Varenyky trojan records screens when users are on sex related websites

IT security company ESET has uncovered malicious spam campaigns distributing Varenyky malware that records screens when victims watch adult content online.


The spam campaigns seem to be primarily targeting customers of Orange S.A., a French telecommunications company. Varenyky, as named by ESET’s researchers, monitors infected computers and starts recording screens when users visit pornography websites. In addition to that, Varenyky also starts sending spam with links to malicious pages.

Sextortion scam emails have been landing in users’ inboxes for a while now. They claim to have videos of users watching adult content and threaten to expose pornography viewing habits unless users agree to pay money. While they caused a bit of a panic in the beginning, most users are now aware that this is nothing more than a scam and there are no videos. However, this new Varenyky trojan may make these sextortion emails much more serious.

How does Varenyky spread?

The malware seems to primarily target French users at the moment, Orange S.A. customers to be more precise. The trojan is distributed via malicious spam emails and is hidden in a file disguised as a bill or an invoice. The emails are pretty basic: they simply state that the attached file is a bill of €491.27. If the file is opened and its content is enabled (that is, macros are allowed to run), a Word macro checks whether French is the language set on the computer. If it is not, nothing happens and the malware is not installed. If the language is set to French, however, a spambot is downloaded and executed. Interestingly, the malware checks the language a second time and will not install on computers whose language is set to Russian or English.

It should be noted that the malicious spam emails distributing Varenyky are fairly easy to recognise as spam. The email is devoid of any personal information such as the user's name, and it refers to a bill the user has no recollection of. This should immediately raise red flags for many users. As a general rule, users should not download or open unexpected email attachments, particularly unsolicited ones.

Varenyky sends spam and records the screen while users visit adult websites

If the malware installs successfully, it connects to its command & control (C&C) server to receive instructions on what spam to send. The spam emails contain links that redirect users to scams, usually sites claiming that the visitor has won something.

The most worrying thing about this malware is its ability to start recording when users visit adult websites. The malware monitors the browser for windows with titles related to sex. The recording feature is triggered by words such as “sexe”, “porn”, “xxx”, “pornhub”, “xhamster”, etc. If a triggering word is detected, an FFmpeg executable is used to record the screen, and the recorded videos are sent to the C&C server.
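Because the recording is done by launching a separate FFmpeg binary, that process launch is something a defender can look for in endpoint telemetry. The following is an added example, not code from ESET or from the article; it assumes Sysmon-style process-creation fields (image, parent, command line) and, since the article does not say which FFmpeg flags Varenyky uses, treats FFmpeg's Windows screen-capture input (gdigrab / desktop) plus execution from user-writable directories as the suspicious signals.

```python
import re

# Constructed process-creation events (not real telemetry); the field names
# mirror Sysmon Event ID 1 but are an assumption for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" movie.mkv'},
    {"image": r"C:\Users\alice\AppData\Roaming\svc\ffmpeg.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
     "cmdline": r"ffmpeg.exe -f gdigrab -i desktop -t 60 C:\Users\alice\AppData\Local\Temp\cap.mp4"},
    {"image": r"C:\Tools\ffmpeg\bin\ffmpeg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ffmpeg.exe -i in.mov -c:v libx264 out.mp4"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\ffmpeg.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "cmdline": r"ffmpeg.exe -i in.wav out.mp3"},
]

# gdigrab is FFmpeg's screen-capture input device on Windows. Treating it as the
# trigger is an assumption: the article does not state the flags Varenyky passes.
SCREEN_CAPTURE = re.compile(r"-f\s+gdigrab\b|-i\s+desktop\b", re.IGNORECASE)
# Directories a user can write to without admin rights, where dropped tools tend to live.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Downloads\\", re.IGNORECASE)


def score_event(ev):
    """Return the reasons an event looks like covert screen recording (empty if benign)."""
    reasons = []
    if not ev["image"].lower().endswith("ffmpeg.exe"):
        return reasons  # only FFmpeg launches are of interest here
    if SCREEN_CAPTURE.search(ev["cmdline"]):
        reasons.append("ffmpeg invoked with a screen-capture input")
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("ffmpeg binary runs from a user-writable directory")
    if USER_WRITABLE.search(ev["parent"]):
        reasons.append("parent process runs from a user-writable directory")
    return reasons


def find_suspicious_recordings(events, min_reasons=2):
    """Return (index, reasons) for events matching at least min_reasons heuristics."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in find_suspicious_recordings(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}\n  " + "; ".join(why))
```

Requiring two indicators keeps a legitimate FFmpeg transcode launched from a shell out of the results, while a transcode run from a dropper in Temp still surfaces for review.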

“One of the most dangerous aspects is that it looks for specific keywords such as bitcoin and porn-related words in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server,” says Dorais-Joncas, ESET’s leading researcher.

It is not yet known what the people behind this malware will do with the videos, but it is not difficult to guess: the videos will most likely be used to extort money from victims. So while sextortion emails were generally just scams in the past, this might change in the future.

It should be noted that windows whose titles contain the word “bitcoin” also trigger the recording feature. Those recordings would likely be used to access cryptocurrency accounts and steal funds. Varenyky can also steal passwords, read text and take screenshots.