A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating that it will tell law enforcement the victim is spreading child porn. It does this by collecting information about the user, including screenshots of their active desktop, in order to catch them in compromising situations.
It was first discovered through a post on Reddit where the author stated that they downloaded a file from a porn site named Xvideos. Once run, it created a ransom note, but did not encrypt any files.

Based on the information in the post I was able to find a sample of the infection and analyze it. While it does not encrypt a victim's files or upload any data to a remote site, it does an adequate job of scaring a victim into paying their blackmail demand.
PornBlackmailer tries to scare you into paying demands
For the duration of this article, I will be calling the infection PornBlackmailer for lack of a better name. Though the string "HowSexWithDolls" was in each of the three samples I was able to find, I cannot confirm that it is a specific name for this infection or just a campaign name.
While I was not able to find the malware actually being offered by any porn sites, I was able to find three different samples, with the first one being compiled on January 8th at around midnight. These samples all ended with the .scr extension to masquerade as a Windows screensaver.
When started, PornBlackmailer will create a folder at %UserProfile%\AppData\Roaming\Robin\server_logs and store various files in it about your computer, your location, copies of your browser history, and four screenshots of your active desktop.

First it will compile information such as your computer name, account name, computer info, and geographic location based on your IP address and network adapter's MAC address. This information is saved in the your_information.txt file.

If it is able to get your geographic region, it will connect to a variety of sites in order to create an image of your location via Google Maps. This information is saved in your_location.jpg.
It then creates copies of your browser cookie files and saves them in the browser-cookies folder.

It then creates four screenshots of your active desktop, spread out over about a 10 second period. As this program is downloaded from a porn site, the author is probably assuming that the victim is still browsing the porn site, so the screenshots can catch them in the act and the potentially compromising images can be used as further leverage to get the victim to pay.

PornBlackmailer will then change your desktop background to contain information on what happened and how to find the compromising information that was stored in the server_logs folder.

Finally, the blackmailware will create numerous READ_ME.txt files on the Windows desktop that state that the victim was caught in the act of watching and spreading child pornography. It goes on to state that if a blackmail demand of 0.1 bitcoins is not paid, the attacker will send your information to the police.

When creating these notes, the infection randomly selects a bitcoin address from a list included in the executable. Across the available list of addresses, 3 people have paid the blackmail, which is worth about $3,350 USD at today's prices.
The current list of bitcoin addresses used by PornBlackmailer and the number of payments are:
- 1NziehGLXiEP11f3Ei8WjCXyuTdFZVsL2j - 1 payment of 0.1 BTC
- 1CzrDKSSCSJQgWKPMNCUmk6XM3FJosa6JD - 2 payments of 0.1 BTC
- 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q
- 18AfNuXM1XSyz5zTdm4S87N1HCgM8ni5pW
- 12nkyXjwYrqjDWRnPg4HVhnpfjH84bmtdU
- 1GVTebsPjvFPsRZbZfCMXY4HGobFtMQGAD
- 1P8VNkE5eVxZeDZWDsSJRfD14A46sLr6C4
- 1LoUuj2EkqSiP5U1ejw8KR56dfopgSJuw4
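A host triage helper, added here as an example and not code from the article: it checks a user profile for the dropped files described above (the temps.exe dropper, the Robin\server_logs folder, the READ_ME notes), pulls any bitcoin address out of the notes and matches it and the dropper's SHA-256 against the indicators listed on this page. The demo() profile tree and its file contents are constructed sample data; run triage(Path.home()) on a real host.

```python
"""Triage helper for PornBlackmailer artifacts (added example, not the article's code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 sample hashes and bitcoin addresses as listed in the article's IOCs
KNOWN_HASHES = {
    "a3e8b2a7399fd333e965dbc5f463a270efe9d9b35d0e314ec0a5c7a3e0eae4fe",
    "c932638dc6f55ca6e33f0dfc4b09945b19910a1c8bb44934ff22ea6e2cb60653",
    "7e08b7b5f3fec3b3c6099d5ccfc50734c153b7d98f2648961fcb88760396a064",
}
KNOWN_ADDRESSES = {
    "1NziehGLXiEP11f3Ei8WjCXyuTdFZVsL2j", "1CzrDKSSCSJQgWKPMNCUmk6XM3FJosa6JD",
    "1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q", "18AfNuXM1XSyz5zTdm4S87N1HCgM8ni5pW",
    "12nkyXjwYrqjDWRnPg4HVhnpfjH84bmtdU", "1GVTebsPjvFPsRZbZfCMXY4HGobFtMQGAD",
    "1P8VNkE5eVxZeDZWDsSJRfD14A46sLr6C4", "1LoUuj2EkqSiP5U1ejw8KR56dfopgSJuw4",
}
# Dropped paths relative to %UserProfile%, from the article's file IOCs
ARTIFACTS = ["AppData/Roaming/temps.exe", "AppData/Roaming/bg_robin.jpg",
             "AppData/Roaming/Robin", "Robin/server_logs"]
BTC_RE = re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy base58 addresses


def triage(profile: Path) -> dict:
    """Report dropped artifacts, ransom notes, and any match against known IOCs."""
    found = [p for p in ARTIFACTS if (profile / p).exists()]
    notes = sorted(profile.glob("Desktop/READ_ME*.txt")) + \
        sorted(profile.glob("Robin/server_logs/READ_ME.txt"))
    addrs = set()
    for note in notes:  # the note embeds one address picked from the built-in list
        addrs |= set(BTC_RE.findall(note.read_text(errors="replace")))
    hashes = {hashlib.sha256(exe.read_bytes()).hexdigest()
              for exe in profile.glob("AppData/Roaming/*.exe")}
    return {"artifacts": found, "notes": [str(n.relative_to(profile)) for n in notes],
            "addresses": addrs, "known_addresses": addrs & KNOWN_ADDRESSES,
            "known_hashes": hashes & KNOWN_HASHES,
            "infected": bool(found or addrs & KNOWN_ADDRESSES or hashes & KNOWN_HASHES)}


def demo() -> dict:
    """Constructed profile tree mimicking an infected host (sample data, not a capture)."""
    root = Path(tempfile.mkdtemp())
    (root / "Desktop").mkdir()
    (root / "Robin/server_logs").mkdir(parents=True)
    (root / "AppData/Roaming").mkdir(parents=True)
    (root / "AppData/Roaming/temps.exe").write_bytes(b"placeholder, not the dropper")
    (root / "Robin/server_logs/your_information.txt").write_text("constructed")
    (root / "Desktop/READ_ME_1.txt").write_text(
        "-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q\n")
    return triage(root)
```

Because the placeholder dropper is not a real sample, the demo matches on artifacts and the note's address but reports no hash match.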
Blackmailware and Scare Tactics may be more efficient than Ransomware
While the number of payments is fairly low, it does show that this can be an effective and efficient way for a criminal to generate revenue. With traditional ransomware, a developer has to communicate with their victims, process payments, manage encryption keys, and manage Command & Control servers.
Blackmailware, on the other hand, just has to paint a convincing enough picture to scare a victim into paying a small demand in order to keep the attacker's mouth shut. Screenshots are especially effective: if they are compromising in any way, they could be the tipping point between not paying and paying.
IOCs
PornBlackmailer Hashes:
a3e8b2a7399fd333e965dbc5f463a270efe9d9b35d0e314ec0a5c7a3e0eae4fe
c932638dc6f55ca6e33f0dfc4b09945b19910a1c8bb44934ff22ea6e2cb60653
7e08b7b5f3fec3b3c6099d5ccfc50734c153b7d98f2648961fcb88760396a064
Files associated with PornBlackmailer:
%UserProfile%\AppData\Roaming\bg_robin.jpg
%UserProfile%\AppData\Roaming\Robin\
%UserProfile%\AppData\Roaming\temps.exe
%UserProfile%\Robin\
%UserProfile%\Robin\server_logs
%UserProfile%\Robin\server_logs\browser-cookies
%UserProfile%\Robin\server_logs\browser-cookies\firefox-cookies.sqlite
%UserProfile%\Robin\server_logs\browser-cookies\google-chrome-cookies
%UserProfile%\Robin\server_logs\browser-cookies\google-chrome-history
%UserProfile%\Robin\server_logs\desktop_screens\
%UserProfile%\Robin\server_logs\desktop_screens\desktop_[time].jpg (four files, one per screenshot)
%UserProfile%\Robin\server_logs\READ_ME.txt
%UserProfile%\Robin\server_logs\your_information.txt
%UserProfile%\Desktop\READ_ME.txt
%UserProfile%\Desktop\READ_ME_1.txt
%UserProfile%\Desktop\READ_ME_2.txt
%UserProfile%\Desktop\READ_ME_3.txt
%UserProfile%\Desktop\READ_ME_4.txt
%UserProfile%\Desktop\READ_ME_5.txt
%UserProfile%\Desktop\READ_ME_6.txt
%UserProfile%\Desktop\READ_ME_7.txt
%UserProfile%\Desktop\READ_ME_8.txt
%UserProfile%\Desktop\READ_ME_9.txt
PornBlackmailer Network Communication:
maps.googleapis.com/maps/api/geocode/json?latlng=
mobile.maps.yandex.net/cellid_location/?wifinetworks=
iplogger.com/1zHjN6
PornBlackmailer Blackmail Note:
You looked through forbidden children's porn!
Also, you are involved in its spread.
This is very very very bad!
So information about your location (ip, mac, real address) and other needed data (browser cookies, social network links, desktop screens, browser history, passwords)
were collected and sent to our server.
You can see part of data was collected in "C:\Users\User\Robin\server_logs"
in the files "your_information.txt" and your location on map in "your_location.jpg".
Also you can see more other information about you in near folders and cookies files.
All these data was send to the our server in the internet and can not be deleted by you.
All these data and complaints will be automatically forwarded to the special police departments (FBI, CIA, INTERPOL, MVD, FSB) exactly 24 hours after the current moment (this is not joke, automatically proccess).
This will be enough to put you in jail for at least 1 year. Believe me, you are not the first.
HOWEVER, if you send "0.01 BTC" to the address specially generated for you, all your data will also be automatically deleted from our server and you will live peacefully, having received a lesson.
REPEAT: To forget about this incident, you need to send "0.01 BTC" to the bitcoin address (specially generated for you) below. Then all your data will also be automatically deleted from our server.
This is not joke! Your data will indeed be sent to POLICE departments with help of email if you do not send 0.01 BTC.
All process is fully automatic.
Believe me, these pennies do not cost 1 or more years in jail.
-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q (specially generated for you)
-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q (specially generated for you)
-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q (specially generated for you)
If you do not pay, then tomorrow at exactly 9:14:42 AM o'clock your data will be automatically sent to the police emails and posted to public forums.
If you don't know how to buy bitcoin, just type to google "How to buy bitcoins?".
We hope you make the right decision and will sleep peacefully.
The script on the server will automatically delete your data after the payment is received on the wallet.


Comments
Crunkia1 - 3 years ago
hi
LAWRENCE, make sure everyone knows there is no safe site, as sites can be prey. I am more a scientist, but have mental illness, and been learning. Anyway, stay away from porn sites, don't go near children's sites, know who you are talking to. You can always buy Playboy magazine if you need it.
When you type in an address, double check it before you go there; hackers make similar addresses with misspellings. They ask for your password, and ask for personal info, just as the real site would. Next you're under fire from hackers.
BEWARE
Crunkia1
rhasce - 3 years ago
Despicable man, this is very bad these people doing this are very sick in the head.
Crunkia1 - 3 years ago
I agree, but innocent people's lives may be destroyed over hackers. Not sure how this virus spreads. I remember PlayStation Network being hacked when I had a PS3; it was down for about a month.
Call of Duty ROCKS....... Sick people be contained. So much on the internet like the pyramids, get a life.
Crunkia1
Slow-botomy - 3 years ago
I say good for em in a sense. Xvideos is a site that distributes pirated and stolen content, taking money away from the people who worked to create them, the actual copyright holders. The people that frequent these sites, and aiding in the theft and blackmarket distribution of stolen goods, and I say they get what's coming to them. Internet piracy is rampant, and if the fear of having to explain to the authorities how the accusations are untrue, and prove it (or heaven forbid they are true) is enough to make someone stop. Well good enough for me. Drop in a bucket, I understand, but it's drops that made the bucket overflow in the first place. Call out the thieves, hold em accountable, hit where it hurts and make them think twice. Smart blackmailers.
Lawrence Abrams - 3 years ago
That's interesting. I had no idea you could download videos from Xvideos. So that explains how it was being offered. Probably as part of a download.
SuperSapien64 - 3 years ago
This is why we need a Crackle of porn. A legitimate, free, legal (with premium option) porn site.
s1cklyr1cs - 3 years ago
I tried posting before with a different news article and it wouldn't let me post; the "make a comment" or "add your comment" wasn't available. If you're into porn you can watch porn on these sites. Some of the porn I disagree with (I have reported some porn on xvideos and xnxx sites) but there is a lot of porn that is OK. As for downloads, he mentioned he downloaded a porn video and it had a dot-scr file and he double clicked on it and nothing happened. Yes, something happened: he got infected. If you go to download porn make sure your antivirus is active (license hasn't expired or the trial period isn't over) and completely updated, and the web access protection and real-time file protection are enabled, and then download the file.
Also, you can't download two files at once unless they're zipped up, unless you have a mass downloader, something similar to Bulk Image Downloader but for downloads, not images, or just a downloader that allows you to click on a download button and download all files at one time. I have never seen a download that has two items that is not zipped in a zip file format of some kind, and the article doesn't mention anything like a zip file format. If there is a zip file, download it and extract the files, but if there is a dot-scr file just delete it and don't open it. I made the mistake once of clicking on a link a guy sent me that was in my friends list on Steam. I downloaded the file but it was a dot-exe and the icon was a picture, as if it's supposed to have a png, jpg, jpeg, bmp or gif extension, and it wasn't. I double clicked on it and the same thing happened to me: nothing happened on the screen, it happened in the background. I got keylogged, had to call Steam and verify my credit card number, then I got my account back. Just be careful and stream when possible, and if you have to download make sure you have reputable, adequate protection enabled and running, and delete any files that are downloaded that you didn't intend to download.
Lawrence Abrams - 3 years ago
My guess is that the person tried to download a video and was instead given the .scr file. I agree, never open a .scr file downloaded from a site. Renaming .exe files to .scr is a common tactic used by malware distributors.
Goin2Dover - 3 years ago
I manage a PC sales and repair shop. I love these sites they put bread on the table.
Stupid is as stupid does.
NickAu - 3 years ago
Quote
" That's interesting. I had no idea you could download videos from Xvideos."
Easily done on Chrome and Firefox using an add-on, I just tried it. I sometimes download a movie from a streaming site using the add-on and have yet to find a site I can't download from.
Please note, while I do sometimes download a movie I always buy the legit DVD when it's released. E.g. all the Game of Thrones series; I do not have cable TV.
Quote
"First discovered from a post on Reddit where the author stated that they downloaded a file from a porn site named Xvideos. Once ran, it created a ransom note, but did not encrypt any files."
Did they click the download link to the video like in my screenshot or use a browser plug-in, or did they use a third-party site? I know there's a trick to downloading YouTube videos simply by adding 2 letters after www.
https://imgur.com/ozmsIHI