The SCR Malware Hack Explained

An in-depth examination of the malware and how to protect yourself

Malware has been circulating on Twitter, email, Instagram, and Discord in recent days, stealing people’s Metamask funds, tokens, and credentials. You may have already heard about it, or someone suspicious may have reached out to you.

An introduction to social engineering

Hackers are using social engineering tricks to get their victims to click a link, download files, and install a piece of software. But what is social engineering exactly?

The attacker sent me a DM on Twitter with a decent introduction
The attacker sent a fake website that included a malware download
FVCKRENDER’s Metamask and credentials were compromised
Nicole Ruggiero’s Metamask and credentials were compromised

What is an SCR file?

An SCR file is a screensaver that Windows uses to save energy. It contains a graphic, animation, slide show, or video that you can use as a Windows screensaver. These Windows screensavers were initially designed to extend the life of CRT and plasma display monitors. If a user has specified a screensaver in Windows’ display properties, the system will automatically activate the user’s selected screensaver when the Windows machine has been inactive for a specific amount of time. This is done to keep the power consumption of these display devices to a minimum.

The SCR malware analysis

We took an extensive look at a couple of SCR files that are going around. Thanks to Colin Hardy for helping me reverse-engineer this malware. More malware analysis and related videos can be found on his YouTube channel.

The SCR samples

The initial behavioral analysis suggests that the victim’s machine is being overwhelmed (DoSed) by a large number of child processes
The strings point to gaming-related information, which is most likely a disguise
The first string points to a Google Sheet, which has since been deleted
Decompiled in dnSpy, it shows this strange function
It outputs a disguised sleep routine
It appears this sample is virtual-machine-aware and uses attributes such as disk size and OS version to decide whether it will infect further
The malware checks the Geo-IP and exits if the user is from a ‘blocked country’ or has a blocked IP address
VirusTotal reports positive Trojan detections
The strings and the information shown point to a credential stealer

Which credentials does it steal?

The malware that has been circulating in the NFT community offers a wide range of capabilities. It is capable of stealing virtually everything you have saved on your computer. Here’s a list of what it steals from you.

  • Country
  • City
  • Current PC username + HWID
  • Keyboard layouts
  • Screenshots of the screen
  • Screen resolution
  • Operating system
  • UAC settings
  • Malware admin access
  • User-Agent information about the components of the PC (video cards, processors)
  • Installed antiviruses
  • Tronlink
  • NiftyWallet
  • Metamask
  • MathWallet
  • Coinbase
  • BinanceChain
  • BraveWallet
  • GuardaWallet
  • EqualWallet
  • JaxxxLiberty
  • BitAppWallet
  • iWallet
  • Wombat
  • AtomicWallet
  • MewCx
  • GuildWallet
  • Telegram credentials
  • FTP (FileZilla) credentials
  • Discord token
  • All browser passwords/credit cards/cookies on Chromium-based browsers (Chrome etc.)
  • All browser passwords/credit cards/cookies on Gecko-based browsers (Mozilla etc.)
A screenshot showing the malware’s capabilities

How to protect yourself

Step 1 — Manage your passwords properly

Store your passwords in a password manager such as 1Password or Dashlane, and never use the same password twice! Credentials obtained from hacked databases are subsequently sold on hacker forums, which gives hackers the ability to break into your accounts if you reuse a password.

Step 2 — Use Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a method of gaining access to an online account or computer system that requires the user to provide two distinct pieces of evidence of their identity.

Step 3 — Use a hardware wallet

Hardware wallets provide you ownership and control over your digital holdings. However, with tremendous power comes tremendous responsibility: running your own bank is not easy and needs discipline. The use of a hardware wallet does not make you immune to social engineering, physical dangers, or human mistakes. Use common sense and fundamental security standards at all times.

Step 4 — Keep your seed phrase safe and secure

After setting up your hardware wallet, you will have to secure the seed phrase that came with it. But how do you do that? Your seed phrase determines the safety and availability of your whole wallet, and protecting it is your responsibility.

  • Do not store it anywhere digitally on your computer or phone
  • Never share your seed phrase with anyone

Step 5 — Enable file extensions

It is a good idea to configure Windows to display file extensions for security reasons. For example, .exe is one of many file extensions that Windows treats as a program, and .scr is another. If you can’t see the extension of a file, it’s difficult to know whether it’s a program, a safe document, or a media file. Hackers can change a program’s icon to look like an image or document, so please enable this setting.

In File Explorer, at the upper right, click the dropdown icon shown in the red box
Go to “View” and enable “File Name Extensions” and optionally “Hidden Items”
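To show why hidden extensions matter for SCR files, here is an added example (not part of the original post) that reproduces what File Explorer displays for a folder of downloads and flags program extensions hiding behind image or document extensions. The extension sets and the sample filenames are constructed for this example.

```python
import os

# Extensions Windows runs as programs (constructed subset for this example;
# .scr is a screensaver but is executed just like an .exe).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".msi", ".vbs", ".js"}
# Extensions a user expects to be harmless media or documents.
HARMLESS_LOOKING = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".mov", ".pdf", ".docx", ".txt"}

def displayed_name(filename, extensions_hidden=True):
    """The name Explorer shows. With 'File name extensions' off, Windows hides
    only the final (registered) extension, so 'artwork.png.scr' is displayed
    as 'artwork.png' and looks like a picture."""
    if not extensions_hidden:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def classify(filename):
    """'disguised-executable' if a program extension sits behind a media or
    document extension, 'executable' for a plain program, else 'other'."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return "other"
    inner = os.path.splitext(stem)[1].lower()
    return "disguised-executable" if inner in HARMLESS_LOOKING else "executable"

def audit(filenames, extensions_hidden=True):
    """Map each real filename to (what the user sees, classification) so the
    gap between the two is visible for a whole download folder."""
    return {name: (displayed_name(name, extensions_hidden), classify(name))
            for name in filenames}

# Constructed download folder: the "preview image" is really a screensaver.
SAMPLE_DOWNLOADS = ["artwork_preview.png.scr", "invoice.pdf", "setup.exe", "README"]

if __name__ == "__main__":
    for real, (shown, kind) in audit(SAMPLE_DOWNLOADS).items():
        print(f"{shown:28} -> actually {real:28} [{kind}]")
```

With extensions hidden, the first file is shown as `artwork_preview.png` although it is a screensaver that runs as a program when double-clicked.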

Step 6 — Do not trust email domains blindly

An attacker can forge the sender domain of an email, and a carefully crafted message will land in your inbox rather than the spam folder. You need to learn to read email headers to ensure that the email really comes from a trusted domain.
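As an added example (not from the original post), the check below reads the headers a practitioner looks at first: the receiving server’s Authentication-Results verdicts (SPF, DKIM, DMARC) and whether the visible From: domain matches the envelope sender in Return-Path. Both messages are constructed samples with example domains, not real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From: claims a wallet
# support domain, while the envelope sender, DKIM and DMARC disagree with it.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@bulk-mailer-example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-mailer-example.net; dkim=none; dmarc=fail header.from=wallet-support-example.com
From: "Wallet Support" <help@wallet-support-example.com>
To: you@example.org
Subject: Action required: verify your wallet
"""

# Constructed sample where every verdict lines up with the From: domain.
SAMPLE_LEGIT = """\
Return-Path: <noreply@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: Example Team <noreply@example.org>
To: you@example.org
Subject: Your monthly statement
"""

def _domain(addr):
    # Lower-cased domain part of an address such as 'Name <user@host>'
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_results(raw_message):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results
    headers that the receiving mail server added."""
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[m.group(1)] = m.group(2).lower()
    return results

def check_sender(raw_message):
    """Return (trusted, reasons). Trusted only if DKIM and DMARC pass and the
    From: domain matches the Return-Path domain that SPF was evaluated on."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    results = auth_results(raw_message)
    reasons = [f"{k}={results.get(k, 'missing')}"
               for k in ("dkim", "dmarc") if results.get(k) != "pass"]
    if from_domain != envelope_domain:
        reasons.append(f"From domain {from_domain} != envelope domain {envelope_domain}")
    return not reasons, reasons
```

Note that the spoofed sample still has `spf=pass`: SPF only vouches for the envelope domain the attacker controls, which is why the visible From: domain has to be compared against it.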

Step 7 — Install antivirus software

Antivirus software is a security tool installed on a computer system to defend it against viruses, spyware, other malware, rootkits, trojans, phishing attacks, spam, and other online threats.

Step 8 — Be aware of known scams

Scams are taking place everywhere but most of the time on Discord, Twitter, Instagram, and by email. Never send money to someone you don’t know and always verify the source. Don’t trust, verify.

I’m hacked! What happens now?

If you opened and executed the SCR or EXE file on your computer and your credentials were compromised, here’s what you should do.

Thank you for reading!

Consider following me on Twitter.

Julien is a 20-year-old digital artist from the Netherlands who uses vivid abstraction to express his thoughts and ideas.