Are you a regular Brazzers, PornHub visitor? A new malware is able to wait and start recording when you visit those sites

Extortion via the Internet has become a recurring problem for users with little knowledge of information security practices. In recent days, researchers at security firm ESET revealed the existence of Varenyky, a new malware that takes this practice to levels never seen before, as it has the ability to put millions of users in a compromising situation.

In the company’s report, it is claimed that Varenyky is able to monitor the activity of the infected device, lying dormant until the victim visits pornographic websites, then recording that activity to use the material as blackmail and obtain money. The first reports of this malware emerged last May in France, where most Varenyky infections have been concentrated; according to experts, the malware seems to be especially focused on attacking Orange’s customers on French territory.

According to the report, hackers deliver the malware using a malicious Microsoft Word file sent to Orange clients via email. “Once the user interacts with the attachment, a macro is run to verify that the user is in French territory, otherwise the malware is removed without leaving a trace on the targeted system.” The information security experts add: “Later, Varenyky connects to its command and control server to install the payload and steal passwords or even spy on the victim’s computer, using FFmpeg to spy on the screen when it detects an adult website activity.”

When the malware detects the use of words related to this type of content (PornHub, Brazzers, among many other keywords), the FFmpeg executable starts recording the user’s screen and sends the resulting file to the C&C server, exposing the victims to blackmail, a practice commonly called “sextortion”.
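The behaviour described above (a Word macro chain that ends with an FFmpeg binary recording the screen) leaves a recognisable trace in process-creation telemetry. The following Python script is an added detection example written for this page; it is not code from ESET’s report or from the malware. The log format (pid|ppid|image|cmdline), the sample lines, and the three indicators it scores (an FFmpeg screen-capture input device such as gdigrab on the command line, the binary living in a user-writable directory, and an Office process in the parent chain) are all assumptions chosen for the example, not details taken from the report.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation log lines (pid|ppid|image|cmdline), invented for
# this example; they are not telemetry from the ESET report.
SAMPLE_LOG = """\
100|1|C:\\Windows\\explorer.exe|explorer.exe
200|100|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\contest.docm"
300|200|C:\\Windows\\System32\\cmd.exe|cmd.exe /c start /b C:\\Users\\alice\\AppData\\Local\\Temp\\ffmpeg.exe
400|300|C:\\Users\\alice\\AppData\\Local\\Temp\\ffmpeg.exe|ffmpeg.exe -f gdigrab -framerate 5 -i desktop -t 60 C:\\Users\\alice\\AppData\\Local\\Temp\\rec.mp4
500|100|C:\\Program Files\\ffmpeg\\bin\\ffmpeg.exe|ffmpeg.exe -i holiday.mkv -c:v libx264 holiday.mp4
600|100|C:\\Users\\alice\\AppData\\Roaming\\Updater\\ffmpeg.exe|ffmpeg.exe -f gdigrab -i desktop out.mp4
700|100|C:\\Tools\\ffmpeg.exe|ffmpeg.exe -f gdigrab -i desktop demo.mp4
"""

# Office hosts that run document macros (assumed list for the example).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# FFmpeg's screen-capture input devices on Windows, X11 and macOS.
SCREEN_CAPTURE = re.compile(r"-f\s+(gdigrab|x11grab|avfoundation)\b", re.IGNORECASE)
# Directories an unprivileged user can drop a binary into.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def parse_log(text: str) -> Dict[int, dict]:
    """Index pipe-separated process events by pid."""
    events: Dict[int, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                            "image": image, "cmdline": cmdline}
    return events


def ancestor_images(pid: int, events: Dict[int, dict]) -> List[str]:
    """Lower-cased basenames of the parent chain, nearest parent first."""
    chain: List[str] = []
    seen = set()
    cur = events.get(pid)
    while cur and cur["ppid"] in events and cur["ppid"] not in seen:
        seen.add(cur["ppid"])  # guard against cycles in bad telemetry
        cur = events[cur["ppid"]]
        chain.append(ntpath.basename(cur["image"]).lower())
    return chain


def classify(event: dict, events: Dict[int, dict]) -> Optional[dict]:
    """Return a finding for an ffmpeg screen-capture process, or None."""
    if ntpath.basename(event["image"]).lower() != "ffmpeg.exe":
        return None
    if not SCREEN_CAPTURE.search(event["cmdline"]):
        return None  # plain transcoding is not screen recording
    reasons = ["screen-capture input device on command line"]
    severity = "low"
    if USER_WRITABLE.search(event["image"]):
        reasons.append("binary in user-writable directory")
        severity = "medium"
    if any(img in OFFICE_IMAGES for img in ancestor_images(event["pid"], events)):
        reasons.append("spawned under an Office process (macro chain)")
        severity = "high"
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}


def scan(text: str) -> List[dict]:
    """Run classify() over every event and return findings ordered by pid."""
    events = parse_log(text)
    findings = []
    for event in events.values():
        finding = classify(event, events)
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['severity']} - {'; '.join(f['reasons'])}")
```

On the constructed sample, pid 400 scores high (Office ancestor plus a binary in Temp), pid 600 medium (user-writable path only), and pid 700 low (a screen capture started by the user from a normal location), while the transcoding job at pid 500 is ignored. The severity tiers are the point: screen recording alone is legitimate software behaviour, and it is the combination with a macro-bearing document and a dropped binary that matches the chain the report describes.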

Operators of this campaign are sending more than a thousand spam emails every hour announcing a fake contest to win brand-new smartphones and other gadgets. In the message, the perpetrators ask victims for personal data such as their name or alternate email addresses; even payment card details have been requested. Hackers seem to do this with all potential victims, regardless of whether they obtain material for sextortion.

“This is a particularly intriguing attack variant, as it mixes practices such as phishing, information theft and online blackmail; in addition, the fact of focusing only on Orange users in France speaks of a very specific and well-structured cyberattack scheme, albeit for obvious reasons, the ability to spy on visits to pornographic sites by the victims is the most striking feature of Varenyky’s attacks,” information security specialists mention.

Although ESET researchers have confirmed that users infected with Varenyky could indeed become victims of sextortion, information security specialists from the International Institute of Cyber Security (IICS) say that, so far, there is no evidence that the campaign operators have released any embarrassing video of users’ pornography consumption habits in France.