The SCR Malware Hack Explained

An in-depth examination of the malware and how to protect yourself

An introduction to social engineering

The attacker sent me a DM on Twitter with a decent introduction
The attacker sent a fake website that included a malware download
FVCKRENDER's MetaMask and credentials were compromised
Nicole Ruggiero's MetaMask and credentials were compromised

What is an SCR file?

The SCR malware analysis

The SCR samples

The initial behavioral analysis suggests that the victim's machine is being DoSed by a large number of child processes
The strings point to gaming-related information, which is most likely a disguise
The first string points to a Google Sheet, which has since been deleted.
Decompiled in dnSpy, it shows this strange function
It outputs a disguised sleep routine
It appears this sample is virtual-machine-aware and uses attributes such as disk size and OS version to decide whether it will infect the host any further.
The malware performs a Geo-IP check and exits if the user is in a ‘blocked country’ or has a blocked IP address
VirusTotal reports positive Trojan alerts
The strings and the information shown point to a credential stealer

Which credentials does it steal?

A screenshot showing the malware’s capabilities

How to protect yourself

Step 1 — Manage your passwords properly

Step 2 — Use Two-Factor Authentication (2FA)

Step 3 — Use a hardware wallet

Step 4 — Keep your seed phrase safe and secure

Step 5 — Enable file extensions

At the upper right, click the dropdown icon highlighted with a red box
Go to “View” and enable “File Name Extensions” and, optionally, “Hidden Items”
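To show why Step 5 matters, here is an added Python example (not from the original article) that models how Explorer hides only the last extension of a file name, so an executable `.scr` can pass for an image; the file names it checks are constructed samples.

```python
import os

# Extensions Windows runs directly on double-click. A ".scr" (screensaver)
# is a plain PE executable, no different from ".exe" in what it can do.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Extensions a user reads as harmless content.
CONTENT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx"}


def explorer_display_name(filename: str) -> str:
    """Name shown when 'Hide extensions for known file types' is enabled.

    Only the final extension is hidden, so 'art.jpg.scr' displays as 'art.jpg'.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename: str) -> dict:
    """Compare the type a user perceives with the type Windows will actually run."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = explorer_display_name(filename)
    perceived_ext = os.path.splitext(shown)[1].lower()
    executable = real_ext in EXECUTABLE_EXTENSIONS
    # The dangerous case: the visible name ends in a content extension while
    # the real, hidden extension is executable.
    disguised = executable and perceived_ext in CONTENT_EXTENSIONS
    return {
        "filename": filename,
        "shown_as": shown,
        "real_extension": real_ext,
        "executable": executable,
        "disguised_as_content": disguised,
    }


def flag_disguised(filenames) -> list:
    """Return only the names that look like content but would execute."""
    return [name for name in filenames if classify(name)["disguised_as_content"]]


if __name__ == "__main__":
    # Constructed sample names, as they might arrive in a download folder.
    samples = ["cute_artwork.jpg.scr", "setup.scr", "photo.png", "README"]
    for name in samples:
        info = classify(name)
        print(f"{name:24} shown as {info['shown_as']:20} executable={info['executable']} "
              f"disguised={info['disguised_as_content']}")
```

With extensions hidden, `setup.scr` shows as just `setup`, which is why the check also reports plain executables rather than only the double-extension case.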

Step 6 — Do not trust email domains blindly

Step 7 — Install antivirus software

Step 8 — Be aware of known scams

I’m hacked! What happens now?

Thank you for reading!

Julien is a 20-year-old digital artist from the Netherlands who uses vivid abstraction to express his thoughts and ideas. ✦ Say hi! ↬ hi@julien.pro