7/8/2014
04:25 PM

Facebook Helps Cripple Greek Botnet

Arrests made in Lecpetex malware campaign that was spreading via Facebook, emails.

Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal and mine digital currency, spread via Facebook, and put compromised machines to work mining Litecoin -- infecting some 250,000 machines worldwide.

Two of the alleged masterminds behind the botnet were arrested in Greece last week for their role in the so-called Lecpetex botnet. The attackers included malware in messages they sent to social network users -- including Facebook users -- and the malware then spread itself to the infected users' contacts as well. Aside from mining digital currency via the bots, the attackers also stole email and bank account passwords, including the email address of Greece's Ministry of Mercantile Marine, according to a Greek press report.

Botnet takedowns and disruptions to date have mostly been Microsoft's territory, and many of these cyber criminal infrastructures are traced to Eastern Europe. But Facebook appears to have taken the lead on this one, which hails from Greece, working with Greece's Cyber Crime Division.

Disrupting a botnet's infrastructure is typically a temporary victory, security experts say, as determined cyber criminals will just set up shop elsewhere for their operations.

Facebook's Threat Infrastructure Team said in a detailed post today on the social media site:

Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name "Lecpetex" by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek police, the botnet may have infected as many as 250,000 computers. Those infections enabled those directing the botnet to hijack those computers and use them to promote social spam, which impacted close to 50,000 accounts at its peak.

Lecpetex launched more than 20 different spam runs between December 2013 and June 2014 and relied mainly on social engineering ploys to lure potential victims into running Java applications and scripts that were rigged with malware and infected their machines. Facebook said it contacted the Cybercrime Subdivision of the Greek police on April 30 of this year; the police discovered that, at the time of their arrest, the alleged Lecpetex authors were setting up a Bitcoin service to launder stolen digital currency.

Most of the infected machines were in Greece, but Poland, Norway, India, Portugal, and the US also were big targets of the botnet.

Facebook researchers say the spam messages typically had simple lures like "lol" and a zipped attachment, which, when opened, executed the Java malware. That file then downloaded Lecpetex's main malware file that would allow the infected machine to receive commands to mine Litecoins, download and run the Facebook malicious spam, and download and run other malware -- including DarkComet RAT.

Source: Facebook

The Facebook team said:

Once we realized that traditional protections such as anti-virus products would not altogether remediate this threat, we began employing a range of efforts including working with other infrastructure providers and engaging law enforcement. Our team coordinated efforts and used automated tools to extract critical information from the botnet. Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation. All of these played an equally important role in our efforts.

The Lecpetex operators didn't give up without a fight. In May, they began brazenly leaving notes to the Facebook team in their command and control servers: "Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."

Facebook, along with other partners it would not name publicly, in April began to take down Lecpetex's command and control servers and its distribution, testing, and monetization accounts. The social media firm in May launched other targeted disruptions of the botnet, and the botnet operators in June responded with a mass email campaign to infect machines after Facebook made it harder for the malware to spread on the social network.

Lecpetex also used antivirus evasion techniques and delivered malware via Dropbox.

There were plenty of other creative aspects to the botnet operation. Facebook said:

Early versions of the malware used hardcoded IP addresses and disposable email sites for command and control. One of the unique aspects of the malware is the use of disposable email providers for command and control. They leveraged sites such as dispostable.com that allow anonymous clients to check a mailbox, which in the case of Lecpetex mailboxes would contain bot commands. Later, as our disruption efforts made it harder to use dedicated hosting providers, the operators switched to sites such as pastebin.com to post their commands on public pages hardcoded into the malware.
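As an added defender-side example, not code from the article or from Facebook's post: a small detection sketch that flags workstations polling the disposable-mailbox and paste sites named above at near-constant intervals, the pattern a bot produces when it fetches commands from a mailbox or a hardcoded public page. The proxy log format, hostnames, timestamps and URLs are constructed for the example.

```python
"""Flag hosts beaconing to disposable-mailbox / paste sites used as C2.
All log data below is constructed; only the two domains come from the article."""
from collections import defaultdict
from datetime import datetime

# Domains the article names as Lecpetex command channels; extend per environment.
C2_CHANNEL_DOMAINS = {"dispostable.com", "pastebin.com"}

# Constructed proxy log lines: "<ISO timestamp> <src_host> <method> <url>"
SAMPLE_LOG = """\
2014-05-01T10:00:00 ws-17 GET http://dispostable.com/inbox/botcmd123/
2014-05-01T10:05:01 ws-17 GET http://dispostable.com/inbox/botcmd123/
2014-05-01T10:10:03 ws-17 GET http://dispostable.com/inbox/botcmd123/
2014-05-01T10:15:02 ws-17 GET http://dispostable.com/inbox/botcmd123/
2014-05-01T10:03:11 ws-04 GET http://pastebin.com/raw/abcd1234
2014-05-01T11:30:00 ws-09 GET http://www.example.com/news
2014-05-01T11:31:00 ws-09 GET http://pastebin.com/raw/xyz987
"""

def parse_line(line):
    """Split one log line into (timestamp, host, registrable-ish domain)."""
    ts, host, _method, url = line.split(maxsplit=3)
    domain = url.split("://", 1)[1].split("/", 1)[0].lower()
    if domain.startswith("www."):
        domain = domain[4:]
    return datetime.fromisoformat(ts), host, domain

def find_beaconing_hosts(log_text, min_hits=3, max_jitter_s=30):
    """Return {host: domain} for hosts that hit a C2-channel domain at least
    min_hits times with near-constant spacing (gap spread <= max_jitter_s).
    A single manual visit to a paste site is not enough to be flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, domain = parse_line(line)
        if domain in C2_CHANNEL_DOMAINS:
            hits[(host, domain)].append(ts)
    flagged = {}
    for (host, domain), stamps in hits.items():
        if len(stamps) < max(min_hits, 2):  # need at least one gap to measure
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            flagged[host] = domain
    return flagged

if __name__ == "__main__":
    print(find_beaconing_hosts(SAMPLE_LOG))  # {'ws-17': 'dispostable.com'}
```

Only ws-17, which polls its mailbox every five minutes, is flagged; the one-off paste-site fetches from ws-04 and ws-09 are left alone because a single visit carries no periodicity signal.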

Users who want to check their machines for Lecpetex infections can do so by visiting this page on Facebook.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas (User Rank: Strategist), 7/11/2014 | 12:54:24 PM
Re: :)
@EffyE925 and @Kelly Jackson Higgins, I love how our comments field is driving new information about a breaking story. Great job both of you!
EffyE925 (User Rank: Apprentice), 7/11/2014 | 12:36:29 PM
Re: :)
sent :D
Kelly Jackson Higgins (User Rank: Strategist), 7/11/2014 | 12:24:22 PM
Re: :)
Thanks--would you mind emailing me? [email protected] Thanks!
EffyE925 (User Rank: Apprentice), 7/11/2014 | 12:21:49 PM
Re: :)
Since they are already famous in Greece, if you'd like I can give you their lawyer's number for an interview or more information
EffyE925 (User Rank: Apprentice), 7/11/2014 | 12:20:00 PM
Re: :)
Yep, they were released and charges were dropped since they stole nothing, euros or bitcoins. All they did was BTC mining. Here is a translated version of a Greek website

http://translate.google.com/translate?depth=1&hl=en&ie=UTF8&rurl=translate.google.com&sandbox=0&sl=auto&tl=en&u=http://www.secnews.gr/archives/80902
Kelly Jackson Higgins (User Rank: Strategist), 7/11/2014 | 12:05:05 PM
Re: :)
@EffyE925 Are you saying the suspects were released? Are they still being charged? Can you please point me to information on this? Thanks!
securityaffairs (User Rank: Ninja), 7/10/2014 | 4:38:22 PM
Re: Good job
You are right ... Threat intelligence is becoming a crucial discipline to share data on incidents and cyber threats, allowing early detection and adoption of proper countermeasures.

Regards

PL
Kelly Jackson Higgins (User Rank: Strategist), 7/10/2014 | 4:23:44 PM
Re: Good job
I suppose the good news here is that information- and intelligence-sharing is becoming all the rage today, at least in theory if not in practice. Lots of new ISACs showing up. 
securityaffairs (User Rank: Ninja), 7/10/2014 | 4:21:25 PM
Re: Good job
Like Kelly, I agree: the fight against cybercrime needs joint international collaboration between governments, law enforcement agencies and private companies ... information sharing is another key element.
Kelly Jackson Higgins (User Rank: Strategist), 7/10/2014 | 4:04:43 PM
Re: Good job
It always helps when law enforcement located in the nation that houses the criminals cooperates. There are still a few nations who just won't do this, which obviously is why cybercrime is so rampant in their countries.