ESET experts warned that since May 2019, French users have been attacked by Windows malware Varenyky, which not only sends spam from infected machines, but also records everything that happens on victims’ computers when they visit porn sites — Varenyky spies on porn sites users.
Varenyky spreads according to the classical scheme – through malicious emails that supposedly contain some important invoices. In fact, of course, there is no accounts in investments, and malware penetrates users’ machines in this way.The main goal of Varenyky is to send spam that targets French users (mainly aimed at the clients of the Internet provider Orange SA).
“This spambot is not very advanced, but the context and story around it make it interesting. Many functions have been added and then quickly removed across many different versions in a short period of time (two months). This shows that the operators are actively working on their botnet and are inclined to experiment with new features that could bring a better monetization of their work”, — report in ESET.
As a rule, malware spread by links to suspicious promotions that supposedly allow winning expensive smartphones. To participate in such a “draw” the user, of course, needs to enter a lot of personal data, including name, address, city, email address, phone number and bank card information.
However, in late July, Varenyky began to send out other messages related to “sextortion.”
Note: The term sextortion derived from the words “sex” and “extortion” and is used to indicate such activity.
In such messages, Varenyky operators claim that they infected users’ computers while visiting adult sites, recorded everything on video and now demand a ransom. Interestingly, these statements are only partially false.
The fact is that Varenyky, of course, does not follow random recipients of spam emails, but really has a hidden function that looks through the window titles and looks for words related to pornography, for example, the French “sexe”. Then, using the FFmpeg library, the malware records everything that happens on the user’s screen. That is, this function should work when a user visits adult sites. The video recorded in this way is transmitted to the control server of the malware, located on the Tor network.
What then the malware operators do with the received video is unknown. ESET analysts note that as Varenyky is under development, malware now has new features, and old ones are deleted. Because of this, it is difficult to understand why Varenyky’s operators collect such videos (allegedly virus writers can do this for fun or simply of curiosity).
Read also: The new version of the banking Trojan TrickBot “kicks off” Windows Defender
It is also possible that in the future, attackers plan to blackmail Varenyky victims with recorded videos, extorting money from them. The fact is that Varenyky operators can easily associate recordings with the real identities of users. To do this, the malware has another hidden function that extracts usernames and passwords from browsers and email clients. All this data is also transmitted to the management server.
And if Varenyky developers ever decide to ransom money from users, they will know exactly where and to whom to send a compromising record about a visit to a porn site.
Recomendations:
ESET recommends that people be careful when they open attachments from unknown sources. Keep system as well as security software up to date.
