New Campaign Uses Screensavers for RMM-Based Persistence
Summary:
ReliaQuest identified a spear-phishing campaign that uses Windows screensaver (.scr) files disguised as business documents to silently install legitimate remote monitoring and management (RMM) software and give attackers persistent, interactive remote access.
The attack chain begins with business-themed phishing emails that link to files hosted on trusted cloud storage services. Victims are prompted to download and run a file such as InvoiceDetails.scr. Although presented as a document, the file is an executable. When launched, it installs an unauthorized RMM agent (observed using tools such as SimpleHelp) with little or no user visibility.
Once the RMM agent is in place, the attackers gain a persistent foothold that supports:
- interactive remote control and persistence,
- internal reconnaissance and lateral movement,
- data theft and staging for exfiltration, and
- potential ransomware deployment.
Rather than deploying custom malware, the attackers rely on legitimate remote-access software. This allows the activity to blend into normal IT operations, bypass reputation- and signature-based controls, and significantly slow detection and containment.
Furthermore, screensaver files are a reliable initial-access vector. To Windows, an .scr file is an ordinary portable executable (PE): the extension is cosmetic, the file is loaded like any .exe, and opening it from Explorer runs it. The gap is in controls and habits that key on the file extension rather than the file format: mail gateways and download filters tuned for .exe and .msi, allowlists that enumerate installer and binary extensions, and users who read "screensaver" as harmless content. Code-integrity enforcement that evaluates the PE at load time (for example Windows Defender Application Control) is not fooled by the name, which is why the first control below treats .scr exactly like .exe. This mismatch between how users perceive screensavers and how Windows actually treats them lets attackers trigger code execution from email or cloud-hosted downloads while sidestepping policies tuned for traditional installer and binary formats.
Attackers capitalize on this blind spot by using business-themed filenames and routine pretexts, as seen in this campaign, making it easier to trick users into launching a downloaded “screensaver” and initiating an intrusion chain that installs an unauthorized remote-access agent and enables follow-on activity such as data theft or ransomware.
ReliaQuest observed this activity across multiple customer environments. Although attribution is unknown, the technique is highly repeatable and scalable as attackers can easily swap cloud providers and RMM products while keeping the same workflow.
Suggested Corrections:
To minimize the risk of a spear-phishing-led installation of an unauthorized RMM agent, and to limit impact if it happens, prioritize the following controls:
- Treat Screensavers as Executables: Treat screensaver .scr files as untrusted executable content. Block or restrict execution from user-writable locations (Downloads, Desktop, and Temp). Use robust application control solutions (e.g., Windows Defender Application Control, AppLocker, or equivalent) to allow execution only from trusted, signed, or explicitly approved locations.
- Govern Legitimate RMM Tools: Maintain an approved-RMM allowlist (vendor/product, signing certificate, hashes where feasible). Alert on unapproved RMM agent installation signals, including new services, scheduled tasks, and unexpected ProgramData directories, created after user-initiated execution.
- Reduce Risk from Consumer File Hosting: Block non-business file-hosting services at the DNS or web proxy layer. Where access is required, enforce browser isolation and download policies that restrict executable content (.scr, .exe, .msi) and archives likely to contain them.
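The following script is an added example written for this summary; it is not code from ReliaQuest or from any RMM vendor. It puts two of the points above into working form. The first part checks that a file users read as a "screensaver" is in fact a PE image, which is what Windows will load whatever the name says. The second part implements the two-stage alert from the RMM-governance control: an .scr launched from a user-writable path (Downloads, Desktop, Temp), followed on the same host within a short window by a service installation whose name or signer is not on the organization's RMM allowlist. The events, hostnames, paths, service names, signer strings and the approved-RMM list are all constructed for the example (simplified Sysmon Event ID 1 and System Event ID 7045 shapes), and the 15-minute window is an assumption to tune per environment.

```python
"""Added example: triage logic for the .scr -> unapproved RMM chain.

Part 1: confirm a document-looking file is a Windows PE (MZ stub + PE signature).
Part 2: correlate an .scr launch from a user-writable path with a later service
install that is not on the RMM allowlist. All data below is constructed.
"""
import re
import struct
from datetime import datetime, timedelta

DOC_LIKE_PE_EXTS = (".scr",)  # the vector on the page; extend per local policy

# Constructed allowlist of sanctioned RMM software (hypothetical names).
APPROVED_RMM_SERVICES = {"corprmm agent"}
APPROVED_RMM_SIGNERS = {"CN=CorpRMM Vendor, O=CorpRMM Inc"}

# Downloads, Desktop, per-user Temp and the system Temp directory.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)"
    r"|windows\\temp)\\", re.IGNORECASE)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def disguised_executable(name: str, data: bytes) -> bool:
    """A 'screensaver' filename that actually carries a PE header."""
    return name.lower().endswith(DOC_LIKE_PE_EXTS) and is_pe(data)


def from_user_writable_path(image: str) -> bool:
    return USER_WRITABLE.match(image) is not None


def rmm_approved(svc: dict) -> bool:
    """Service is sanctioned if its name or its signer is on the allowlist."""
    return (svc["service"].lower() in APPROVED_RMM_SERVICES
            or svc.get("signer") in APPROVED_RMM_SIGNERS)


def find_scr_rmm_chains(events, window=timedelta(minutes=15)):
    """Stage 1: .scr run from Downloads/Desktop/Temp. Stage 2: within `window`
    on the same host, a service install whose name/signer is not allowlisted."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, launch in enumerate(events):
        if launch["kind"] != "process_create":
            continue
        image = launch["image"]
        if not (image.lower().endswith(DOC_LIKE_PE_EXTS)
                and from_user_writable_path(image)):
            continue
        t0 = datetime.fromisoformat(launch["ts"])
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # events are time-ordered; nothing later can match
            if later["host"] != launch["host"] or later["kind"] != "service_install":
                continue
            if not rmm_approved(later):
                alerts.append({"host": launch["host"], "user": launch["user"],
                               "lure": image, "service": later["service"],
                               "path": later["path"]})
    return alerts


# Constructed minimal PE header: 'MZ', e_lfanew = 0x40, then 'PE\0\0'.
FAKE_SCR_BYTES = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
                  + b"PE\x00\x00" + b"\x00" * 20)

# Constructed events (simplified Sysmon-1 / System-7045 style), not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:12:04", "kind": "process_create", "host": "WS-042",
     "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\jdoe\\Downloads\\InvoiceDetails.scr"},
    {"ts": "2025-11-03T09:12:41", "kind": "service_install", "host": "WS-042",
     "service": "Remote Access Service", "signer": None,
     "path": "C:\\ProgramData\\RemoteAccessAgent\\agent.exe"},
    # Benign: a built-in screensaver path, then the sanctioned agent rolling out.
    {"ts": "2025-11-03T10:02:00", "kind": "process_create", "host": "WS-077",
     "user": "CORP\\asmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\Bubbles.scr"},
    {"ts": "2025-11-03T10:03:30", "kind": "service_install", "host": "WS-077",
     "service": "CorpRMM Agent", "signer": "CN=CorpRMM Vendor, O=CorpRMM Inc",
     "path": "C:\\Program Files\\CorpRMM\\agent.exe"},
]

if __name__ == "__main__":
    print("InvoiceDetails.scr is a PE:",
          disguised_executable("InvoiceDetails.scr", FAKE_SCR_BYTES))
    for alert in find_scr_rmm_chains(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Run as-is, the script flags the WS-042 chain and stays quiet on WS-077, where the .scr came from System32 and the service is on the allowlist. In production the same logic would be fed from Sysmon process-creation events and System log 7045 service-install events (or the equivalent EDR telemetry), and the allowlist should carry the signing certificate subject, not just a service name, since attackers control the name.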
https://reliaquest.com/blog/threat-spotlight-new-campaign-uses-screensavers-RMM-based-persistence/