BRATISLAVA – ESET researchers have uncovered malware-distributing spam campaigns targeting people in France. The malicious payload, named Varenyky by ESET researchers, comes with several dangerous functionalities. Not only can Varenyky be used to send spam, but it can also steal passwords and can spy on its victims’ screens when they watch sexual content online.

The first spike in ESET telemetry for this bot came in May 2019, and after further investigation ESET researchers were able to identify the specific malware used in the spam’s distribution. “We believe the spambot is under intense development as it has changed considerably since the first time we saw it. As always, we recommend that users be careful when opening attachments from unknown sources and ensure system and security software are all up to date,” says Alexis Dorais-Joncas, leading researcher at the ESET R&D center in Montreal.

To first infect their targets, the Varenyky operators use spam with a malicious fake invoice attachment, which lures the victim into “human verification” of the document; after that the spyware executes the malicious payload. Varenyky exclusively targets French-speaking users located in France. The quality of language used to fool the user is very good, hinting that the operators are fluent in French.

After infection, Varenyky executes the Tor software that enables anonymous communication with its Command & Control server. From that point forward, criminal activity goes into full swing. “It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its Command & Control server on the computer,” says Dorais-Joncas. “One of the most dangerous aspects is that it looks for specific keywords such as bitcoin and porn-related words in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server,” he adds.

We have seen fake sextortion campaigns in the past, but this capability could very well lead to real sextortion campaigns. While at the beginning the Varenyky operators didn’t leverage this approach, they have started to embrace it since the end of July. Furthermore, the cybercriminals are relying on bitcoin to monetize their wrong.

“Another noteworthy functionality is that it is able to steal passwords through the deployment of an application that we label as potentially unsafe,” says Dorais-Joncas. Other commands allow the attacker to read text or take screenshots.

The spam emails sent by the bot take the victims to fake smartphone promotions, whose sole purpose is to phish for personal information and credit card details. A single bot can send as many as 1,500 emails per hour. Interestingly, the targets of all the spam runs we observed were all users of Orange S.A., a French internet service provider.

For more details on this research, read “Varenyky: spambot à la Française” on WeLiveSecurity.com and follow ESET research on Twitter.