If you’ve read security blogs for any length of time, you’ll likely be very familiar with the ubiquitous .SCR file.
Malware authors love the .SCR file extension because “SCR” looks like something many people would associate with the word “screenshot” and / or image files.
Seriously, the technique is practically prehistoric by infosec standards.
Nevertheless, it lives on and scammers are forever trying their luck with links to fake Steam trading images.
Sure enough, screenshots are again being used as the theme for malware bait with the following offer of a supposed image file:
The page in question, imagesbox(dot)su, appears to resemble the official LightShot website to some degree (indeed, you can see it appears to be making use of their CSS as per the Urlquery scan). There are also some social media buttons and a link to an app, but none of the links went anywhere at the time of writing.
LightShot is certainly a popular site for scammers to target and / or emulate as of late. In this case, the site offers up IMG_02042015.scr, which users of Malwarebytes Anti-Malware will find we detect as Trojan.MSIL.A (VirusTotal score is currently 26 / 57, which is sure to change).
If a website is trying to give you an .SCR file under the guise of “It’s an image, honest”, it’s time to turn around and walk quickly in the opposite direction.
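One way a download or mail filter could enforce that advice, as an added example that is not from the original post: a .scr screensaver is an ordinary Windows PE executable, so the check looks at both the final extension and the file's leading bytes rather than trusting the "image" label. The function names and verdict strings are hypothetical, and the sample bytes are constructed header stubs, not the file from the scam page.

```python
import struct

# Extensions Windows launches as programs. A .scr screensaver is an ordinary PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

# Constructed sample inputs (not real malware): a bare MZ/PE header stub and a PNG signature.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension(filename: str) -> str:
    """Final extension, lower-cased; Windows ignores trailing dots and spaces in names."""
    name = filename.lower().rstrip(". ")
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def classify_download(filename: str, data: bytes) -> str:
    """Verdict for a file that a page or message presented as an image."""
    if extension(filename) in EXECUTABLE_EXTS or is_pe(data):
        return "block"    # a program, whatever the name or link text claims
    if data.startswith(IMAGE_MAGIC):
        return "allow"    # content really starts with an image signature
    return "review"       # neither a known image nor an obvious executable


if __name__ == "__main__":
    for name, blob in [("IMG_02042015.scr", SAMPLE_PE), ("IMG_02042015.png", SAMPLE_PE),
                       ("IMG_02042015.jpg.scr ", SAMPLE_PNG), ("shot.png", SAMPLE_PNG)]:
        print(f"{name!r}: {classify_download(name, blob)}")
```

Checking the content as well as the name catches an executable that has simply been renamed to .png or .jpg, which an extension-only rule would let through.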
Using .SCR fakeouts in scams such as the above is a technique that’s been around for so long it’s hard to believe that it keeps reeling in victims, but unfortunately we keep on falling for it. Let’s see if we can make things a little more difficult for the malware authors by not taking the bait.