Watch porn? New malware waits until you visit porn site, then starts recording
The Varenyky spambot starts recording your screen whenever you visit a porn website.
Last week, security researchers at ESET published their findings on a strain of malware that pushes the trend of sextortion to a whole new level. According to the researchers, Varenyky, as its discoverers have named the malware, monitors activity on infected computers while lying dormant and, as soon as you visit a pornographic site, starts to record.
According to the researchers, Varenyky was first discovered in May, when a malware strike was observed in France. The twist here is that, as of now, the malware is designed to target only French computer users, with Varenyky aimed at customers of Orange.
The malware is delivered by sending Orange customers a fake invoice, a Microsoft Word document, as an email attachment. As Forbes explains, “When those documents are opened, a macro is executed which ensures the computer and its user are indeed French, if not the malware slips away with no damage done. But if the targeted computer ticks its boxes, Varenyky checks back with its C&C to determine what elements of malware to download, executing further macros to install software that can "steal passwords and spy on victims’ screens using FFmpeg when they watch pornographic content online."”
When certain keywords or websites (including but not limited to PornHub, YouPorn, Brazzers and more) are detected, “the malware records a computer’s screen using an FFmpeg executable—the recorded video is then uploaded to the C&C server." The major risk here is advanced forms of sextortion or blackmail. As of now, the campaign appears to target French users in general, but there is scope for it to target specific individuals.
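For defenders, the two observable stages described above (a Word macro launching further software, then an FFmpeg executable recording the screen) can be triaged from process-creation logs. The following is an added example, not code from ESET, Forbes or the original article; it assumes Sysmon-style field names, an unrenamed `ffmpeg.exe`, and FFmpeg's `gdigrab` desktop-capture input, none of which the article specifies, and all sample paths and events are constructed.

```python
import ntpath

# Constructed process-creation records (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c start helper.exe"},
    {"Image": r"C:\Users\a\AppData\Roaming\example\ffmpeg.exe",
     "ParentImage": r"C:\Users\a\AppData\Roaming\example\helper.exe",
     "CommandLine": r"ffmpeg.exe -f gdigrab -framerate 5 -i desktop out.mp4"},
    {"Image": r"C:\Program Files\VideoTool\ffmpeg.exe",
     "ParentImage": r"C:\Program Files\VideoTool\editor.exe",
     "CommandLine": r"ffmpeg.exe -i clip.mov -c:v libx264 clip.mp4"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCREEN_GRAB_INPUTS = {"gdigrab"}  # assumption: FFmpeg's Windows desktop-capture device
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def input_formats(command_line):
    """Return the values passed to FFmpeg's -f option, lower-cased."""
    tokens = command_line.lower().split()
    return {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-f"}


def classify(event):
    """Return the list of findings for one process-creation event."""
    image = event["Image"].lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    findings = []
    # An Office application starting a non-Office process is typical of macro droppers.
    if parent in OFFICE_APPS and ntpath.basename(image) not in OFFICE_APPS:
        findings.append("office-spawned-child")
    # FFmpeg reading from a desktop-capture device means the screen is being recorded.
    if ntpath.basename(image) == "ffmpeg.exe":
        if input_formats(event["CommandLine"]) & SCREEN_GRAB_INPUTS:
            findings.append("ffmpeg-screen-capture")
            if any(part in image for part in USER_WRITABLE):
                findings.append("ffmpeg-in-user-writable-path")
    return findings


def triage(events):
    """Map event index to findings, keeping only events that matched a rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["Image"], findings)
```

The ordinary transcoding job in the third event is not flagged, so legitimate FFmpeg use by video tools does not raise an alert.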
As many as 1500 spam emails have been sent per hour, with the focus being on "win a smartphone competitions—an iPhone X, a Galaxy S9 or S10." Initially, the victim of this sextortion racket is asked for personal information, and the requests then progress to other information such as credit card details. This is a broad-brush approach, and nothing indicates that it is related to the video capture on sex sites.
Forbes states, “Varenyky is interesting because of its specific national targeting and its mix of credential theft and sextortion campaigning. The triggered screen recording, though, is grabbing the headlines. Not because of this particular campaign—there is no evidence of the videos having been used maliciously yet, but because it's a nasty twist on a theme, and we can expect to hear more about it. As ESET warns, "this shows that operators are inclined to experiment with new features that could bring a better monetization of their work."”
ESET warns that Varenyky has many functions "related to possible extortion or blackmail of victims watching pornographic content." The hackers behind the malware are also said to already be in the sextortion business even though, as of now, the videos haven’t been used.