Attackers Use Windows Screensavers to Drop Malware, RMM Tools
Summary
Attackers are using Windows screensaver (.scr) files to deliver malware and remote monitoring and management (RMM) tools. The technique bypasses some security controls that are typically applied to executable files, making detection more difficult. Researchers have noted that .scr files, while technically executables, often aren't treated as such by security software.
IFF Assessment
The use of screensavers to deliver malware represents a novel and potentially effective evasion technique against common security controls.
Severity
Defender Context
Defenders need to be aware that attackers are using .scr files to deliver malicious payloads, evading traditional executable-based security measures. Monitor for unusual .scr file execution and network connections. This trend highlights the need for more comprehensive endpoint detection and response strategies that analyze file behavior rather than relying solely on file extensions or signatures.
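The monitoring described above, as an added example that is not part of the original brief: a triage pass that flags .scr processes started outside the Windows system directories and any .scr process that opens a network connection. The event field names, the trusted-directory list and the sample events are assumptions constructed for illustration, standing in for normalized EDR or Sysmon-style process and network telemetry.

```python
import ntpath

# Assumption: screensavers shipped with Windows run from these directories.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def triage(events):
    """Correlate .scr process starts with their network activity by (host, pid)."""
    findings = {}
    for ev in events:
        image = ev["image"]
        if not image.lower().endswith(".scr"):
            continue  # only screensaver images are in scope
        key = (ev["host"], ev["pid"])
        entry = findings.setdefault(
            key, {"image": image, "reasons": [], "destinations": []})
        if ev["type"] == "process_create":
            # A .scr launched from a user-writable path is unusual.
            if ntpath.dirname(image).lower() not in TRUSTED_DIRS:
                entry["reasons"].append("scr_outside_system_dir")
        elif ev["type"] == "network_connect":
            # Behaviour check: a screensaver talking to the network.
            if "scr_network_connection" not in entry["reasons"]:
                entry["reasons"].append("scr_network_connection")
            entry["destinations"].append(ev["dest"])
    # Keep only processes that tripped at least one rule.
    return {k: v for k, v in findings.items() if v["reasons"]}

# Constructed sample events (hypothetical hosts, paths and documentation IP).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "pid": 4120,
     "image": r"C:\Windows\System32\scrnsave.scr"},
    {"type": "process_create", "host": "WS02", "pid": 5532,
     "image": r"C:\Users\alice\Downloads\Invoice.SCR"},
    {"type": "network_connect", "host": "WS02", "pid": 5532,
     "image": r"C:\Users\alice\Downloads\Invoice.SCR",
     "dest": "203.0.113.10:443"},
    {"type": "network_connect", "host": "WS01", "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest": "203.0.113.20:443"},
]

if __name__ == "__main__":
    for (host, pid), hit in triage(SAMPLE_EVENTS).items():
        print(host, pid, hit["image"], hit["reasons"], hit["destinations"])
```

The extension match is case-insensitive, and the decision rests on where the file ran and what it did, not on the extension alone.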