Orange you happy to be a customer? Spammy sextortion malware only targeted French ISP

Sextortion is bad. Malware is bad. Spam is bad. Unhappily for a French ISP's users, online crooks combined all three in a hideous attempt to extort cash with custom malware that records their on-screen doings, according to infosec researchers.

In a curious evolution of online attempts to scam people, the Varenyky malware being tracked by Slovakian anti-malware company ESET briefly included a screen-recording feature that scanned for particular pornography-related terms before recording what was on screen.

During a presentation at the company's HQ in Bratislava, ESET's Ondrej Kubovic described how the malware "was able to record what was going on on the screen. Not everything but when you opened the tab, specific keywords which were all explicit or sex-related."

Oddly, the malware was written so it would only target customers of the Orange ISP in France, Kubovic told The Register. Operating as part of what seemed to be a multi-stage extortion campaign, Varenyky steals passwords, spies on victims and receives command-and-control messages through Tor.

Varenyky, said Kubovic, is planted through any of the usual email phishing techniques intended to get the victim to click a link or attachment – perhaps pretending to be an invoice from a legitimate supplier. Once opened, the malicious attachment (which tends to be a Microsoft Office document) says it needs macros to be enabled; once the victim does that, the email payload downloads the real malware.

Once in place on the target device, the malware presents the threat text (saying the victim is in trouble with police, or has been filmed doing a private act, et cetera) along with a Bitcoin wallet address.

Kubovic commented that the extortion messages tended to contain "very technical language; RDP, keylogger, authority to access..." and general computing-related terms intended to convince non-techies that they had been comprehensively pwned by an adept attacker.

ESET analysed transactions going through the named Bitcoin wallet and figured out that 123 victims had made a total of 6.5 Bitcoins – around £40,000 – in extortion payments. 3.7 Bitcoins had been withdrawn from the wallets, meaning the criminals had successfully converted £23,000+ into real-world cash.

To speed up extortion payments, the malware authors included a QR code linking directly to the Bitcoin wallet.

"In the end they removed it, we don't know why," said Kubovic. "The only thing that is still missing is the video of yourself, the webcam access. When you look at the code, how Varenyky works, we can see the attackers have the time and money; they could update it and add this capability within days, weeks."

No, it's not a free phone giveaway

The spamming side of Varenyky is aimed at collecting credit card details. Victims receive an email promising them the latest mobile phone (say, a Samsung Galaxy S10+ or an iPhone X) and offering to sign them up for a prize draw.

Kubovic told us that the email links to a "webpage that presents you with a form and asks for your name, last name, email, credit card information. If you want to win this new smartphone, newest brand out there, if you want to win you need to send us $2 and verify it's coming from you."

Of course, it's a scam – and means the criminals have enough of your card details to start making false transactions.

Orange told us: "Orange teams are constantly mobilised to fight against different forms of unauthorised attacks such as these phishing attacks, which target all operators alike.

"The Group is continually monitoring its security systems to defend against the continual development and mutation of these different forms of cyberattacks." ®