Varenyky Spambot Trojan targets French users in alleged sextortion campaign

A new Spambot Trojan, tracked as Varenyky, was spotted while targeting users as part of a new alleged sextortion campaign.

The malware records the victim’s screen when they are visiting adult-related sites. Varenyky was discovered by researchers at ESET in May and reported by Any.run in June.

Interesting sample! It doesn’t run with en-US locale but starts an activity with fr-FR on x64. Tries to connect to email services (25 port) and uses TOR to communicate with C2. What is it?
US: https://t.co/t7QfP3d8GV
FR: https://t.co/HEUFFXvO95
PL: //proapp.icu/ph.exe
#malware

— ANY.RUN (@anyrun_app) June 4, 2019

“In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France,” reads the analysis published by ESET. “After further investigations, we identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP. We notified them before the release of this publication.”

The Varenyky spambot Trojan is distributed through malspam emails that appear to be messages that include invoices or bills. The spam messages come with a weaponized Word document.

When a user opens the document and enables the embedded macro, the malicious code first checks that the system language is French before downloading and executing the spambot.

The download code halts execution if the victim’s PC is set to English or Russian.

Once executed, the Trojan connects to the Command & Control server over Tor to receive instructions. The spam campaign targets customers of the French ISP Orange and includes links that point to scam sites.

The malware is able to perform several malicious activities, such as downloading and executing files and running PowerShell commands.

The malware has the ability to update itself by downloading an executable from a specific URL. It is also able to uninstall itself from the computer or to deploy NirSoft’s WebBrowserPassView and Mail PassView tools, which the malware uses to steal web browser and email client passwords.

Varenyky can monitor the victim’s open windows, looking for window titles containing words related to sex and adult content (e.g. ‘sexe’, ‘xxx’, ‘pornhub’ and many others). When one of these words is present in a window title, the malware can record the screen using an FFmpeg executable and then upload the video to the C&C server through a downloaded Tor client.

“The malware would record the computer’s screen using an FFmpeg executable that it previously would have downloaded through the Tor network. The video was uploaded to the C&C server after it was recorded.” continues the analysis.

“These videos could have been used for convincing sexual blackmail; a practice called sextortion. It’s unknown if these videos were recorded out of curiosity by the author(s) of the spambot or with an intention to monetize them through sextortion.”

Although the Varenyky Trojan could record videos of victims, at the time of writing ESET is not aware of their use in any kind of sextortion activity.


Pierluigi Paganini

(SecurityAffairs – Varenyky Trojan, sextortion)

The post Varenyky Spambot Trojan targets French users in alleged sextortion campaign appeared first on Security Affairs.