
Hackers Disguise Malware As Screensaver Files In Fake Shipping Email Attack
Cybersecurity firm Symantec has uncovered a phishing campaign targeting industries across Asia, Europe, and the U.S., using fake shipping emails and disguised screensaver files to infect victims with malware.
In a rush? Here are the quick facts:
- The ModiLoader tool deploys stealers and remote access tools including Remcos, Agent Tesla and AsyncRAT.
- The emails pretend to be official communications from a prominent Taiwanese freight company that provides shipping updates.
- The attack targets four specific sectors: electronics, automotive, manufacturing and broadcasting.
Attackers pretend to be a major Taiwanese freight and logistics company and send phishing emails in Chinese that look like real shipment updates. The subject line includes detailed shipping info, referencing customs clearance from Kaohsiung to Atlanta on April 7.
The recipients are subsequently asked to verify shipping documents like the ISF, packing list, and invoice. Inside is a malicious file disguised as a Windows screensaver (.SCR). When clicked, it silently installs a malware loader called ModiLoader.
GBHackers notes that ModiLoader is a known threat that downloads and installs remote access tools and information-stealing malware. Symantec has reported that it has been used to drop malware such as Remcos, Agent Tesla, MassLogger, AsyncRAT and Formbook.
“While they might appear harmless, they are essentially executable programs with a different file extension. Once executed, these files can perform any action a regular executable can—such as installing loaders, backdoors, keyloggers, or ransomware. As of today, they continue to be heavily used in attack chains,” warned Symantec.
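As an added illustration (not code from the article or from Symantec), a defender-side attachment check for the pattern described above: treat .SCR and similar extensions as executables, and look for a PE header regardless of the extension a "shipping document" claims. The extension sets and sample filenames are assumptions.

```python
import struct
from typing import List

# Extensions Windows runs as native executables (the .SCR case in the article).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Out-of-range e_lfanew yields an empty slice and therefore False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def attachment_findings(filename: str, data: bytes) -> List[str]:
    """Return reasons to quarantine an attachment; an empty list means nothing matched."""
    name = filename.lower()
    parts = name.rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext}")
        # Double extensions such as 'invoice.pdf.scr' hide the real type from users.
        if name.count(".") >= 2:
            findings.append("double extension hides an executable")
    # Content/extension mismatch: a PE image presented as a document or image.
    if is_pe_image(data) and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"PE header inside a file presented as '{ext or 'no extension'}'")
    return findings


def fake_pe() -> bytes:
    """Constructed minimal PE image for testing: 'MZ' stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    # Constructed sample attachments mirroring the lure (ISF, packing list, invoice).
    samples = [
        ("Shipping_Docs_ISF.scr", fake_pe()),
        ("invoice.pdf.scr", fake_pe()),
        ("packing_list.pdf", fake_pe()),
        ("packing_list.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ]
    for fname, blob in samples:
        print(fname, "->", attachment_findings(fname, blob) or "clean")
```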
The campaign has affected multiple sectors including automotive, electronics, publishing, broadcasting, and manufacturing, and the victims are located in countries such as Japan, the UK, Sweden, the U.S., Hong Kong, Taiwan, Thailand, and Malaysia.
Symantec is fighting the threat by using a variety of protections including machine learning, file scanning, email filtering, and Carbon Black endpoint security. The malware has been flagged under multiple names including Trojan.Gen.MBT and Scr.Malcode!gen19.
Experts urge businesses to educate employees about suspicious emails.