Facebook dismantled Lecpetex botnet which infected 250,000 Computers

Facebook in a joint operation with the Greek Cyber Crime Division dismantled the Lecpetex botnet, which infected 250,000 Computers in different countries.

Facebook has announced to have successfully conducted the takeover of the Lecpetex botnet  in Greece. The bad actors operating in Greece were using the popular social media platform for illicit activities, including data stealing, malware distribution and management of spam campaigns. Facebook experts were supported by Greek Cyber Crime Division and police officers.

The operation discovered by the Facebook security team allowed law enforcement to arrest two individuals accused of being the botmasters of Lecpetex botnet, which infected nearly 250,000 computers with a malicious code that was used to steal Facebook credentials and data from victims as well as drop Litecoin mining software.

“The perpetrators were spreading the malicious software using the program Peer 2 Peer, free cracked versions of popular games, songs and films, which they were sending to their victims. They were stealing bitcoins in order to turn them into euros using the digital currency exchangers available on the internet and to collect illegal profits. At the same time, they were stealing passwords for e-mails and bank accounts (e-banking, PayPal etc.) which they entered into a database. They even stole the e-mail password of  Greece’s Ministry of Mercantile Marine.” reported a Greek news report on the Lecpetex campaign.

The Lecpetex botnet infection was mainly located in Greece, but victims were observed in Poland, Portugal, Norway, India and the United States. Experts at Facebook detected a significant increase in spam traffic starting in December, the investigation allowed the law enforcement agencies to identify the numerous command and control servers belonging to the botnet and also test and monetization accounts.

The attackers have evolved their tactic by adopting different methodologies for control of the bots, including dedicated C2, Pastebin, disposable email accounts.

Lecpetex botnet was used to ran out at least 20 different spam campaigns during a period of seven-month stretch ending in June, allowing bootmasters to manage up to 50,000 accounts to spread malware.

“Over the last seven months we saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB),” “The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection.” reports Facebook.

The operation is the demonstration that the fight to the cybercrime need a joint effort of private companies and law enforcement as happened in the case of recent takeover Zeus Gameover botnet.

“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”Facebook states in an official statement.

The attackers exploited social engineering techniques to trick users into opening an infected .zip attachment, once opened the attachment executes a JAR file, which is used to downloads the Lecpetex module from a file-sharing service, the bad actors used to spread Litecoin mining malware and a version of the DarkComet RAT.

The malicious code also includes a spam module implemented to hijack the victims’s Facebook account with the intent to stealing browser cookies and have the complete control them.

“Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems,” “We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”Facebook reported. 

As explained by Facebook, the bad actors behind Lecpatex botnet had begun moving off Facebook exploiting classing phishing emails, just before the Greek police arrested two Greek students of informatics.

Pierluigi Paganini

Security Affairs –  (Facebook, Lecpetex botnet)