SettingContent-ms can be Abused to Drop Complex DeepLink and Icon-based Payload

Microsoft’s SettingContent-ms has become a recent topic of interest. In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy, a RAT also used by the Necurs botnet. That campaign was mostly targeting banks in different countries across Asia and Europe.

SettingContent-ms is a recent addition to Microsoft software, first introduced in Windows 10. Its contents are written in XML, and these files normally hold setting content for Windows functions, such as update processes and the default applications used to open particular file types. The most common use of this file type is to act as a shortcut that opens the old Windows Control Panel.

Read more…
Source: Trend Micro