• The threat actors behind the campaign used a malicious document attached to an email to spread the malware.
  • In this campaign, the malware only targets customers of Orange S.A., a French ISP.

A new spambot trojan dubbed Varenyky has been found targeting French users in a new sextortion scam campaign. Researchers have found that the malware is targeting only customers of Orange S.A., a French ISP in the campaign.

How does it propagate?

According to ESET researchers, Varenyky was first discovered in May 2019. The threat actors behind the campaign used a malicious document attached to an email to spread the malware. The email pretends to be a fake invoice bill, stating that a bill of €491.27 is available in the form of a Microsoft Word document.

In order to make it less suspicious, the email states that it requires a ‘human verification’ in order to open the document. Once the victim opens the document to enable the ‘human verification’, macros are enabled by default.

About the macros

The malicious macros serve two purposes:

  • The first is to filter out non-French victims based on their computers’ locale;
  • The second is to download and execute malware.

“The macro uses the function Application.LanguageSettings.LanguageID() to get the language ID of the victim’s computer. This ID contains the country and the language set by the user,” said the researchers in a blog post.

What are Varenyky’s characteristics?

Once installed, Varenyky’s first mission is to send spam to a victim’s mailbox. Then, it executes malicious commands on to the computer.

Researchers note that the malware includes a code that searches for the word ‘sexe’. Once it encounters such a word, it would use the FFmpeg library to record the users’ screen. This would basically happen if users visit an adult site in their browser.

The recorded video is then sent to the malware’s C2 server. Hackers can later use these videos to extort money from victims.

Worth noting

Researchers highlight that this spambot is interesting as it can steal passwords, spy on victims’ screen and communicate with the C2 server through Tor. Thus, users are recommended to be cautious while opening attachments from an unknown sender.

Cyware Publisher