#privacy: Malware that can record computer screens discovered

A new malware has been discovered that is able to record the screen of an infected machine and identify a user who is viewing porn. 

Researchers at IT security company ESET, first observed the malware dubbed “Varenyky” in May 2019. A month later, researchers saw the first malicious document infecting a victim’s computer which had been attached to an email message. 

Following an investigation, it was found that the Malware distributed various types of spam. One of which led users to a survey which redirects them to a dodgy smartphone promotion, whilst another is a sextortion campaign.

A month after first being discovered, researchers had observed the first malicious document which was attached to an email message, infect a victim’s computer. The email, the filename of the document and the contents of it – stresses to the recipients that they have been sent a bill which needs to be open. 

The malware is targeting French users. Within the word document, the macro filters out non-French victims based on the location of someone’s computer as well as downloading and executing the malware. 

The researchers explained that “early versions of the malware could receive a command to download a file and execute it.” However it was noted that hackers constantly edit and add commands to the malware.

The most recent added command has the ability to conduct various tasks such as navigating menus, clicking on the screen, reading text, taking screenshots, minimising, restoring and maximising windows.

One feature that was spotted was that the malware would search for porn-related words in French in a user’s window, and subsequently records the computer screen which is then uploaded to the C&C server after it is recorded. 

“These videos could have been used for convincing sexual blackmail; a practice called sextortion. It’s unknown if these videos were recorded out of curiosity by the author(s) of the spambot or with an intention to monetize them through sextortion.”

However in July, the hackers did deploy a sextortion scam, which is sent via an email, and informs the victim that their computer has been infected as a result of watching porn. The hacker also claims that they have a video of the victim watching the porn.

The researchers concluded:

“This spambot is not very advanced, but the context and story around it make it interesting. We can assume from the fact that it targets France could indicate that the operator has some French understanding, reading or speaking the language, or maybe both. However, the Word document showed us a lack of attention in the operator’s work.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.