At the end of last week, ESET’s security researchers disclosed the discovery of a new strain of malware that takes the trend for sextortion to a new level. Varenyky, as the malware was named by its finders, monitors the activity on infected computers, watching until a pornographic website is visited, and then starts recording the screen.
According to the ESET team, Varenyky first came to light in May, when a malware spike was identified in France. And this is the other twist with Varenyky—it has been designed to specifically target French computer users. For now.
Varenyky is aimed at Orange customers in France, arriving as fake invoices attached to emails as Microsoft Word documents. When one of those documents is opened and its macro runs, the macro first checks that the computer and its user are indeed French; if they are not, the malware quietly exits and does no damage. But if the targeted computer ticks the right boxes, Varenyky checks back with its C&C server to determine which components to download, fetching and executing further modules that can “steal passwords and spy on victims’ screens using FFmpeg when they watch pornographic content online.”
When trigger keywords (a myriad of common and more specialised sexual terms) or websites (including YouPorn, PornHub and Brazzers) are detected, “the malware records a computer’s screen using an FFmpeg executable—the recorded video is then uploaded to the C&C server.” The clear risk is sextortion on a new level, or outright blackmail, backed by real footage rather than a bluff. And while the current campaign appears relatively indiscriminate (within France, at least), the same capability could just as easily be pointed at specific individuals.
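As an added example for this page (not code from the article, from ESET or from the malware itself), the following Python snippet shows how a defender might express the chain described above, a Word macro spawning a shell, then an FFmpeg binary launched from a user-writable directory to capture the desktop, as process-creation detection rules, and run them over a few constructed Sysmon-style events. The event format, the file paths and the assumption that the dropped FFmpeg is invoked with FFmpeg’s standard Windows screen-grab options (`-f gdigrab -i desktop`) are mine; the article does not give the actual command line.

```python
"""Illustrative detection for the process chain described in the article: a Word
macro spawning a shell or downloader, then an FFmpeg binary launched from a
user-writable directory to record the desktop. This is an added example written
for this page; it is not ESET's detection logic and not code from the malware.
The event records, field names and file paths below are constructed. The FFmpeg
arguments matched ('-f gdigrab ... -i desktop') are FFmpeg's real Windows
screen-capture options; that the malware used exactly those flags is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office binaries whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Living-off-the-land tools a macro typically uses to fetch and run a payload.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

# Directories an unprivileged user (and therefore a macro) can write to.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\", re.I)

# FFmpeg's Windows screen-grab input device and the "desktop" pseudo-input.
SCREEN_GRAB = re.compile(r"-f\s+gdigrab\b.*-i\s+desktop\b", re.I)


@dataclass
class ProcEvent:
    """Minimal Sysmon-style process-creation record (constructed format)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the detection labels that apply to one event (empty if benign)."""
    findings = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
        findings.append("office_spawns_shell")
    if parent in OFFICE_PARENTS and USER_WRITABLE.search(ev.image):
        findings.append("office_launches_from_user_writable")
    if image == "ffmpeg.exe" and SCREEN_GRAB.search(ev.command_line):
        findings.append("ffmpeg_screen_capture")
        if USER_WRITABLE.search(ev.image):
            findings.append("ffmpeg_from_user_writable")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that trips at least one rule."""
    hits = {}
    for idx, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits[idx] = findings
    return hits


# Constructed sample telemetry, roughly in the order the article describes.
SAMPLE_EVENTS = [
    # 0: the user opens the fake invoice; nothing wrong yet
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\facture.doc"'),
    # 1: the macro launches a shell to fetch the payload
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell -w hidden -c "<download and run payload>"'),
    # 2: a dropped ffmpeg binary records the desktop from a temp directory
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Local\Temp\ffmpeg.exe",
              r"ffmpeg.exe -f gdigrab -framerate 10 -i desktop -t 60 "
              r"C:\Users\alice\AppData\Local\Temp\rec.mp4"),
    # 3: a legitimate transcode by a properly installed ffmpeg (no screen grab)
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
              r"ffmpeg.exe -i holiday.mov -c:v libx264 holiday.mp4"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), findings)
```

The fourth sample shows why the rules are layered: FFmpeg doing a screen grab is not malicious on its own (ordinary screen-recording tools do the same), but FFmpeg running from a user’s temp directory shortly after Word spawned a shell is exactly the sequence worth paging on.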
The spam emails, sent at rates of up to 1,500 per hour, focus on “win a smartphone” competitions (an iPhone X, a Galaxy S9 or S10). The victim is asked for personal information and then, as the scam progresses, for credit card details as well. None of this is related to the video capture of sex sites; it is a broad-brush approach.
Varenyky is interesting because of its specific national targeting and its mix of credential theft and sextortion campaigning. The triggered screen recording, though, is grabbing the headlines: not because of this particular campaign (there is no evidence yet of the videos having been used maliciously) but because it is a nasty twist on a theme, and we can expect to hear more about it. As ESET warns, “this shows that operators are inclined to experiment with new features that could bring a better monetization of their work.”
A week ago, I reported that phishing defense specialist Cofense had published more than 200 million email addresses that the company says are “being targeted by a large sextortion scam.” You can actually search the database for your own email address here. The usual sextortion concept of operations is to take credentials from earlier breaches (user names and passwords) and include them in a large-scale mail-out that tries to trick account holders into believing they have been compromised, with the leaked password used as the convincer. It’s a numbers game: small percentages returning lucrative rewards.
Now there is the potential for the use of video as a twist on what we have seen before—shades of Black Mirror episodes coming to life.
And so, the usual advice pertains. Don’t fall for scam promotions. Think before you click on attachments from unfamiliar senders, and never enable macros in a document you were not expecting; an invoice that insists you “enable content” before it will display is itself the warning sign. Don’t share personal information and definitely don’t share credit card details. And always keep your software and virus protection up to date.
There are many functions of Varenyky, ESET warns, “related to possible extortion or blackmail of victims watching pornographic content.” And the hackers behind the malware are already in the sextortion business even though the videos have not yet been used. ESET reports that Varenyky “is under heavy development and it has changed a lot since the first time we saw it,” which suggests functionality and sophistication will increase.
What we know for sure, though, is that this malware is now out there, and so the risk is very real.