Varenyky is the name of a trojan that operates as a spambot. Once installed, this malicious software records the victim’s screen when a website containing adult content, such as pornography, is being visited. The same applies to some pages with keywords related to sex.

Spambot

A spambot is a program designed to collect, or harvest, e-mail addresses from the Internet in order to build mailing lists for sending unsolicited e-mail, also known as spam. A spambot can gather e-mail addresses from web sites, newsgroups, special-interest group postings, and chat-room conversations.

History

A new spambot trojan targeting French users has been discovered that records a victim’s screen when they are using sites related to sex or pornography, including known pornographic sites.

We have all heard about the fake “sextortion” email scams that tell recipients that software has been installed which records them while they are on adult web sites. After a year of these emails being sent out, many people have come to recognize them as a scam.

In a new report released today by ESET, a new spambot is about to make things confusing, because it has been discovered to record your screen while you are on porn sites or pages with keywords related to sex.

This spambot is interesting because it can steal passwords and spy on its victim’s screen using FFmpeg when they watch pornographic content online; communication with the C&C server is done through Tor, while spam is sent as regular internet traffic. This article describes the functionality of the malware.

Varenyky Spambot Trojan Distribution

Varenyky was first seen in early May 2019. At this time we unfortunately cannot tell how it was distributed then, but the more recent email phishing distribution and its context suggest that the operator has been using this technique since the beginning.

Cybercriminals are known to distribute Varenyky through spam campaigns: they send emails with malicious files attached.

One example is a Microsoft Word document disguised as a bill (“facture”) or invoice. Once opened, it asks for permission to enable macro commands; by default, MS Office documents do not enable them without the user’s permission. If that permission is given, the malicious document downloads and installs the Varenyky spambot. Since Varenyky targets people in France, the document first checks whether the language configured in Windows is French; if not, the attachment does not install any malicious software.
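As an added example (not code from this page or from ESET), a mail-gateway style triage check for the kind of invoice-lure attachment described above: it flags a legacy Word document that carries VBA macro storage and uses an invoice-style filename. The OLE2 storage-name heuristic, the function names and the sample bytes are assumptions constructed here, not taken from the real sample.

```python
import re

# OLE2 (legacy .doc/.xls) compound-file signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored as UTF-16LE; these are the storage
# names Office uses for VBA projects. Heuristic assumption: their presence in
# the raw container means the document carries macros.
MACRO_MARKERS = tuple(name.encode("utf-16-le") for name in ("Macros", "VBA", "_VBA_PROJECT"))
# Invoice-lure filenames seen in this kind of campaign ("facture" is French for invoice).
LURE_PATTERN = re.compile(r"(facture|invoice|bill)", re.IGNORECASE)


def is_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def has_vba_storage(data: bytes) -> bool:
    """Heuristic: an OLE2 container whose raw bytes contain a VBA storage name."""
    return is_ole2(data) and any(marker in data for marker in MACRO_MARKERS)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict plus the reasons an attachment looks like a macro lure."""
    reasons = []
    if has_vba_storage(data):
        reasons.append("ole2-document-with-vba-macros")
    if LURE_PATTERN.search(filename):
        reasons.append("invoice-lure-filename")
    if filename.lower().endswith((".doc", ".docm", ".xls", ".xlsm")):
        reasons.append("macro-capable-extension")
    # Quarantine only when macros are actually present; an invoice-like name
    # alone is not enough, since legitimate invoices use the same words.
    verdict = "quarantine" if "ole2-document-with-vba-macros" in reasons else "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


# Constructed samples: an OLE2 header followed by a fake directory entry name.
SAMPLE_MACRO_DOC = OLE2_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00" * 8
SAMPLE_PLAIN_DOC = OLE2_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("53949248_facture-1.doc", SAMPLE_MACRO_DOC), ("report.doc", SAMPLE_PLAIN_DOC)):
        print(triage_attachment(name, blob))
```

In production the raw-byte search would be replaced by a proper OLE2 directory parser (for example the oletools library), but the decision logic stays the same.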

Once running, the trojan connects back to its command and control server over Tor to get instructions on what spam to send. These spam emails target customers of the French ISP Orange and contain links that redirect recipients to scam sites.

How to avoid Varenyky Spambot Trojan

To avoid installing Varenyky, do not open files attached to irrelevant emails. In our example the file is named “53949248_facture-1.doc”, but the attachment used to spread Varenyky could have different names. One way or another, if an email is sent from an unknown address, its content is irrelevant to you and it contains an attachment, it should be ignored. Use Microsoft Office 2010 or a later version; these versions have the “Protected View” mode, which helps prevent malware from being installed through documents. If you believe that your computer is already infected, we recommend running a scan with Spyhunter for Windows to automatically eliminate the infiltrated malware.

Instant Automatic Removal of Varenyky Spambot Trojan

Manual threat removal can be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended for getting rid of the Varenyky spambot.

Summary

Name: Varenyky Spambot
Threat Type: Trojan, Spambot, Screen Recorder
Hoax: Cyber criminals send an email that is supposed to contain an invoice or bill.
Attachment: 53949248_facture-1.doc
Detection Names (53949248_facture-1.doc): Arcabit (Trojan.Generic.D279ECFE), BitDefender (Trojan.GenericKD.41348350), ESET-NOD32 (VBA/TrojanDownloader.Agent.OAW), Kaspersky (HEUR:TrojanDownloader.MSOffice.SLoad.gen), Full List (VirusTotal)
Payload: Varenyky might be used to install the WebBrowserPassView or Mail PassView tools, which could be used to steal passwords.
Symptoms: Trojans are designed to stealthily infiltrate the victim’s computer and remain silent, so no particular symptoms are clearly visible on an infected machine.
Distribution Methods: Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage: Stolen banking information, passwords, identity theft, victim’s computer added to a botnet.
Removal: To eliminate the Varenyky spambot, malware researchers recommend scanning the computer with Spyhunter.