
Spambot Targets France: ‘Bitcoin’ and Porn-Related Keywords Trigger Screen Recording

TL;DR: Slovakia-based cybersecurity company ESET published an in-depth examination of a spambot scheme they’ve named Varenyky, which can “scan the title of the open windows on the computer. If the malware found a porn-related word in French or the word ‘bitcoin’ in the title of a window, it sent the window’s title to its C&C server.”   


In “Varenyky: Spambot à la Française,” ESET researchers document malware-distributing spam campaigns targeting people in France. The malware steals passwords and spies on users’ screens as they view sexually explicit content. Researchers “observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, we identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.”

The timeline begins in May of this year, when the ESET team discovered the spambot, noting that not much fuss was initially made about it. By late July, however, “researchers saw it launch its first sextortion scam campaign,” stealing passwords, spying “on its victims’ screen using FFmpeg when they watch pornographic content online, and communication to the C&C server is done through Tor, while spam is sent as regular internet traffic,” the report explains.
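The combination described above, a Tor client plus FFmpeg screen capture on the same machine, is something a defender can hunt for in process-creation logs. The following is an added example, not code from ESET's report or from this article; the event layout, host names, paths and the use of FFmpeg's `gdigrab` capture input as the screen-recording indicator are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, image path, command line).
# None of these values come from the ESET report.
SAMPLE_EVENTS = [
    ("PC-01", r"C:\Program Files\ffmpeg\bin\ffmpeg.exe", "ffmpeg -i in.mp4 out.webm"),
    ("PC-02", r"C:\Users\alice\AppData\Roaming\svc\tor.exe", "tor.exe -f torrc"),
    ("PC-02", r"C:\Users\alice\AppData\Roaming\svc\ffmpeg.exe",
     "ffmpeg.exe -f gdigrab -i desktop out.mkv"),
    ("PC-03", r"C:\Users\bob\Downloads\ffmpeg.exe", "ffmpeg.exe -i talk.mov talk.mp4"),
    ("PC-04", r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
     "ffmpeg -f gdigrab -i desktop demo.mp4"),
]

# Directories an unprivileged user (or a macro-dropped payload) can write to.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I)
# gdigrab is FFmpeg's Windows desktop-capture input device.
SCREEN_GRAB = re.compile(r"-f\s+gdigrab\b", re.I)


def score_hosts(events):
    """Return {host: sorted indicator names} for hosts with any indicator."""
    seen = defaultdict(set)
    for host, image, cmdline in events:
        name = image.rsplit("\\", 1)[-1].lower()
        writable = bool(USER_WRITABLE.search(image))
        if name == "tor.exe" and writable:
            seen[host].add("tor-from-user-path")
        if name == "ffmpeg.exe" and SCREEN_GRAB.search(cmdline):
            seen[host].add("ffmpeg-screen-capture")
            if writable:
                seen[host].add("ffmpeg-from-user-path")
    return {host: sorted(reasons) for host, reasons in seen.items()}


def alerts(events):
    """Alert only when Tor and screen capture co-occur on one host,
    so a user who records a demo with FFmpeg alone is not flagged."""
    return sorted(
        host for host, reasons in score_hosts(events).items()
        if "tor-from-user-path" in reasons and "ffmpeg-screen-capture" in reasons)


if __name__ == "__main__":
    for host in alerts(SAMPLE_EVENTS):
        print(host, score_hosts(SAMPLE_EVENTS)[host])
```
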


They also described the threat as ongoing and the bot as “under intense development,” recommending that online surfers, in France especially, develop a healthy skepticism toward opening attachments and keep their software up to date. Varenyky’s infection comes by way of a false invoice in need of human verification, which triggers the malware’s payload; the malware then runs Tor software to communicate anonymously with its command-and-control (C&C) server.

Researchers were critical of the spambot’s design, calling it “not very advanced,” suggesting “the Word document showed us a lack of attention in the operator’s work. In the macro, the operator forgot to change the value of the test_debug variable, which means that the malware will be downloaded whatever the language ID is (French or not French).” The good news is “despite having sent unrelated sextortion scam emails, the operator has not leveraged these as far as we can tell,” though “functions have been added and then quickly removed across many different versions in a short period of time (two months). This shows that the operators are actively working on their botnet and are inclined to experiment with new features that could bring a better monetization of their work,” ESET warned.

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH. 
