Threat Actors Weaponize Windows Screensaver Files to Distribute Malware

Cybercriminals continue to exploit the Windows screensaver file format (.SCR) as a vector for malware distribution.

While screensavers may seem innocuous, they are executable files capable of performing any action a standard program can, including deploying loaders, backdoors, keyloggers, or ransomware.

A recent campaign observed by Symantec highlights the persistent use of this method in sophisticated phishing attacks.

Ongoing Campaign Targets Global Industries

In a recent attack, threat actors impersonated a prominent Taiwanese freight forwarding and logistics company to deliver malware.

The phishing emails, written in Chinese, were crafted to appear as legitimate logistics updates.

They informed recipients about a fictitious shipment scheduled to clear customs on April 7 from Kaohsiung, Taiwan, to Atlanta, Georgia, via New York.

The emails requested verification of the shipping order and included an attachment titled “景大 台北港ISF (032525) – invoice# JN-032525C – KAO TO ATLANTA,GA VIA NYC CFS【友鋮】SO.N023.xlsx.rar.”

The malicious archive contained a disguised .SCR file which, when executed, deployed ModiLoader, a malware loader written in Delphi.

ModiLoader is known for delivering various malicious payloads such as Remcos, Agent Tesla, MassLogger, AsyncRAT, and Formbook.

These payloads enable data theft and remote access to compromised systems.

This campaign primarily targeted industries such as automotive manufacturing, industrial machinery manufacturing, electronics, publishing, broadcasting, and theme parks.

Victims were located across multiple countries, including Japan, the United Kingdom, Sweden, the United States, Hong Kong, Taiwan, Thailand, and Malaysia.

The broad scope of sectors and geographies underscores the attackers’ intent to maximize their reach and impact.

Technical Details of the Malware

The .SCR file format is frequently abused due to its ability to execute commands like any other executable file.

In this campaign:

  • The attackers embedded ModiLoader within the screensaver file.
  • Upon execution, ModiLoader acted as a delivery mechanism for additional malware.
  • The loader retrieved secondary payloads from compromised servers or cloud storage platforms like Microsoft OneDrive.

ModiLoader has been used in various campaigns over the years due to its versatility and ability to evade detection.

It often employs techniques such as obfuscation and compression to bypass security filters.
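Because a screensaver is an ordinary Windows PE executable, a defender should classify an attachment by its bytes rather than by the extension in its name. The following Python helper is an added example, not code from Symantec's report or from this article: it flags an executable extension such as .scr, a document extension hidden before the real one (as in the campaign's ".xlsx.rar" attachment name quoted above), and any payload whose content carries a valid PE header. The function names and the constructed PE stub are assumptions for illustration.

```python
# Content-based screening of attachments: a screensaver is an ordinary PE executable,
# so an attachment is judged by its bytes, not its name. Helper names and the PE stub
# are assumptions for illustration, not code from Symantec or the campaign.
import struct
from typing import List

EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}
DOCUMENT_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf"}
# Attachment name quoted in the article (the archive that carried the .SCR file).
CAMPAIGN_ATTACHMENT = ("景大 台北港ISF (032525) – invoice# JN-032525C – KAO TO "
                       "ATLANTA,GA VIA NYC CFS【友鋮】SO.N023.xlsx.rar")

def is_pe(data: bytes) -> bool:
    """True when the bytes start with an MS-DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def name_findings(filename: str) -> List[str]:
    """Flag an executable final extension and a document extension hiding before the real one."""
    exts = ["." + p for p in filename.lower().rsplit("/", 1)[-1].split(".")[1:]]
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if len(exts) >= 2 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    return findings

def classify(filename: str, data: bytes) -> List[str]:
    """Combine name and content checks; a PE under a non-executable name is a mismatch."""
    findings = name_findings(filename)
    if is_pe(data):
        findings.append("pe-content")
        if "executable-extension" not in findings:
            findings.append("extension-mismatch")
    return findings

def constructed_pe_stub() -> bytes:
    """Constructed sample: MZ header, e_lfanew = 0x40, 'PE\\0\\0' signature; not a runnable program."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)

if __name__ == "__main__":
    print(classify(CAMPAIGN_ATTACHMENT, b"Rar!\x1a\x07\x01\x00"))  # ['double-extension']
    print(classify("invoice.scr", constructed_pe_stub()))          # ['executable-extension', 'pe-content']
    print(classify("invoice.xlsx", constructed_pe_stub()))         # ['pe-content', 'extension-mismatch']
```

The archive member itself would be checked the same way once extracted, so a .SCR renamed to look like a spreadsheet still surfaces as a PE with an extension mismatch.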

According to the report, Symantec has implemented multiple layers of protection against this threat:

  1. File-Based Detection: Threat signatures such as Trojan.Gen.MBT and Scr.Malcode!gen19 ensure that malicious files are identified.
  2. Machine Learning: Advanced heuristics (e.g., Heur.AdvML.B) enhance detection capabilities.
  3. Email Security: Symantec’s email security products block malicious attachments while Email Threat Isolation (ETI) adds an extra layer of defense.
  4. Behavioral Analysis: Adaptive detection mechanisms like ACM.Untrst-RunSys!g1 analyze suspicious behavior in real-time.

Additionally, VMware Carbon Black products provide robust protection by blocking known and suspected malware types while delaying execution for cloud-based reputation checks.

The abuse of Windows screensaver files reflects a broader trend of attackers leveraging unconventional file formats to evade detection.

By masking malicious payloads in formats like .SCR or even CAB headers disguised as batch files (as seen in other campaigns), threat actors aim to bypass traditional security measures.

Organizations must remain vigilant against such threats by adopting comprehensive cybersecurity strategies that include endpoint protection, email filtering solutions, and user awareness training.

As attackers continue to refine their methods, proactive defense remains critical in mitigating risks associated with these campaigns.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
