Cyber Security News

Threat Actors Use Windows Screensaver Files as Malware Delivery Method

Cybersecurity experts at Symantec have uncovered a sophisticated phishing campaign targeting various sectors across multiple countries, leveraging the Windows screensaver file format (.scr) as a vector for malware distribution.

This method, while seemingly innocuous, allows attackers to execute malicious code under the guise of a harmless screensaver file: a .scr file is an ordinary Windows executable with a different extension, so opening it runs code exactly as an .exe would.

Campaign Overview

The campaign, observed by Symantec, involves threat actors impersonating a reputable Taiwanese logistics company.

The phishing emails, written in Chinese, purport to provide updates on international shipments, presenting recipients with a fictitious logistics notification.

The email subject line reads, “//AMD ISF + AMD BL DRAFT // 聯盛 – 裝船通知單 – 4/7 結關 KAO TO ATLANTA,GA VIA NYC CFS【友鋮】SO.N023,” and requests verification of shipping details along with accompanying documents.

Malicious Payload Delivery

Attached to these emails is a malicious archive titled “景大 台北港ISF (032525) – invoice# JN-032525C – KAO TO ATLANTA,GA VIA NYC CFS【友鋮】SO.N023.xlsx.rar.”

Within this archive lies a .SCR file, which, when executed, deploys ModiLoader, a Delphi-based malware loader known for its versatility in deploying various types of malware.

This loader has been observed distributing threats like Remcos, Agent Tesla, MassLogger, AsyncRAT, and Formbook, among others.
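The delivery pattern above (a document-looking double extension such as ".xlsx.rar" wrapping an archive whose member is a .scr file, which is really a PE executable) can be screened for at the mail gateway. The following is an added example, not Symantec's or the campaign's code; it uses a ZIP container instead of RAR because the Python standard library cannot read RAR archives, and the sample attachment it builds is constructed, not from the campaign.

```python
"""Flag mail attachments matching the .scr-in-archive delivery pattern.
Example code (not Symantec's). Uses ZIP instead of RAR because the Python
standard library has no RAR reader; the logic is the same for either."""
import io
import zipfile

# Extensions Windows executes directly; .scr is just a renamed .exe
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf"}

def has_document_double_extension(name: str) -> bool:
    """True for names like 'invoice.xlsx.rar' where a document extension
    sits directly before the real (archive) extension."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS

def is_pe_image(data: bytes) -> bool:
    """A .scr is a PE image: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    if has_document_double_extension(name):
        findings.append(f"document-style double extension: {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = "." + info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable member in archive: {info.filename}")
                if is_pe_image(zf.read(info)[:0x200]):  # header bytes are enough
                    findings.append(f"PE executable disguised as {ext}: {info.filename}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a zip holding a minimal fake PE named like a screensaver."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little"))
    fake_pe += b"PE\0\0" + b"\0" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice JN-000000.xlsx.scr", bytes(fake_pe))
    return buf.getvalue()

if __name__ == "__main__":
    for line in scan_attachment("shipping notice.xlsx.zip", build_sample()):
        print(line)
```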

The campaign targets a diverse range of sectors including Industrial Machinery Manufacturing, Publishing, Broadcasting, Automotive Manufacturing, Electronics, Adhesive Products Manufacturing, Conglomerate (Automotive, Aerospace), Sanitary Ware Retail, Abrasive Products Manufacturing, and Theme Park industries.

The countries affected include Japan, the United Kingdom, Sweden, the United States, Hong Kong, Taiwan, Thailand, and Malaysia.

Symantec has implemented several protective measures to mitigate this threat:

  • Adaptive-based: Identified as ACM.Untrst-RunSys!g1, Symantec’s adaptive protection mechanisms are designed to detect and block such threats.
  • Carbon Black-based: VMware Carbon Black products have policies in place to block all types of malware, including known, suspect, and potentially unwanted programs (PUPs), with a recommendation to delay execution for cloud scanning to leverage the reputation service.
  • Email-based: Symantec’s email security products and Email Threat Isolation (ETI) technology provide an additional layer of defense against phishing attempts.
  • File-based: The malware is detected as Trojan.Gen.MBT and Scr.Malcode!gen19, ensuring that malicious files are identified and blocked.
  • Machine Learning-based: Symantec’s machine-learning heuristic detects the threat as Heur.AdvML.B.

This campaign underscores the ongoing evolution of cyber threats, where attackers continue to exploit seemingly benign file formats to deliver sophisticated malware.

Organizations are urged to remain vigilant, update their security measures, and educate employees about the risks associated with opening unexpected attachments, even if they appear to come from legitimate sources.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
