BRATISLAVA, August 8, 2019 – ESET researchers have uncovered malware-distributing spam campaigns targeting people in France. The malicious payload, named “Varenyky” by ESET researchers, comes with several dangerous functionalities. Not only can Varenyky be used to send spam, but it can also steal passwords and can spy on its victims’ screens when they watch sexual content online.
The first spike in ESET telemetry for this bot came in May 2019. After further investigation, ESET researchers were able to identify the specific malware used in the spam’s distribution. “We believe the spambot is under intense development as it has changed considerably since the first time we saw it,” said Alexis Dorais-Joncas, lead researcher at the ESET R&D center in Montreal. “As always, we recommend that users be careful when opening attachments from unknown sources and ensure system and security software are all up to date.”
To first infect their targets, the Varenyky operators use spam with a malicious fake invoice attachment, which lures the victim into “human verification” of the document. After that, the spyware executes the malicious payload. Varenyky exclusively targets French-speaking users located in France. The quality of language used to fool the user is very good, hinting that the operators are fluent in French.
After infection, Varenyky executes the Tor software that enables anonymous communication with its Command & Control server. From that point forward, criminal activity goes into full swing. “It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its Command & Control server on the computer,” said Dorais-Joncas. “One of the most dangerous aspects is that it looks for specific keywords such as bitcoin and porn-related words in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server.”
We have seen fake sextortion campaigns in the past, but this capability could very well lead to real sextortion campaigns. While at the beginning the Varenyky operators didn't leverage this approach, they have started to embrace it since the end of July. Furthermore, the cybercriminals are relying on bitcoin to monetize their wrong.
“Another noteworthy functionality is that it is able to steal passwords through the deployment of an application that we label as potentially unsafe,” says Dorais-Joncas. Other commands allow the attacker to read text or take screenshots.
The spam emails sent by the bot take the victims to fake smartphone promotions, whose sole purpose is to phish for personal information and credit card details. A single bot can send as many as 1,500 emails per hour. Interestingly, the targets of all the spam runs we observed were all users of Orange S.A., a French internet service provider.
For more details on this research, visit WeLiveSecurity.com and follow ESET research on Twitter.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.