Facebook's announcement on Lecpetex, in brief

Read the Facebook announcement regarding Lecpetex, published a moment ago! Facebook tried to stop Lecpetex for about 7 (!) months without results!


You can read Facebook's full communication and analysis [here].

The Infrastructure team at Facebook analyzes threat information from all over the web to help keep people on Facebook safe and secure. We build platforms like ThreatData and work closely with our abuse-fighting teams to stay a step ahead of people who try to use Facebook's popularity and reach for bad intentions. Over the last seven months we battled and ultimately helped bring down a little known malware family known as "Lecpetex" that attackers were attempting to spread using Facebook and other online services. We coordinated with several industry partners in disrupting the botnet and proactively escalated the case to law enforcement officials. This post covers the interesting technical elements of the malware and describes our role in taking down the botnet.

The Facebook announcement on Lecpetex, in brief.

Outline

  1. History and overview
  2. Mechanics of the Lecpetex botnet
  3. Facebook helps take down the botnet
  4. Malware technical details

a. Delivery techniques (JAR + VBS + Dropbox)
b. Malware string payload obfuscation (AES128 + SHA1)
c. C2 methodologies (dedicated C2, Pastebin, disposable email accounts)

History and overview

Late last year, our abuse-fighting teams started to see a distinct new botnet. The attack was given the name "Lecpetex" by our peers at the Microsoft Malware Protection Center. Based on statistics released by the Greek Police, the botnet may have infected as many as 250,000 computers. Those infections enabled those who directed the botnet to hijack those computers and use them to promote social spam, which hit 50,000 accounts at its peak. As we describe below, there have been several technical features of the malware that made it more resilient to technical analysis and disruption efforts. In addition, the Lecpetex authors apparently have a good understanding of anti-virus evasion because they made continuous changes to their malware to avoid detection. In total, botnet operators launched more than 20 distinct waves of spam between December 2013 and June 2014.

Lecpetex worked almost exclusively using relatively simple social engineering techniques to trick victims into running malicious Java applications and scripts that infected their computers. (For more on the success of social engineering being used to induce people to run malicious code, see our recent post about self-XSS).
On April 30, 2014, we escalated the Lecpetex case to the Cybercrime Subdivision of the Greek Police, and the agency immediately showed strong interest in the case. On July 3, the Greek Police reported that the investigation had progressed to the final stage and that two suspects were placed in custody. According to the Greek Police, the authors were in the process of setting up a Bitcoin "mixing" service to help launder stolen Bitcoins at the time of their arrest. More details about their findings are available here.

The heat map below shows the distribution of Lecpetex victims as of June 10, 2014, with the highest concentration of victims found in the vicinity of Greece. Because Lecpetex spread through friend and contact networks, the distribution of victims has tended to focus on specific geographies. From our analysis, the most frequently affected countries were Greece, Poland, Norway, India, Portugal and the United States.

The Greek Police developed the following image to illustrate the botnet's operations as part of a presentation on Lecpetex.

Mechanics of the Lecpetex botnet

To better understand the botnet, here is a bit of additional detail about its capabilities and how the operators used it in an attempt to profit.


Fundamentally, the Lecpetex botnet is a collection of modules installed on a Windows computer that can steal a person's online credentials and use that access to spread through private messages. Along the way, it self-installs updates to try to evade anti-virus products and installs arbitrary executables. Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of Litecoin mining software. Ultimately the botnet operators focused on Litecoin mining to monetize their pool of infected systems. We saw reports that the botnet was also seeded using malicious torrent downloads, but did not observe this tactic in our research.

More [here].

According to Facebook, the actions taken to investigate Lecpetex were:

  • December 2013: First detection, in Greece
  • April 10-17, 2014: Measures to limit the malware's activity
  • April 30: Report to the Greek authorities
  • May 2014: The malware creators leave messages (?) on the malware's command pages. The creators use disposable email accounts and public Pastebin pages for testing
  • May - June 2014: Facebook adds targeted security measures to prevent Lecpetex from spreading
  • June 2014: Because of Facebook's restrictions, the creators add spreading via e-mail to the software
  • July 3, 2014: EL.AS (the Greek Police) announces the arrest of two young people as the main developers of the software

Some points of the announcement need special attention:

  • First, at the end of the announcement, Facebook's managers say that cooperation can help identify new techniques to protect Facebook users. Perhaps they should work together with Lecpetex's young creators to enhance the security of the social networking platform.
  • No part of the announcement is directed against Lecpetex's creators, nor does it mention criminal behavior or malicious actions that financially damaged Facebook or any user.
  • The software was located and analyzed, as reported, in collaboration with their partners at Microsoft, government agencies and US law enforcement agencies.
  • The announcement clearly states that the software had excellent features, such as bypassing antivirus products and elements that prevented its analysis by experts, a sample of the authors' high level of knowledge. In addition, they managed to control the software using disposable email accounts and also via Pastebin, something that had not previously been encountered in other malware.
  • At no point does it state that they obtained financial benefit from using the software.

Those responsible for the analysis and detection of the Lecpetex software are members of the Facebook team, specifically the engineers Matt Henley and Matt Richard. In the announcement [here], Matt Henley states that "Lecpetex did not hit Facebook's infrastructure but user terminals."

The Facebook announcement fully confirms the statements of EL.AS as published in the relevant press release a few days ago.


The conclusion is yours to make!

Secnews.gr


Written by giorgos

George still wonders what he's doing here ...

4 Comments

  1. LucasKaimaras
    Thank you for your kind words. All views are respected and have a place on our website. After all, we prefer people who think to those who swallow raw information.

  2. iGuru_gr LucasKaimaras Thanks for the reply, and I would not comment if I did not appreciate your articles and useful information in general. I hurried to comment because I remembered a post from a few days ago that said "Freedom to the children of Lecpetex" and largely made them out to be heroes who managed to show the vulnerability of FB. However, the facts, which you are rightly presenting, show that they were probably opportunists out for profit. The iguru.gr article of course expresses an opinion, wrong in my opinion ("my conclusion of course", but I read this and this is what I understand), as it tries to create an impression in favor of the "lads" while every user was probably at risk of interception or theft.

  3. LucasKaimaras Of course, we too do not agree with any malicious actions, if you ask our opinion, so it is not "OK".
    The information stating that "at no point do you mention that a financial benefit was achieved from the use of the software" was published by the friendly iguru.gr. Maybe their report showed something like that. The police, of course, state another point of view. You can read the announcement in PDF, which mentions many additional details.  http://www.astynomia.gr/images/stories/2014/proki...

  4. If I understand correctly, do you think it is okay that "Lecpetex did not hit Facebook infrastructure but user terminals"? The English text also talks about laundering of stolen Bitcoin, while you comment that "at no point do you mention that a financial benefit was achieved from the use of the software." Am I misunderstanding something?
