Antivirus maker ESET has discovered a new Windows malware strain that uses infected computers to send out spam campaigns. However, one of this malware’s most peculiar features is a hidden function that records the victim’s desktop when the user visits an adult website.
Named Varenyky, the malware emerged in May this year, and has only been active in France, ESET said.
Primary feature is sending out spam
The group behind Varenyky uses spam emails carrying malicious invoices to infect users. Once on a host, the malware’s primary purpose is to send out spam of its own.
The outgoing spam, targets French users, and only customers of Orange S.A., a French ISP.
For most of the malware’s lifetime, the spam it sent out has usually been emails promoting links to dodgy smartphone promotions. However, in late July, the Varenyky malware also started sending out sextortion emails.
In these emails, the Varenyky malware operators claimed they infected users computers and had recorded them while visiting adult sites. This is false — in a way.
It is false because the malware did not record the recipients of those random emails. It is true because the malware does record users visiting adult sites.
Hidden feature records users on adult sites
ESET researchers said the malware includes code that watches windows titles for the word “sexe” and then, using the FFmpeg library, records the user’s screen. In theory, this function should trigger when a user visits a sex-related site in their browser.
The recorded video is then sent to the malware’s command and control server, located on the Tor network.
What the malware does with these videos is unknown. ESET says Varenyky is still under development, as new features are added and old features are removed at a very rapid pace.
Because of this constant churn of features, it’s unclear what the Varenyky group wants from harvesting these videos.
It may be that sometime in the future, the Varenyky users might actually try to extort users for money using real recordings of victims visiting adult sites.
Furthermore, the Varenyky team will certainly be able to tie each of the recordings to users’ real life identities. This is because the Varenyky malware also includes another hidden feature that extracts usernames and passwords from the victim’s browser and email client, which it also sends to its Tor-based command and control server. If it would ever need to extort a user, it would know exactly where it needs to send that recording.
This is certainly a malware operation that everyone is gonna keep an eye on.
For a technical breakdown of all the malware’s ins and outs, check out the ESET Varenyky report.
Related malware and cybercrime coverage: