- Slow Computer
- System crashes
- Normal system programs crash immediately
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
When you hear the word Varenyky, an image of a bowl filled with Ukrainian dumplings might pop up in your head instantly, but this is not what we are writing this report about. Instead, we are reporting on a malicious Trojan that is likely to become more prevalent in the future. Of course, it is always possible that the attackers behind it will abandon it, but from what we have seen, it is likely that they are only gearing up. Hopefully, our prediction is wrong and Windows users will not have to face this threat. However, it has been attacking Windows users in France since the summer of 2019, and it is possible that it could cross over to other regions and start attacking systems on a larger scale. In this report, we show how to remove Varenyky, as well as how to protect the system and yourself against this threat in the future. If you are interested, please continue reading. Also, do not forget to add questions or comments below if you want to continue the discussion.
Thus far, Varenyky has been terrorizing Windows users in France, who have been receiving fake emails containing the launcher of the threat. This method of malware distribution is quite common these days, and cybercriminals use it to spread ransomware and, of course, Trojans, which is what Varenyky is classified as. It is not hard to fool gullible users with misleading email messages. All that the attacker needs to do is create an intriguing subject line and a convincing message inside. In some cases, they are even capable of spoofing legitimate email addresses to fool people. If you are tricked into opening what looks like a document file, and then you enable macros, the dangerous Trojan is executed without you even knowing about it. This is why it is best to delete all strange and unexpected messages without even opening them. For example, if you are told that you won a lottery, but you do not remember participating in one, you are definitely being scammed. Once executed, the Trojan is dropped into the %APPDATA% and %TEMP% directories. The malicious files in these directories must be removed ASAP.
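Because the infection chain described above depends on the user clicking "Enable Content" in a macro-enabled document, the cheapest defence is to stop Word from offering that choice. The following PowerShell is an added example, not code from the original article or from the malware authors; it audits and, if asked, tightens the Word VBA macro setting in the current user's registry hive. It assumes Office 2016/365 (registry version "16.0") and covers Word only; the equivalent keys for Excel and PowerPoint follow the same layout.

```powershell
# Added example: audit / harden the Word macro setting for the current user.
# Assumption: Office 2016/365 ("16.0"); only Word is handled here.
# VBAWarnings meanings: 1 = enable all, 2 = disable with notification (Word default),
#                       3 = disable all except digitally signed, 4 = disable all.
$WordSecurityKey = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'

function Get-WordMacroSetting {
    $value = (Get-ItemProperty -Path $WordSecurityKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    switch ($value) {
        1 { 'Enable all macros (dangerous)' }
        2 { 'Disable with notification (user can still click Enable Content)' }
        3 { 'Disable all except digitally signed macros' }
        4 { 'Disable all macros without notification' }
        default { 'Not set (Word default: disable with notification)' }
    }
}

function Set-WordMacroSetting {
    # Level 4 blocks every macro; level 3 still allows macros signed by a trusted publisher.
    param([ValidateSet(3, 4)][int]$Level = 4)
    if (-not (Test-Path $WordSecurityKey)) { New-Item -Path $WordSecurityKey -Force | Out-Null }
    Set-ItemProperty -Path $WordSecurityKey -Name VBAWarnings -Value $Level -Type DWord
    # Additionally block macros in files that carry the Mark-of-the-Web,
    # i.e. documents that arrived as downloads or e-mail attachments.
    Set-ItemProperty -Path $WordSecurityKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Audit only by default; call Set-WordMacroSetting -Level 4 to apply the hardened setting.
"Current Word macro setting: $(Get-WordMacroSetting)"
```

Note that a value set under HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security by Group Policy overrides the per-user key above, so on a domain-joined machine check both locations before concluding that macros are blocked.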
After successful execution, Varenyky is expected to start gathering data. It is likely to record some data about the computer, the operating system, and the user. Then, it might send that data to a remote server, where the attackers can analyze it and use it for whatever they need. The most important task, however, is to monitor users’ activity to check when they visit adult websites. Once the infection detects that the user is watching adult content, it starts recording them via the integrated camera. Needless to say, if Varenyky invades a computer without a camera connected to it, this does not happen. It was found that the Trojan has been sending so-called sextortion emails to random email accounts. The emails are meant to convince the recipients that they were recorded and that they need to do something (most likely, pay money) in return for the recordings to remain private. At the time of research, the Trojan was sending this message randomly, but it is possible that, in the future, the attackers could connect the recordings to the actual people in them. In that case, the victims could start obeying the demands of the attackers. Of course, we hope that this does not happen.
You do not need to identify malicious files within the %TEMP% directory because all files can be deleted. When it comes to the files in the %APPDATA% directory, it is crucial that you identify the malicious ones because you do not want to end up deleting harmless files. If you do not think that you can delete Varenyky manually, we strongly recommend employing anti-malware software. It will automatically detect and remove every single malicious file, and, at the same time, your operating system’s security will be taken care of. While you might be most worried about the removal of the Trojan at this time, securing the system is the most important task because vulnerable systems are the first ones to get hit by malware. Once you remove Varenyky, make sure you change passwords and look out for suspicious activity because you do not know what kind of information the attackers could have gathered already.
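The removal advice above asks the reader to tell malicious files in %APPDATA% apart from legitimate ones. The script below is an added example, not code from the original article, that supports that step: it lists recently modified executable and script files under %TEMP% and %APPDATA% together with their SHA256 hash and Authenticode signature status, and deletes nothing, so the user can review the list before removing anything. The 14-day look-back window and the extension list are this example's own choices, not values from the article.

```powershell
# Added example: triage the two drop locations named in the article (%APPDATA%, %TEMP%)
# without deleting anything. Assumptions: 14-day window and the extension list are
# illustrative; adjust them to the date the suspicious e-mail was opened.
$LookBackDays       = 14
$SuspectExtensions  = '.exe', '.dll', '.scr', '.vbs', '.js', '.ps1', '.bat', '.cmd', '.hta'
$Roots              = @($env:TEMP, $env:APPDATA)

function Get-SuspectDropFiles {
    param([int]$Days = $LookBackDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff -and $SuspectExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [PSCustomObject]@{
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTime
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    # 'Valid' usually means a signed vendor binary; 'NotSigned' deserves a closer look.
                    Signature = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

# Report newest files first. Nothing is removed by this script.
Get-SuspectDropFiles | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Unsigned binaries or scripts that appeared around the time the suspicious email was opened are the entries to scrutinize; the hash column lets you look each one up in your anti-malware vendor's database before deciding. When you do delete, run `Remove-Item -WhatIf` on the chosen paths first to confirm the list, and expect a file that the running Trojan still holds open to resist deletion until the process is stopped or the machine is rebooted.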