A new Spambot Trojan targeting French people has been discovered that records a victim’s screen when they are using sites related to sex, pornography, and known pornographic sites.
We have all heard about the fake “sextortion” email scams that tell recipients that they have installed software that records them while you are on adult web sites. After a year of these emails being sent out, many people have come to recognize them as a scam.
In a new report by released today by ESET, a new Spambot is about to make things confusing. That is because it has been discovered to record your screen while you are on porn sites or pages with keywords related to sex.
This new Spambot is being named Varenyky by ESET researchers who said they discovered it when they saw an uptick of infections targeting French users in may. This same Trojan was also found by Any.run in June.
“In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France,” ESET said in a new report. “After further investigations, we identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP. We notified them before the release of this publication.”
The Varenyky spambot Trojan is distributed through malspam emails that pretend to be invoices or bills. These emails are worded to try and convince the user to open malicious Word attachments.
When a user opens the attachment and enables its content, a Word macro will check to see if the language configured in Windows is French (fr-FR), and if not, will not install any malware.
On the other hand, if the computer is configured to that language, it will download the spambot and execute it. The downloaded malware also has a language check, but this time it is looking only for the English or Russian language, and if detected, will terminate the malware with the following error.
If the malware passes the language checks, it will now be configured to start automatically on the victim’s computer.
Once running, the Trojan will connect back to it’s command & control server over Tor to get instructions on what spam to send. These spam emails target customers of the French ISP Orange telecommunications company and contain links that redirect recipients to scam sites like the ones below.
It will also routinely connect to the malware’s command & control servers over Tor where it will get commands to execute or other programs to download.
According to the ESET researchers, they have seen this Trojan having the ability to execute batch files, executables, and PowerShell commands. Some variants will also download NirSoft’s legitimate WebBrowserPassView and Mail PassView tools in order to steal browser and email account passwords, which are then sent back to the C2.
Recording your screen when on adult sites
At one time the Trojan included the feature to monitor your web browser for browser window titles related to sex such as sexe, xxx, or webcam, or pornhub, as well as words related to bitcoin and hitler.
If it detected you were browsing a web page whose title contained one of the above words, it would use a downloaded FFmpeg executable to record your screen. The recorded videos would then be sent back to its command & control server via a downloaded Tor client.
It is not known if these videos were being created for the attacker’s curiosity or if there were plans on using it for sextortion emails against the victims.
“These videos could have been used for convincing sexual blackmail; a practice called sextortion. It’s unknown if these videos were recorded out of curiosity by the author(s) of the spambot or with an intention to monetize them through sextortion. “
Although the Varenyky Trojan had the ability to record these videos, ESET has seen no indication that they have been used in an actual sextortion campaign against the victim or others.