That ‘anonymous hacker’ who claims to have recorded you through your webcam while you were browsing an adult-themed website is almost certainly bluffing. Yet, following the discovery of malware designed to record its victims’ screens while they browse pornographic websites, that may not remain the case for much longer.
Researchers from cybersecurity firm ESET discovered the spam campaign, which targets French speakers, in May this year, and have been studying it since to understand what it does and its creator’s likely intentions.
The mass-spam campaign uses fake invoice attachments that the recipient is asked to verify. Opening the attachment executes a malicious payload, which installs the malware on the victim’s system.
The malware then downloads the Tor browser so that it can communicate anonymously with its Command & Control (C&C) server.
Named Varenyky by the researchers, the malware adds the system to a botnet used to send as many as 1,500 spam emails per hour advertising fake smartphone promotions. These emails link to phishing websites designed to trick victims into entering their credit card details. According to ESET, the emails target customers of the French internet service provider Orange S.A.
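A spambot pushing out on the order of 1,500 messages an hour leaves a very visible trace in outbound connection logs: a workstation that normally never speaks SMTP suddenly opens direct connections to hundreds of mail servers. The following Python script, added here as an illustration and not ESET’s code or any part of Varenyky, shows a simple hour-bucketed detection over such logs. The log format, host names and IP addresses are constructed for the example; the only figure taken from the article is the 1,500-per-hour rate, used as the default threshold with outbound SMTP connections as a proxy for messages sent.

```python
"""Rate-based detection of a Varenyky-style spambot from outbound connection logs.

Added example for this article, not ESET's code and not part of the malware.
Host names, IP addresses and the log format are constructed for illustration;
the 1,500-per-hour figure used as the default threshold is the spam rate
ESET reported for Varenyky.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}


def build_sample_log():
    """Constructed log: '<iso timestamp> <src host> <dst ip> <dst port>' per line."""
    base = datetime(2019, 8, 1, 10, 0, 0)
    lines = []
    # A clean workstation: a few HTTPS connections, no direct SMTP at all.
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} ws-paris-03 192.0.2.20 443")
    # The corporate relay legitimately sends lots of mail, so it must be allow-listed.
    for i in range(2000):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} mail-relay 198.51.100.5 25")
    # An infected workstation delivering spam straight to many MX hosts: 1,800 in one hour.
    for i in range(1800):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} ws-paris-07 203.0.113.{i % 200 + 1} 25")
    return lines


def parse_line(line):
    ts, host, dst, port = line.split()
    return datetime.fromisoformat(ts), host, dst, int(port)


def smtp_activity_per_hour(lines):
    """Bucket outbound SMTP connections by (host, hour): connection count and distinct destinations."""
    activity = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in lines:
        if not line.strip():
            continue
        ts, host, dst, port = parse_line(line)
        if port not in SMTP_PORTS:
            continue
        bucket = activity[(host, ts.replace(minute=0, second=0, microsecond=0))]
        bucket["connections"] += 1
        bucket["destinations"].add(dst)
    return activity


def flag_spambots(lines, threshold=1500, allowed_relays=("mail-relay",)):
    """Return {host: {"hour": ..., "connections": n, "distinct_destinations": m}} for every
    host, other than the allow-listed relays, whose direct SMTP volume in a single hour
    exceeds the threshold. Only the worst hour per host is kept."""
    flagged = {}
    for (host, hour), bucket in smtp_activity_per_hour(lines).items():
        if host in allowed_relays or bucket["connections"] <= threshold:
            continue
        current = flagged.get(host)
        if current is None or bucket["connections"] > current["connections"]:
            flagged[host] = {
                "hour": hour.isoformat(),
                "connections": bucket["connections"],
                "distinct_destinations": len(bucket["destinations"]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_spambots(build_sample_log()).items():
        print(f"{host}: {info['connections']} direct SMTP connections to "
              f"{info['distinct_destinations']} hosts in the hour starting {info['hour']}")
```

The distinct-destination count is the useful second signal: a legitimate relay talks to many MX hosts too, but a desktop that opens direct SMTP sessions to even a few dozen different mail servers in an hour is almost never doing so for a legitimate reason, so in practice the threshold for workstations can be set far below 1,500.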
Varenyky malware: A potential sextortion campaign?
More worryingly, Varenyky can record keystrokes on the infected system as well as the victim’s screen.
“One of the most dangerous aspects is that it looks for specific keywords such as bitcoin and porn-related words in the applications running on the victim’s system,” Alexis Dorais-Joncas, a leading ESET researcher, explained.
If these keywords are detected, Varenyky starts recording the user’s screen, and the recordings are then uploaded to the attacker’s Command & Control server.
While sextortion scams, in which a cybercriminal threatens to release compromising video footage of an individual unless a ‘ransom’ is paid, are largely empty threats, ESET says that Varenyky’s capabilities could “very well” lead to real sextortion attempts in the future.
ESET notes that, while the malware’s operators did not initially take this approach, they have embraced it since the end of July. Substantial changes to the spambot suggest that the campaign is still under “intense development”, and since the operators already rely on bitcoin extortion to monetise their activity, sextortion could very well be a technique they turn to next.
Cybercriminals are already making use of personal data compromised in past breaches to make their sextortion campaigns more believable, and ESET has seen evidence of payments being made to bitcoin wallets associated with such campaigns. Adding screen recordings to the mix would provide cybercriminals with another tool to convince their victims to hand over large amounts of money.
It goes without saying, but alongside its research ESET has issued a reminder to internet users to exercise caution when handling email, particularly messages from unknown senders.
“As always, we recommend that users be careful when opening attachments from unknown sources and ensure system and security software are all up to date,” Alexis Dorais-Joncas said.