Malware Strikes Individuals Searching for Child Pornography

Researchers have discovered a malicious campaign targeting individuals actively seeking child pornography online. Operators of the CryptVPN malware are extorting money from pedophiles.

Hackers have been trying to combat the spread of child pornography in their own way for quite some time. Various malware and ransomware targeting pedophiles began appearing as early as the 2010s. For example, one of the first ransomware of this kind, Anti-Child Porn Spam Protection (ACCDFISA), initially acted as a simple locker that blocked the Windows desktop, but in later versions, it also incorporated file encryption.

One can also recall the high-profile attack on the darknet hoster Freedom Hosting II that occurred in 2017. This compromise affected 10,613 .onion sites, impacting 15-20% of the entire darknet. The hackers claimed it was retaliation for the widespread distribution of child pornography.

According to an article by Bleeping Computer, last week cybersecurity researcher MalwareHunterTeam discovered a sample of the executable file of the CryptVPN malware, which targets pedophiles.

Upon analyzing the malware, researchers concluded that hackers created a fake website posing as UsenetClub, a subscription-based service supposedly providing uncensored access to images and videos from Usenet. Unfortunately, Usenet is indeed considered a known source of child pornography in today’s world.

The fake hacker website offers three subscription levels. Two paid subscriptions range from $69.99 per month to $279.99 per year, and a third option supposedly offers free access, but requires users to install the free CryptVPN software for access.

If a user downloads the CryptVPN.zip archive from the website, they will find a shortcut inside labeled CLICK-HERE-TO-INSTALL, which is actually an executable PowerShell.exe file with arguments to download the CryptVPN.exe executable file, save it as C:\Windows\Tasks.exe, and execute it subsequently.

The malware’s executable file is packed with UPX, but upon unpacking, it contains a PDB string indicating that the author named the malicious program PedoRansom.

Researchers state that the program itself is not particularly noteworthy: it simply changes the victim’s desktop wallpaper to a ransom message and leaves a similar note with a ransom demand in a README.TXT file.

The message reads: “You were searching for materials related to the exploitation of children and/or sexual violence against them. You were stupid enough to get hacked. We have collected information about you, and now you must pay us a ransom, or else your life is over.”

Furthermore, the note states that the individual must pay $500 to the bitcoin address bc1q4zfspf0s2gfmuu8h5k0679sxgxjkd7aj5e6qyl within ten days, or their information will be “leaked.” Currently, only $86 has been received at this address, and researchers doubt that the CryptVPN operators will be able to “earn” much more.

0 / 5

Your page rank:


Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment