It has long been true that sextortionists really had nothing on their intended victims. No video, no screen captures, nothing at all beyond shame and an uneasy conscience. Unfortunately there are some unpleasant signs that this may be changing.
ESET has discovered a spambot active against targets in France that appears to be carrying a payload with an unusual combination of functionalities.
The malicious campaign, which ESET calls “Varenyky,” contains both a password-stealer and a hidden desktop apparently arranged to capture a user’s screens while they’re viewing adult content, as flagged by a small set of keywords. Most recently the malware uses just one, the French word “sexe.”
The spambot-driven phishing campaign, which targets customers of the Orange S.A. ISP, takes a conventional and reliable approach. It emails a Word document pretending to be a bill, and it asks the user to take certain steps to authenticate the bill for their security. Those steps involve enabling malicious macros, which then install the malware.
The phishing scam is unusually convincing, written in idiomatic French and expressing signs of concern about user security. Varenyky’s controllers also take some pains to target only French users. Not only does it screen for the French language, but it also uses a locale identifier in Application.LanguageSettings.LanguageID() to screen out francophone users in countries other than France. Varenyky is not interested in anyone residing in Quebec, Belgium, or Senegal, nor, for that matter, in Lafayette or Lafourche, Louisiana.
Varenyky’s ability to catch users on adult sites is interesting, but this does not seem to be its principal purpose. That purpose is information stealing, and redirecting victims to a site that invites them to enter a credit card, which of course the site then steals. It has not yet been used, surprisingly, to embarrass users with their actual visits to adult sites.
But it has been used in conventional sextortion, delivering a bogus threat without the humiliating data to back it up. As ESET’s report puts it, “There are many functions related to possible extortion or blackmail of victims watching pornographic content, but despite having sent unrelated sextortion scam emails, the operator has not leveraged these as far as we can tell.
Many functions have been added and then quickly removed across many different versions in a short period of time (two months). This shows that the operators are actively working on their botnet and are inclined to experiment with new features that could bring a better monetization of their work.”
The sextortion emails even use a French version of the now-familiar English text, “You’re probably asking yourself why you’re receiving this at your OWN email address. Let me explain.”
So all that is old is new again. The shape-shifting forms social engineering can assume are best addressed with new-school security awareness training. You can no longer count on the scammers writing their emails in laughably bad French, and probably not in laughably bad English, either. We Live Security has the story: https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/