disguising its presence.
  • File System Changes: Malware may create hidden or system files and folders to store its components or configuration data, making it difficult to detect.
  • Bootkit or Rootkit Installation: Advanced malware can install bootkits or rootkits, which compromise the boot process or the core operating system, making them extremely difficult to detect and remove.
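A defender-side check for the persistence mechanism described above and for the autostart locations in the list, as an added example that is not code from the article or from Cyclonis: it enumerates Run/RunOnce keys, scheduled tasks, services and Startup folders and reports entries referencing the names the article gives, UITheme.exe and ServiceUI. It assumes a Windows host with PowerShell 5.1 or later and the ScheduledTasks module; the function name is my own.

```powershell
# Added example, not code from the article or from Cyclonis: enumerate the common
# Windows autostart locations and report entries that reference the names the
# article gives, "UITheme.exe" and "ServiceUI". Run from an elevated PowerShell.
function Find-AutostartReferences {
    param([string[]]$Patterns = @('UITheme', 'ServiceUI'))
    $Findings = [System.Collections.Generic.List[object]]::new()
    $Report = {
        param($Source, $Name, $Command)
        if ($Command -and ($Patterns | Where-Object { $Command -match $_ })) {
            $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
        }
    }
    # 1. Run / RunOnce registry keys, per-machine and per-user
    foreach ($Hive in 'HKLM', 'HKCU') {
        foreach ($Sub in 'Run', 'RunOnce') {
            $Key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$Sub"
            if (-not (Test-Path $Key)) { continue }
            foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
                if ($P.Name -notlike 'PS*') { & $Report $Key $P.Name ([string]$P.Value) }
            }
        }
    }
    # 2. Scheduled tasks: the executable and arguments of every action
    foreach ($Task in Get-ScheduledTask) {
        foreach ($A in $Task.Actions) {
            & $Report 'ScheduledTask' $Task.TaskName "$($A.Execute) $($A.Arguments)"
        }
    }
    # 3. Services: a service wrapping ServiceUI would survive reboots and Task Manager kills
    foreach ($Svc in Get-CimInstance Win32_Service) {
        & $Report 'Service' $Svc.Name $Svc.PathName
    }
    # 4. Startup folders for the current user and all users (shortcut targets are not resolved)
    $Dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($F in (Get-ChildItem -Path $Dirs -File -ErrorAction SilentlyContinue)) {
        & $Report 'StartupFolder' $F.Name $F.FullName
    }
    return $Findings
}

Find-AutostartReferences | Format-Table -AutoSize
```

Any row in the output is a candidate for removal after confirming the referenced file is not a legitimate part of an MDT deployment; an empty result does not rule out the other persistence methods listed above.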
October 20, 2023