Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn

br82186

A new specimen of “infostealer” malware offers a disturbing feature: It monitors a target’s browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim.



Sextortion-based hacking, which hijacks a victim's webcam or blackmails them with nudes they're tricked or coerced into sharing, has long represented one of the most disturbing forms of cybercrime. Now one specimen of widely available spyware has turned that relatively manual crime into an automated feature, detecting when the user is browsing pornography on their PC, screenshotting it, and taking a candid photo of the victim through their webcam.



On Wednesday, researchers at security firm Proofpoint published their analysis of an open-source variant of “infostealer” malware known as Stealerium that the company has seen used in multiple cybercriminal campaigns since May of this year. The malware, like all infostealers, is designed to infect a target's computer and automatically send a hacker a wide variety of stolen sensitive data, including banking information, usernames and passwords, and keys to victims' crypto wallets. Stealerium, however, adds another, more humiliating form of espionage: It also monitors the victim's browser for web addresses that include certain NSFW keywords, screenshots browser tabs that include those words, photographs the victim via their webcam while they're watching those porn pages, and sends all the images to a hacker—who can then blackmail the victim with the threat of releasing them.

“When it comes to infostealers, they typically are looking for whatever they can grab,” says Selena Larson, one of the Proofpoint researchers who worked on the company's analysis. “This adds another layer of privacy invasion and sensitive information that you definitely wouldn't want in the hands of a particular hacker.”

“It's gross,” Larson adds. “I hate it.”

Proofpoint dug into the features of Stealerium after finding the malware in tens of thousands of emails sent by two different hacker groups it tracks (both relatively small-scale cybercriminal operations), as well as a number of other email-based hacking campaigns. Stealerium, strangely, is distributed as a free, open source tool available on GitHub. The malware’s developer, who goes by the name witchfindertr and describes themselves as a “malware analyst” based in London, notes on the page that the program is for “educational purposes only.”



“How you use this program is your responsibility,” the page reads. “I will not be held accountable for any illegal activities. Nor do i give a shyt how u use it.”


In the hacking campaigns Proofpoint analyzed, cybercriminals attempted to trick users into downloading and installing Stealerium as an attachment or a web link, luring victims with typical bait like a fake payment or invoice. The emails targeted victims inside companies in the hospitality industry, as well as in education and finance, though Proofpoint notes that users outside of companies were also likely targeted but wouldn't be seen by its monitoring tools.

Once it's installed, Stealerium is designed to steal a wide variety of data and send it to the hacker via services like Telegram, Discord, or the SMTP protocol in some variants of the spyware, all of which is relatively standard in infostealers. The researchers were more surprised to see the automated sextortion feature, which monitors browser URLs for a list of pornography-related terms such as “sex” and “porn,” which can be customized by the hacker and trigger simultaneous image captures from the user's webcam and browser. Proofpoint notes that it hasn't identified any specific victims of that sextortion function, but suggests that the existence of the feature means it has likely been used.

More hands-on sextortion methods are a common blackmail tactic among cybercriminals, and scam campaigns in which hackers claim to have obtained webcam pics of victims looking at pornography have also plagued inboxes in recent years—including some that even try to bolster their credibility with pictures of the victim's home pulled from Google Maps. But actual, automated webcam pics of users browsing porn is “pretty much unheard of,” says Proofpoint researcher Kyle Cucci. The only similar known example, he says, was a malware campaign that targeted French-speaking users in 2019, discovered by the Slovakian cybersecurity firm ESET.

The pivot to targeting individual users with automated sextortion features may be part of a larger trend of some cybercriminals—particularly lower-tier groups—turning away from high-visibility, large-scale ransomware campaigns and botnets that tend to attract the attention of law enforcement, says Proofpoint's Larson.

“For a hacker, it's not like you're taking down a multimillion-dollar company that is going to make waves and have a lot of follow-on impacts,” Larson says, contrasting the sextortion tactics to ransomware operations that attempt to extort seven-figure sums from companies. “They're trying to monetize people one at a time. And maybe people who might be ashamed about reporting something like this.”

 

 

Killer Instinct

More hands-on sextortion methods are a common blackmail tactic among cybercriminals, and scam campaigns in which hackers claim to have obtained webcam pics of victims looking at pornography have also plagued inboxes in recent years—including some that even try to bolster their credibility with pictures of the victim's home pulled from Google Maps.

I've actually gotten this email several times late last year before they gave up. The Google Maps reference they used hadn't been my residence since 2018, and it wasn't even the right house or street. :mjlol: I'm married, 32, all student loan debt paid off with six figures in savings. I'm not negotiating with terrorists.:heh:

"Hey Killer, we got you on camera with your dikk in your hand watching Black Beauties Vol #4."



"We'll release the tapes."



It's 2025. My shyt will be buried on Pornhub within 24 hours :heh:
 