SecurityWeek

Cybercrime

Facebook Goes to War Against Lecpetex Botnet

Facebook’s Threat Infrastructure team helped law enforcement take down a little-known botnet that may have infected as many as 250,000 computers.

Known as ‘Lecpetex’, the botnet was detected by Facebook last year. According to Facebook, the botnet was used to blast out spam that impacted close to 50,000 accounts at its peak. 

“In addition, the Lecpetex authors appeared to have a good understanding of anti-virus evasion because they made continuous changes to their malware to avoid detection,” according to the Facebook blog. “In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.”

“Lecpetex worked almost exclusively by using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers,” the Facebook team continued.

Most of the victims of the operation were located in Greece, Poland, Norway, India, Portugal and the United States. On April 30, Facebook contacted the Cybercrime Subdivision of the Greek police about the case. 

The efforts to disrupt the botnet did not go unnoticed by its operators. In May, Facebook noticed the command and control servers were leaving notes aimed at them, and the encryption keys being used in the malware contained apparent messages such as ‘IdontLikeLecpetexName.’

Between May and June, Facebook began adding backend measures to disrupt the botnet. On July 3, the Greek police placed two suspects in custody; at the time of their arrest, the malware’s authors were in the process of establishing a Bitcoin “mixing” service to help launder stolen Bitcoins.

“Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person’s online credentials and use that access to spread through private messages,” according to Facebook. “Along the way, it self-installs updates to try to evade anti-virus products and installs arbitrary executables. Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems. We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”


Some of the Lecpetex modules, such as the Litecoin miner and the DarkComet RAT (remote access tool), used commodity software that can be downloaded from the Web, while others appear to be custom code written by the botnet’s operators.

“Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control,” Facebook explained. “One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.”
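The command channel described above, public pages on disposable-mailbox and paste sites that each bot fetches on a schedule, leaves a footprint in proxy logs. As an added defender-side example (not from the article or from Facebook's own tooling), the script below flags internal hosts that fetch the same page on one of the two named domains at a steady cadence; the log format, client addresses and URLs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean
# Domains the article names as Lecpetex command channels.
C2_CHANNEL_DOMAINS = {"dispostable.com", "pastebin.com"}
# Constructed proxy log lines ("timestamp client method url"), not real traffic:
# .7 polls a paste every ~10 min, .12 a disposable inbox every 30 min, .9 once.
SAMPLE_LOG = """\
2014-05-02T10:00:03Z 10.0.0.7 GET http://pastebin.com/raw.php?i=AAAA1111
2014-05-02T10:10:05Z 10.0.0.7 GET http://pastebin.com/raw.php?i=AAAA1111
2014-05-02T10:12:44Z 10.0.0.9 GET http://pastebin.com/raw.php?i=BBBB2222
2014-05-02T10:15:00Z 10.0.0.7 GET http://example.com/index.html
2014-05-02T10:20:04Z 10.0.0.7 GET http://pastebin.com/raw.php?i=AAAA1111
2014-05-02T10:30:06Z 10.0.0.7 GET http://pastebin.com/raw.php?i=AAAA1111
2014-05-02T11:00:01Z 10.0.0.12 GET http://dispostable.com/inbox/botdrop42/
2014-05-02T11:30:02Z 10.0.0.12 GET http://dispostable.com/inbox/botdrop42/
2014-05-02T12:00:03Z 10.0.0.12 GET http://dispostable.com/inbox/botdrop42/
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, client, host, url) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        url = m.group(4)
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        yield ts, m.group(2), host, url

def find_pollers(log_text, min_hits=3, max_jitter=0.2):
    """Map (client, url) -> average interval in seconds for clients fetching the
    same page on a watched domain >= min_hits times with every gap within
    max_jitter of the average; a one-off visit to the site is not flagged."""
    hits = defaultdict(list)
    for ts, client, host, url in parse(log_text):
        if host in C2_CHANNEL_DOMAINS:
            hits[(client, url)].append(ts)
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg:
            flagged[key] = round(avg)
    return flagged
```

Browsing by a person rarely fetches one paste or one inbox page over and over at a fixed interval, so the (client, url) pairs returned are worth a look in endpoint telemetry.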

“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” Facebook added. “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
