SecurityWeek

Cybercrime

Facebook Goes to War Against Lecpetex Botnet

Facebook’s Threat Infrastructure team helped law enforcement take down a little-known botnet that may have infected as many as 250,000 computers.

Known as ‘Lecpetex’, the botnet was detected by Facebook last year. According to Facebook, the botnet was used to blast out spam that impacted close to 50,000 accounts at its peak. 

“In addition, the Lecpetex authors appeared to have a good understanding of anti-virus evasion because they made continuous changes to their malware to avoid detection,” according to the Facebook blog. “In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.”

“Lecpetex worked almost exclusively by using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers,” the Facebook team continued.

Most of the victims of the operation were located in Greece, Poland, Norway, India, Portugal and the United States. On April 30, Facebook contacted the Cybercrime Subdivision of the Greek police about the case. 

The efforts to disrupt the botnet did not go unnoticed by its operators. In May, Facebook noticed the command and control servers were leaving notes aimed at them, and the encryption keys being used in the malware contained apparent messages such as ‘IdontLikeLecpetexName.’

Between May and June, Facebook began adding backend measures to disrupt the botnet. On July 3, the Greek police placed two suspects in custody; at the time of their arrest, the malware’s authors were in the process of establishing a Bitcoin “mixing” service to help launder stolen Bitcoins.

“Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person’s online credentials and use that access to spread through private messages,” according to Facebook. “Along the way, it self-installs updates to try to evade anti-virus products and installs arbitrary executables. Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems. We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”

Some of the Lecpetex modules, such as the Litecoin mining software and the DarkComet RAT (remote access tool), used commodity software that can be downloaded from the Web, while others appear to have been custom code written by the botnet’s operators.

“Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control,” Facebook explained. “One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.”
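As an added example (not part of the article or of Facebook’s write-up), the following detector illustrates how a defender could spot the mailbox-polling behaviour described above: it reads constructed proxy log lines, keeps only requests to a watchlist of the disposable-email and paste sites the article names, and flags clients that poll such a host at a near-constant interval. The log lines, client IPs and watchlist are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts the article names as Lecpetex command-and-control channels; a real
# watchlist would come from threat intel, this one is constructed.
C2_WATCHLIST = {"dispostable.com", "pastebin.com"}

LOG_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) https?://([^/\s]+)")

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2014-05-02T10:00:00 10.0.0.5 GET http://dispostable.com/inbox/bot123
2014-05-02T10:05:01 10.0.0.5 GET http://dispostable.com/inbox/bot123
2014-05-02T10:10:00 10.0.0.5 GET http://dispostable.com/inbox/bot123
2014-05-02T10:15:02 10.0.0.5 GET http://dispostable.com/inbox/bot123
2014-05-02T10:03:17 10.0.0.9 GET http://pastebin.com/raw/abc
2014-05-02T11:47:40 10.0.0.9 GET http://pastebin.com/raw/abc
2014-05-02T10:06:00 10.0.0.7 GET http://example.com/news
"""

def parse_log(text):
    """Yield (timestamp, client, host) for lines matching the proxy format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_polling(text, min_hits=3, max_jitter=0.1):
    """Return {client: host} for clients hitting a watchlisted host at a
    near-constant interval, the pattern of a bot checking a mailbox or paste."""
    hits = defaultdict(list)
    for ts, client, host in parse_log(text):
        if host.lower() in C2_WATCHLIST:
            hits[(client, host)].append(ts)
    findings = {}
    for (client, host), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A coefficient of variation near zero means regular, timer-driven polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[client] = host
    return findings

if __name__ == "__main__":
    print(find_polling(SAMPLE_LOG))  # {'10.0.0.5': 'dispostable.com'}
```

The single pastebin.com fetch pair from 10.0.0.9 stays below the hit threshold, which is the intended trade-off: one visit to a paste site is normal user traffic, a clockwork series of fetches to the same page is not.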

“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” Facebook added. “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
