Researchers at ESET have discovered malware-distributing spam campaigns targeting people in France.
Dubbed Varenyky, the malicious payload comes with several dangerous functionalities. Not limited to the sending of spam, it can also steal passwords and even spy on victims’ screens while they watch sexual content online.
The first spike in ESET telemetry for this bot came in May 2019, and after further investigation, researchers were able to identify the specific malware used in the spam’s distribution.
“We believe the spambot is under intense development as it has changed considerably since the first time we saw it. As always, we recommend that users be careful when opening attachments from unknown sources and ensure system and security software are all up to date,” said Alexis Dorais-Joncas, lead researcher at the ESET R&D center in Montreal.
As explained in an ESET blog post, Varenyky first infects victims – exclusively French-speaking users in France – with a fake invoice that lures the target into completing a “human verification” step on the document. Once the victim does so, the malicious payload executes.
After infection, Varenyky executes Tor software, which enables anonymous communication with its command-and-control (C&C) server.
“It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its command-and-control server on the computer,” Dorais-Joncas explained. “One of the most dangerous aspects is that it looks for specific keywords, such as bitcoin and porn-related words, in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server,” he added.
ESET explained that, interestingly, the targets of all the spam runs observed were users of Orange S.A., a French internet service provider.