U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Facebook dismantled Lecpetex botnet which infected 250,000 Computers

Facebook in a joint operation with the Greek Cyber Crime Division dismantled the Lecpetex botnet, which infected 250,000 Computers in different countries. Facebook has announced to have successfully conducted the takeover of the Lecpetex botnet  in Greece. The bad actors operating in Greece were using the popular social media platform for illicit activities, including data stealing, malware distribution […]

Facebook dismantled Lecpetex botnet which infected 250,000 Computers

Facebook in a joint operation with the Greek Cyber Crime Division dismantled the Lecpetex botnet, which infected 250,000 Computers in different countries.

Facebook has announced to have successfully conducted the takeover of the Lecpetex botnet  in Greece. The bad actors operating in Greece were using the popular social media platform for illicit activities, including data stealing, malware distribution and management of spam campaigns. Facebook experts were supported by Greek Cyber Crime Division and police officers.

The operation discovered by the Facebook security team allowed law enforcement to arrest two individuals accused of being the botmasters of Lecpetex botnet, which infected nearly 250,000 computers with a malicious code that was used to steal Facebook credentials and data from victims as well as drop Litecoin mining software.

“The perpetrators were spreading the malicious software using the program Peer 2 Peer, free cracked versions of popular games, songs and films, which they were sending to their victims. They were stealing bitcoins in order to turn them into euros using the digital currency exchangers available on the internet and to collect illegal profits. At the same time, they were stealing passwords for e-mails and bank accounts (e-banking, PayPal etc.) which they entered into a database. They even stole the e-mail password of  Greece’s Ministry of Mercantile Marine.” reported a Greek news report on the Lecpetex campaign.

The Lecpetex botnet infection was mainly located in Greece, but victims were observed in Poland, Portugal, Norway, India and the United States. Experts at Facebook detected a significant increase in spam traffic starting in December, the investigation allowed the law enforcement agencies to identify the numerous command and control servers belonging to the botnet and also test and monetization accounts.

Lecpetex botnet infection

The attackers have evolved their tactic by adopting different methodologies for control of the bots, including dedicated C2, Pastebin, disposable email accounts.

Lecpetex botnet was used to ran out at least 20 different spam campaigns during a period of seven-month stretch ending in June, allowing bootmasters to manage up to 50,000 accounts to spread malware.

“Over the last seven months we saw the botnet operators experiment with different social engineering tactics, including embedding Java JAR files, using Visual Basic Scripts (VBS), and creating malformed ZIP archives and Microsoft Cabinet files (CAB),” “The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail. The files used in the spam messages were also refreshed frequently to evade anti-virus vendor detection.” reports Facebook.

The operation is the demonstration that the fight to the cybercrime need a joint effort of private companies and law enforcement as happened in the case of recent takeover Zeus Gameover botnet.

“Staying ahead of the latest threats is a complex job, and Lecpetex was a particularly persistent malware family,” “We hope this example will illustrate that cooperation can be helpful and productive in shutting down botnets, particularly when criminals abuse multiple online platforms to achieve their aims.”Facebook states in an official statement.

The attackers exploited social engineering techniques to trick users into opening an infected .zip attachment, once opened the attachment executes a JAR file, which is used to downloads the Lecpetex module from a file-sharing service, the bad actors used to spread Litecoin mining malware and a version of the DarkComet RAT.

The malicious code also includes a spam module implemented to hijack the victims’s Facebook account with the intent to stealing browser cookies and have the complete control them.

“Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems,” “We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.”Facebook reported. 

As explained by Facebook, the bad actors behind Lecpatex botnet had begun moving off Facebook exploiting classing phishing emails, just before the Greek police arrested two Greek students of informatics.

Pierluigi Paganini

Security Affairs –  (Facebook, Lecpetex botnet)