Malware campaign traps and blackmails child exploiters

A new malware campaign is targeting child exploiters, luring them into a trap in order to extort them.

Since 2012, threat actors have been creating a variety of malware and ransomware that pretends to be government agencies, warning infected Windows users that they were watching CSAM. The malware tells the victims that they have to pay a "penalty" to prevent their information from being sent to law enforcement authorities.

One of the first "modern" malware campaigns, called Anti-Child Porn Spam Protection or ACCDFISA, used this blackmail tactic in conjunction with initially locking Windows desktops and encrypting files.

Other malware families pretending to be law enforcement authorities soon followed, issuing fines for watching CSAM, such as Harasom, Urausy and the Reveton trojans.

Last week, the cybersecurity researcher MalwareHunterTeam shared a sample of a malware executable called "CryptVPN", which uses similar blackmail tactics.

However, this time, instead of targeting innocent people, the malware developer is targeting child exploiters and those actively seeking child pornography.

The malicious actors created a website imitating UsenetClub, a subscription service for "uncensored" access to images and videos taken from Usenet.

Usenet is an online discussion platform that allows people to discuss various topics in "discussion groups" to which they subscribe. While Usenet is used for legitimate discussion on a wide range of topics, it is also a well-known source of child pornography.

The fake website created by the malware campaign pretends to be UsenetClub and offers three subscription levels for the site's content in order to trap child exploiters. The first two are paid subscriptions ranging from $69.99 per month up to $279.99 per year. However, a third option claims to provide free access after installing free software called "CryptVPN" and using it to access the website.

Clicking the "Download & Installation" button downloads a file named CryptVPN.zip from the website which, when extracted, contains a Windows shortcut called "CLICK-HERE-TO-INSTALL".

This file is a shortcut to the PowerShell.exe executable, with arguments that download the CryptVPN.exe executable, save it to C:\Windows\Tasks.exe, and execute it.
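As an added example (not from the original article or the researcher it cites), the Python code below shows how a defender could flag archives that carry a Windows shortcut referencing PowerShell and a URL, the delivery pattern described above. The `.lnk` extension, the `example.invalid` URL, the size limit and all function names are assumptions, and the sample archive is constructed and inert.

```python
import io
import re
import zipfile

# Shell Link header: HeaderSize (0x4C) followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
MAX_MEMBER_SIZE = 1 << 20  # skip members whose declared size is larger


def inspect_lnk(data):
    """Return indicators found in a shortcut, or None if data is not a .lnk."""
    if not data.startswith(LNK_MAGIC):
        return None
    # Shortcut strings may be ANSI or UTF-16LE, at even or odd offsets.
    text = "\n".join((
        data.decode("latin-1"),
        data.decode("utf-16-le", "ignore"),
        data[1:].decode("utf-16-le", "ignore"),
    ))
    return {
        "powershell": "powershell" in text.lower(),
        "urls": sorted(set(URL_RE.findall(text))),
    }


def scan_zip(zip_bytes):
    """List shortcuts in an archive that reference PowerShell and a URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            result = inspect_lnk(zf.read(info))
            if result and result["powershell"] and result["urls"]:
                findings.append({"name": info.filename, **result})
    return findings


def build_sample_zip():
    """Constructed test archive; the shortcut body is inert placeholder text."""
    args = ("PowerShell.exe <arguments elided> "
            "https://example.invalid/CryptVPN.exe C:\\Windows\\Tasks.exe")
    lnk = LNK_MAGIC + b"\x00" * 56 + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CLICK-HERE-TO-INSTALL.lnk", lnk)
        zf.writestr("readme.txt", "constructed benign file")
    return buf.getvalue()
```

Members are identified by the Shell Link header rather than by file name, so a renamed shortcut inside the archive is still inspected.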

The malware executable is packed with UPX, but when unpacked, it contains a PDB string indicating that the author named the malware "PedoRansom".

There's nothing special about the malware itself: all it does is change the target's wallpaper to a blackmail message and place a ransom note named README.TXT on the desktop, blackmailing child exploiters.

The blackmail continues by stating that the person must pay $500 to the Bitcoin address bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl within ten days or their information will be leaked. This Bitcoin address has received only about $86 in payments so far.

Threat actors have used "sextortion" tactics for a long time, usually sending mass emails to large numbers of people to try to scare them into paying the ransom they are asking for.

What are the best practices to protect against sextortion online?

First, it is vital that you maintain your privacy on the internet. This can be achieved by setting privacy preferences on social media, avoiding revealing personal information publicly and using pseudonyms instead of your real name. Second, you need to be careful with the photos or videos you share online. Even if they are private, they may end up in the wrong hands. Avoid sending sensitive or revealing photos. Third, it is important to use strong and unique passwords for all your accounts. This can help protect against the takeover of your account and the theft of personal information. Fourth, you need to be careful with the people you meet online. Do not trust strangers easily and always confirm their identity before sharing personal information. Finally, if you are a victim of sextortion, it is important to report the incident to the authorities. Do not be ashamed or afraid to ask for help.

Source: bleepingcomputer

Absenta Mia