New Virus Records Users of Adult Web Sites: Varenyky

No matter which antivirus your device runs, the rapid development of technology makes it easier to find a back door to steal information. A new virus found in May 2019 identifies users as they watch adult content, said Canadian cyber security company ESET.


The malware, called Varenyky, targets French users. It records the screen of the device while the person watches pornography. The malware enters the device through a spam bot (spam email) that, according to the company, has kept evolving to avoid removal from infected terminals.


Josep Albors, head of research and awareness at ESET Spain, said:


“Varenyky is meant for French users, more specifically, users of ISP Orange, and it has filters so it does not affect users from other countries. However, we cannot rule out that this or other similar threats reach other regions in the future.”



The malware uses the function Application.LanguageSettings.LanguageID to obtain the language ID of the victim’s computer. This ID encodes the country and language set by the user. The script checks whether the return value is 1036 in decimal (0x40C in hexadecimal), which, according to Microsoft, corresponds to France and French.


This effective method tricks automatic sample analyzers and avoids drawing attention, because it limits the computers on which the malware will install itself to those with this regional setting. Note that, by using this specific regional setting identifier, the malware excludes other French-speaking countries such as Belgium and Canada, which have their own identifiers.
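For defenders triaging macro-bearing documents, a locale gate like the one described above is itself a useful indicator. The following added example (not from the original article or from ESET) scans extracted VBA source for comparisons of LanguageID against a constant and decodes the locale; the sample macro, the function names and the msoLanguageIDUI argument are assumptions made for illustration.

```python
import re

# French locale identifiers (LCIDs) from Microsoft's locale ID list.
FRENCH_LCIDS = {
    0x040C: "fr-FR (France)",
    0x080C: "fr-BE (Belgium)",
    0x0C0C: "fr-CA (Canada)",
    0x100C: "fr-CH (Switzerland)",
}

# LanguageID(...) compared with a decimal (1036) or VBA hex (&H40C) literal.
GATE = re.compile(
    r"LanguageSettings\.LanguageID\s*\([^)]*\)\s*(?:<>|=)\s*(&H[0-9A-F]+|\d+)",
    re.IGNORECASE,
)

def parse_vba_int(literal):
    """Convert a VBA numeric literal (1036 or &H40C) to an int."""
    lit = literal.upper()
    return int(lit[2:], 16) if lit.startswith("&H") else int(lit)

def find_locale_gates(macro_source):
    """Return one finding per comparison of LanguageID with a constant."""
    findings = []
    for lineno, line in enumerate(macro_source.splitlines(), 1):
        code = line.split("'", 1)[0]  # ignore VBA comments
        for m in GATE.finditer(code):
            lcid = parse_vba_int(m.group(1))
            findings.append({
                "line": lineno,
                "lcid": lcid,
                "primary_lang": lcid & 0x3FF,  # 0x0C means French
                "sublang": lcid >> 10,         # 1 = France, 2 = Belgium, 3 = Canada
                "locale": FRENCH_LCIDS.get(lcid, "unknown"),
            })
    return findings

# Constructed sample: a harmless macro skeleton, not Varenyky's code.
# The msoLanguageIDUI argument is an assumption; the article does not name it.
SAMPLE_MACRO = """\
Sub AutoOpen()
    ' constructed sample for the scanner
    If Application.LanguageSettings.LanguageID(msoLanguageIDUI) = 1036 Then
        MsgBox "locale matched"
    End If
    If Application.LanguageSettings.LanguageID(2) <> &H80C Then Exit Sub
End Sub
"""

if __name__ == "__main__":
    for finding in find_locale_gates(SAMPLE_MACRO):
        print(finding)
```

A hit on a single locale is a reason to re-run the sample in a sandbox configured with that regional setting, since an analyzer left on its default locale will see no malicious behaviour.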


To infect victims’ devices, the cyber criminals send spam with an attached malicious file disguised as a fake structure. To open the file, the user must pass a verification step confirming they are not a robot, after which the spyware runs a dangerous component.


After the infection, Varenyky runs the Tor software, which allows anonymous communication with the cyber criminals’ server. “The threat sends two transmissions: one responsible for the spam email, and another one responsible for running the commands from the command server”, said experts from ESET.

This software is especially dangerous because it searches for keywords on the victim’s system, for instance Bitcoin or words related to sexual content. If it finds these words, Varenyky starts recording a video of the computer screen and then uploads the recording to the server.


“Another characteristic of this threat is that it can steal passwords by implementing a program we consider potentially dangerous”, added the researchers. “With the use of other malicious components, they can read the texts or take screen captures of the victim.”


After that, the device records every time the user enters a web page with adult content and sends the recording to his contacts. Albors says:


“The malware can record a video of what is happening on the victim’s system and then send it to the criminals. This is possible by downloading a tool called FFmpeg, which is open source. It allows, among many things, making said recording and then encoding it to occupy less space before being sent.”


The emails sent by the spam bot use fake actions involving smartphones as phishing, to steal personal information and credit card details. A spam bot can send more than 1,500 emails per hour.

ESET has registered several cases of sextortion involving French victims. Hackers contact users and ask for a ransom of €750 in Bitcoin in exchange for not sharing recordings in which the users are allegedly consuming pornography.


“We do not have exact numbers of the victims affected by this malware, although we do know that, until the publication date of this research, seven users agreed to pay the ransom in Bitcoins to the criminals”, explained Albors.


According to ESET, Varenyky records only the screen of the infected device, not the camera. They also explain that so far no content stolen through this malware has been published.


The email claims that its author, in this case the hacker, has gained access to the victim’s computer through a virus it picked up while on an adult web site. It also says the victim has a particular taste in pornography and that he, the hacker, has remote control over the device. It also claims to have recorded a split-screen video: one side showing the victim’s browser and the other the webcam (if it is on) at the moment of watching adult content.



In addition, it explains that the victim has 72 hours to pay before the video is sent to family members and colleagues or posted on Facebook, Twitter or other platforms. Furthermore, the message says that changing passwords, removing the virus, or sending the computer for repair or cleaning will do nothing, since the victim’s information is on a remote server. As “proof”, the victim can answer yes to the email so that the video is sent to six of the victim’s most valued contacts.


The email finishes with: “this is not a negotiable offer. Do not waste my time or yours. Think of the consequences of your actions.”


This spam bot is not very advanced, but the context and history around it make it interesting. We can assume that the attack being directed at France might indicate the hacker knows something about French: reads or speaks the language, in some cases both.


Several functions of Varenyky are related to possible extortion or blackmail of victims who consume pornographic content and, despite the malware also having sent emails not related to the sextortion campaigns, as far as is known, the hackers have not taken advantage of it.
