Facebook has steadily made progress on implementing its own security force, including the launch of an in-house threat information network last year. That has now borne new fruit, with the takedown of a botnet known as Lecpetex, capable of stealing social credentials and using unsuspecting machines for mining virtual currency.
“Over the last seven months we battled and ultimately helped bring down a little known malware family…that attackers were attempting to spread using Facebook and other online services,” said the company in a Facebook post (where else?). “We coordinated with several industry partners in disrupting the botnet and proactively escalated the case to law enforcement officials.”
The botnet first showed up late last year, discovered by the Microsoft Malware Protection Center. It’s highest concentration of victims is found in the vicinity of Greece; and because Lecpetex spread through friend and contact networks, the distribution of victims tended to concentrate in specific geographies. From Facebook’s analysis, the most frequently affected countries were Greece, Poland, Norway, India, Portugal and the US. Facebook said that the botnet may have infected as many as 250,000 computers.
Lecpetex worked almost exclusively by using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers.
“Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak,” the social network explained. In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.
As for functionality, it's a bit of a mishmash.
“Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person's online credentials and use that access to spread through private messages,” Facebook explained. “Along the way, it self-installs updates to try to evade antivirus products and installs arbitrary executables. Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems. We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”
The malware has several technical features that made it more resilient to technical analysis and disruption efforts. In addition, the Lecpetex authors appeared to have a good understanding of anti-virus evasion because they made continuous changes to their malware to avoid detection.
“Over the last seven months we saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB),” the company noted. “The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade antivirus vendor detection.”
On April 30, Facebook escalated the Lecpetex case to the Cybercrime Subdivision of the Greek police, giving them all of the analysis and information that it could gather on it on an ongoing basis. Then, on July 3, the Greek Police placed two suspects in custody, who were allegedly in the process of establishing a Bitcoin “mixing” service to help launder stolen Bitcoins at the time of their arrest.