Varenyky spambot targets French users, records visited adult sites

The new trojan turns the host machine into a spambot that sends out malicious emails and records the screens of users who visit porn sites

The newly-discovered Varenyky trojan distributes spam and records users' screens as soon as they enter a porn site

Security researchers from ESET have observed a new malware strain dubbed Varenyky.[1] The first campaign was spotted in May 2019, when the infection rate among French users of the Orange S.A. ISP rapidly increased. As it turned out, the malware uses infected Windows computers to send out various types of spam that relate to dodgy smartphone promotion sites, and it also distributes sextortion scam emails.[2] The latter feature was introduced on the 22nd of July, which makes it the most recent one, although experts claim that the malware is constantly being changed and improved.

The ESET team found the malware particularly interesting because, besides its main feature of sending spam, Varenyky can also record users' screens as soon as they enter a pornographic website:

This spambot is interesting because it can steal passwords, spy on its victims’ screen using FFmpeg when they watch pornographic content online, and communication to the C&C server is done through Tor, while spam is sent as regular internet traffic.

The elaborate scam email campaign

While ESET researchers are not completely sure how the first infections took place, they speculate that financial phishing emails have been used to distribute the Varenyky trojan since the beginning. They soon found a sample of the spam email that carried the initial payload; it was written in French and included a .doc attachment (MS Word document).

The victims are actively urged to open the attachment, which is allegedly a bill for a certain amount of euros. Once opened, the document explains that it is protected and users need to verify that they are human. In reality, if they proceed with the instructions, they will be enabling the macro feature, which consequently allows infecting the machine with the trojan.

Researchers noted that the phishing email is cleverly executed and the body text sounds extremely convincing. Besides, the French language used is impeccable, without any of the grammar and spelling mistakes that are typical of an average scam email.[3]

Malware uses sophisticated language checking techniques to only infect French users

The malicious macro document has two functions: to deliver the trojan's payload and to check whether the keyboard of the victim is set to the French language. However, instead of using traditional checks, Varenyky relies on the following function to detect the keyboard language that the user chose when setting up the Windows operating system:

Application.LanguageSettings.LanguageID()

This allows the malware to exclude other French-speaking countries, such as Canada or Belgium – they use different identifiers. This behavior allows the trojan to avoid automatic sample analyzers and reduces the chances of being spotted by malware analysts.

Additionally, if the malware is delivered to English or Russian users, they are shown a pop-up that claims that the document is not available in the region. After that, the trojan simply exits the computer.
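An added triage example, not code from ESET's report or from the malware: it scans macro source text that has already been extracted from a document for comparisons on LanguageSettings.LanguageID and decodes the identifier, which shows why France, Belgium and Canada differ (same primary language, different sublanguage). The sample macro and the values it compares against are constructed; the identifiers themselves come from Microsoft's language-identifier table.

```python
import re

# Windows language identifiers (LANGID) from Microsoft's published table.
KNOWN_LANGIDS = {
    0x040C: "fr-FR (France)",
    0x080C: "fr-BE (Belgium)",
    0x0C0C: "fr-CA (Canada)",
    0x100C: "fr-CH (Switzerland)",
    0x0409: "en-US",
    0x0419: "ru-RU",
}

def split_langid(langid):
    """Return (primary_language, sublanguage): low 10 bits, then the next 6 bits."""
    return langid & 0x3FF, (langid >> 10) & 0x3F

# LanguageID(...) compared against a numeric literal (decimal or VBA &H hex).
GATE_RE = re.compile(
    r"LanguageSettings\s*\.\s*LanguageID\s*\([^)]*\)\s*(<>|=)\s*(&H[0-9A-Fa-f]+|\d+)",
    re.IGNORECASE,
)

def find_locale_gates(macro_source):
    """List (line_no, operator, langid, label) for each locale comparison found."""
    hits = []
    for no, line in enumerate(macro_source.splitlines(), 1):
        code = line.split("'", 1)[0]  # drop VBA comments (naive: ignores quotes in strings)
        for m in GATE_RE.finditer(code):
            lit = m.group(2)
            value = int(lit[2:], 16) if lit.upper().startswith("&H") else int(lit)
            hits.append((no, m.group(1), value, KNOWN_LANGIDS.get(value, "unknown")))
    return hits

# Constructed sample input: not Varenyky's macro; the compared values are assumed.
SAMPLE_MACRO = """Sub CheckRegion()
    ' LanguageSettings.LanguageID(1) = 1033 inside a comment must not match
    If Application.LanguageSettings.LanguageID(msoLanguageIDUI) <> 1036 Then
        Exit Sub
    ElseIf Application.LanguageSettings.LanguageID(msoLanguageIDUI) = &H80C Then
        Exit Sub
    End If
End Sub
"""

if __name__ == "__main__":
    for hit in find_locale_gates(SAMPLE_MACRO):
        print(hit, split_langid(hit[2]))
```

A macro that compares this value against a single regional identifier is worth flagging during triage, since a sandbox configured for another locale will see none of the document's later behaviour.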

The primary functionality of Varenyky is to deliver spam

Once installed, the malware performs a variety of system changes to gain persistence and start sending spam. Additionally, it establishes a connection with the Command & Control[4] server, reached via a Tor address, to take commands from the attackers. This way, hackers could execute PowerShell commands, download and install executables, and uninstall the malicious payload.

In the later stages of the campaign, the PowerShell script command was removed and a new feature was added: Varenyky would employ NirSoft's WebBrowserPassView and Mail PassView tools to steal email and other passwords, which are later sent to the attackers' remote server.

The latest malware version uses the FFmpeg executable to start recording the screen as soon as the word “sexe” appears in the title of the browser window. Soon after, the recordings are also sent to the Command & Control server. It is not yet known what the purpose of such videos is, but researchers believe that they could be used for sextortion scams later.

However, the primary goal of the malware currently seems to be sending spam emails from the infected user's machine. The recipients are often directed to scam sites such as “Congratulations, you won,” “Win an iPhone X,”[5] and similar, where they are promised an expensive gift, which is allegedly sent out as soon as users provide personal information such as credit card details.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
