Computer security firm ESET warned about the malware, called Varenyky, that was spread via email and targeted French people.
It is malware and ESET has not penetrated all its secrets. On Thursday, August 8, the company specializing in computer security announced that it detected an email-delivered program capable of recording the screens of Internet users visiting pornographic sites. One peculiarity: The software, which she calls Varenyky, seems to be aimed only at French people. explain.
What does this malware do?
The software, discovered by ESET in May, has gone through several versions. It is able to perform different tasks on the computer it infects.
Record the pictures of netizens browsing pornographic content. When a user of an infected computer opens a window with porn-related keywords (along with the terms “Bitcoin” or… “Hitler”), the software records what happens on the screen and sends it to a remote server.
Send spam. Among other things, infected computers were used to send “phishing” messages to thousands of people. Phishing involves tricking Internet users into stealing personal information. In this particular case, the message sent would encourage the target to click on a link to a page, convincing him that he was about to win a smartphone, provided he provided his name, address, email, phone number, etc. And, of course, his credit card number.
steal passwords. Varenyky is able to steal usernames and passwords from Internet browsers or email management software.
How does it spread?
Varenyky spreads via email. ESET gave an example of the type of email victims received, titled “Invoice”. “Payment for order #656472 of 491.27 euros has just been verified,” the email read, along with the alleged invoice, as a Word document. The recipient of such an order does not remember what worries him and encourages him to open the attachment to learn more. It was her who contained the malware. This one is for Windows.
Who is he targeting?
The software is designed to target French: the ESET team found that it checks if Windows is configured in French and defines France as a country before launching. It also checks the keyboard configuration to exclude English or Russian keyboards. Why are there so many precautions only for the French? ESET offers a tentative explanation on its website:
“Due to the limited number of computer configurations on which this malware is installed, this is a neat trick to fool automated sample analyzers and avoid attracting attention.»
To find out if you are infected, ESET, which manufactures and sells antivirus software, offers an online scanner.
Also, spam sent by Varenyky is only sent to orange.fr (or wanadoo.fr, ancestor of the Orange Internet service provider) email addresses.
Who is the author of this malware?
The few clues available to ESET do not allow it to venture into hypotheses. However, the company highlighted the quality of the French language used in the emails containing the malware, “which may indicate that its operators are fluent in French”.
Even more surprising, the ESET team discovered a page, accessible on the dark web via TOR software, that apparently allowed the malware’s authors to connect to an interface to a remote server that retrieved stolen information. The page has been revised several times, and in different versions, the researchers were able to see that, there, a statue of Marianne with red eyes, the Latin formula “vade retro satanas”, the German sign “Arrêt – Frontière” of the country – forbidden to enter “, Mylène Farmer Fuck Them All’s song auto-start, Serbian beer commercials, photos of Pink Panther censors, connect buttons in Russian… It’s hard to draw any conclusions.
However, ESET notes that the software is “not very developed”. The company found what appeared to be errors in the code, noting a “lack of attention to the work of the operators.”
Did the hackers blackmail their victims?
ESET said it found no evidence that screen recordings were used to blackmail victims. “It is not known whether the videos were made to satisfy the curiosity of the author of [Varenyky] or whether the latter intended to monetize them through ‘sex extortion’ [a practice that involves extorting photos or videos of internet users],” the company wrote. But they “can be used for convincing blackmail”.
In particular, the authors of Varenyky have blackmailed internet users and launched a “sex extortion” campaign via email in July, but according to ESET, this “seems to have nothing to do with” their ability to record internet users’ screens.
The company noted that this “fairly common” and “widely documented” scam involves sending threatening messages to victims. The message indicates that its author hacked into the victim’s computer, recorded his navigation on the porn site, and filmed it via his webcam. The message threatened the victim to reveal the videos to his relatives and social networks unless he paid 750 euros in bitcoin. “Four payments have been made to the bitcoin address used for this scam,” ESET checked last week.
According to ESET, if the emails are not related to the ability to record screens, and if the company has no evidence that this ability has been exploited, it warns users that this could happen. With the ability to send spam emails, screen recordings and steal personal data, the malware’s authors have all the cards for effectively extorting victims.
The cybersecurity firm also insists that the software is “in full development”: “It has changed a lot since we first observed it.»
