skip to Main Content

Varenyky, a new spambot for sextortion scam campaigns in France

ESET: It’s dubbed Varenyky and it’s a new Spambot Trojan targeting people in France when they are using sites related to sex, pornography, and known pornographic sites

It’s dubbed Varenyky and it’s a new Spambot Trojan targeting people in France when they are using sites related to sex, pornography, and known pornographic sites. It has been discovered by ESET cyber security experts. The malware distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The targets are the users of Orange S.A.. Cybercrime is developing the spambot, as it changed a lot since the first time the researchers saw it. Now it can steal passwords, spy on its victims’ screen using FFmpeg when they watch pornographic content online, and communication to the C&C server is done through Tor, while spam is sent as regular internet traffic.

There cyber security experts: The malware is spread through email phishing

According to the cyber security experts, Varenyky was seen for the first time early in May 2019. At this time, ESET researchers unfortunately cannot tell how it was distributed, but the more recent email phishing distribution and context suggest that the cybercrime operator has been using this technique since the beginning. One month later, in June 2019, they saw the first malicious document that initiates the infection of the victim’s computer, attached to an email message. That email states that a bill of €491.27 is available and attached. The Microsoft Word document filename contains the word “facture” which is a French word for “bill”. 

Cybercrime has “protected” the content of the documents to reinforce the lure

When the victim opens the document, it states that the document is protected by Microsoft Word and “requires human verification”. The content of the document explains how to enable the “human verification”, which, in fact, is how to enable macros. For security purposes, Word macros are not enabled by default and need user interaction to execute. Overall, the email text content, the document’s filename and the “protected” content of the document emphasize to the recipients that they are dealing with a real bill and that they should open it. The quality of the French is very good; overall, the document is convincing.

The spambot targets only the French. There are many controls to filter out all the other countries

The malware at the moment targets only the French. The macro contained in the Word document has two purposes: the first is to filter out non-French victims based on their computers’ locale and the second is to download and execute Varenyky. The macro uses the function Application.LanguageSettings.LanguageID() to get the language ID of the victim’s computer. The script checks if the value returned corresponds to France and the French language. According to ESET cyber security experts, this is a good trick to fool automatic sample analyzers and to avoid drawing attention because of the limited number of computer configurations on which this malware will be installed. Moreover, by using this specific locale identifier, it excludes French-speaking countries other than France such as Belgium and Canada, which have their own identifiers. It also make verifications to filter out people with a keyboard layout in English or Russian.

Back To Top