The Threat Infrastructure team at Facebook analyzes threat information from all over the web to help keep people on Facebook safe and secure.
Over the last seven months the Facebook Threat Infrastructure team battled and ultimately helped bring down a little-known malware family called “Lecpetex”, which attackers were attempting to spread using Facebook and other online services.
Late last year, Facebook’s abuse-fighting teams started to see a distinct new botnet. The attack was given the name “Lecpetex” by the Microsoft Malware Protection Center. Based on statistics released by the Greek Police, the botnet may have infected as many as 250,000 computers. These infections let the people directing the botnet hijack the computers and use them to push social spam, which impacted close to 50,000 accounts at its peak. Several technical features of the malware made it more resilient to technical analysis and disruption efforts. In addition, the Lecpetex authors appeared to have a good understanding of anti-virus evasion, because they made continuous changes to their malware to avoid detection. In total, the botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.
Lecpetex worked almost exclusively by using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers.
Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person’s online credentials and use that access to spread through private messages. Along the way, it self-installs updates to try to evade anti-virus products and installs arbitrary executables. Facebook’s analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems.
Over the last seven months Facebook saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB). The operators put significant effort into evading Facebook attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection.
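The page does not say how the Lecpetex archives were malformed, only that Windows opened them while scanners failed. The added example below (not Facebook’s code, and not tied to the actual Lecpetex samples) shows the kind of structural check an attachment scanner can run: it parses a ZIP’s central directory and local file headers independently and reports any disagreement between them, which is exactly the gap a lenient extractor and a strict scanner can fall into. The sample archives are constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def zip_consistency_issues(data: bytes) -> list:
    """Compare a ZIP's central directory with its local file headers and report
    disagreements. A well-formed archive returns an empty list; an archive that
    returns findings may still open in a lenient extractor."""
    issues = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    # EOCD: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, _, cd_off, comment_len = struct.unpack_from("<4sHHHHIIH", data, eocd)
    if eocd + 22 + comment_len != len(data):
        issues.append("bytes present after the end of the archive")
    pos, seen = cd_off, 0
    while seen < total and data[pos:pos + 4] == CEN_SIG:
        (_, _, _, _, method, _, _, crc, csize, usize, nlen, elen, clen,
         _, _, _, loc_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + elen + clen
        seen += 1
        if data[loc_off:loc_off + 4] != LOC_SIG:
            issues.append(f"{name!r}: central directory points at no local header")
            continue
        (_, _, lflags, lmethod, _, _, lcrc, lcsize, lusize,
         lnlen, _) = struct.unpack_from("<4sHHHHHIIIHH", data, loc_off)
        lname = data[loc_off + 30:loc_off + 30 + lnlen]
        if lname != name:
            issues.append(f"{name!r}: local header names the entry {lname!r}")
        if lmethod != method:
            issues.append(f"{name!r}: compression method differs between headers")
        # With bit 3 set, CRC and sizes live in a trailing data descriptor; compare only otherwise
        if not (lflags & 0x08) and (lcrc, lcsize, lusize) != (crc, csize, usize):
            issues.append(f"{name!r}: CRC or sizes differ between headers")
    if seen != total:
        issues.append(f"central directory claims {total} entries, found {seen}")
    return issues

def build_sample(tamper: bool = False) -> bytes:
    """Constructed sample: a two-file archive, optionally with the first local
    header's file name altered so the two header sets disagree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world")
    data = bytearray(buf.getvalue())
    if tamper:
        data[30] = ord("x")  # first local header is at offset 0; its name field starts at byte 30
    return bytes(data)
```

`zip_consistency_issues(build_sample())` returns `[]`, while the tampered sample yields a single finding naming `b'a.txt'` against `b'x.txt'`.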
Lecpetex uses several stages and modules to achieve its objectives, including a first-stage downloader, main module loader, main module backdoor, updater, Litecoin miner, and Facebook spam module. Some of these modules, such as the Litecoin miner and the DarkComet RAT, used commodity software that can be freely downloaded from the Internet. Other components appear to have been custom-written by the botnet operators to achieve anti-virus evasion and implement a custom command-and-control architecture.
In May 2014 Facebook began implementing new back-end changes to counter the botnet software. Coin Fire has learned from sources within Facebook who wish to remain anonymous that some of these changes involved several Facebook engineers deliberately infecting company machines, secured as virtual images, in order to intercept the botnet’s commands and watch for changes to the malware, so that the company could better filter out the messages and API calls used to spread it through users’ feeds and messages.
Our inside source at Facebook also confirmed exclusively for Coin Fire that one such technique was looking for specific lines inside the files used for spreading, so that the antivirus and antimalware software installed on Facebook’s servers could filter those files out and eliminate the threat.
We were also able to learn that a small team at Facebook worked nearly exclusively on combating this piece of malware and cooperated extensively with various law enforcement officials to help track down the operators of the botnet, who were later arrested.