Greece is the most affected country, but the spread is worldwide

Jul 9, 2014 09:43 GMT

A botnet operated by Greek cybercriminals to mine the Litecoin digital currency has been disabled in a joint effort involving Facebook, Greek law enforcement agencies and cyber-security groups.

The malware, dubbed Lecpetex, infected computers through simple social engineering techniques, and its operators constantly modified it in order to avoid detection.

According to statistics provided by the Greek police, the botnet was composed of more than 250,000 infected machines.

The cybercriminals used the bots in social spam campaigns, which, at their peak, managed to hijack about 50,000 Facebook accounts.

The Lecpetex attack was also observed by Bitdefender, and it appears that the botnet operators started their activity before December 2013 and launched over 20 campaigns up to June 2014.

The infection spread by stealing browser cookies in order to gain access to the victim’s list of friends. The next step was to send those friends private messages containing a malicious Java archive disguised as an image file.

To increase the chances that the recipient would run the executable, the message contained a short text string such as “hahaha” or “lol.”

Once executed, the JAR file downloads the Lecpetex main module from a file-sharing service and injects it into the Windows Explorer process.
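As an added defensive illustration (not code from the article, from Facebook or from any of the named vendors), the following Python check flags the kind of lure described above: a file whose name claims to be an image but whose content is a ZIP/JAR archive. The sample attachment is constructed in memory; the file names and labels are assumptions for the example.

```python
import io
import os
import zipfile

# Leading bytes ("magic numbers") of the container formats we care about.
MAGIC = {
    "zip": b"PK\x03\x04",          # ZIP container, which is what a JAR is
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def sniff(data: bytes) -> str:
    """Return the format implied by the file's leading bytes, not by its name."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def looks_like_jar(data: bytes) -> bool:
    """True if data is a ZIP archive carrying a JAR manifest or Java class files."""
    if sniff(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)

def classify_attachment(filename: str, data: bytes) -> str:
    """Flag a file whose extension claims an image but whose content is an archive."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in IMAGE_EXTENSIONS and sniff(data) == "zip":
        return "jar_disguised_as_image" if looks_like_jar(data) else "zip_disguised_as_image"
    return "ok"

def build_sample_jar() -> bytes:
    """Constructed stand-in for a malicious attachment: a minimal JAR with a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Dropper\n")
        zf.writestr("Dropper.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_attachment("hahaha.jpg", build_sample_jar()))      # jar_disguised_as_image
    print(classify_attachment("photo.png", MAGIC["png"] + b"\x00" * 16))  # ok
```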

The file-sharing service was identified as Dropbox both by F-Secure, in a whitepaper on the malware, and by Bitdefender.

Lecpetex’s capabilities included updating the module from the command-and-control server, downloading a Litecoin mining tool and a Facebook spamming module, and downloading and executing an arbitrary executable file, which Facebook’s Threat Infrastructure team identified as the DarkComet RAT.

The efforts to take down the botnet did not go unnoticed by the cybercriminals, who left the following message for the security teams: “Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the [expletive] zeus bot/skynet bot or whatever piece of [expletive].. no fraud here.. only a bit of mining. Stop breaking my [expletive]..”

Facebook’s analysis of the infection spread puts Greece at the top of the list of affected countries, followed by Poland, Norway, India, Portugal, and the United States.

Based on F-Secure’s own telemetry, 40% of the clients affected by Lecpetex were in Italy, and, most surprisingly, 5% of the reported detections came from Brazil.

“Lecpetex’s author(s) took pains to conceal the malware’s presence throughout its installation and execution. For an unsuspecting user, the only major noticeable effect of a Lecpetex infection is a decrease in performance, as the Bitcoin mining silently taking place in the background diverts the machine’s resources,” says F-Secure in the whitepaper.

Two suspects, with the alleged aliases “ferret” and “PEPE,” are believed to be the operators behind the Lecpetex botnet and are currently in the custody of the Greek police.