Facebook Fights Malware, Calls Greek Police and Wins

For the last seven months, Facebook has been duking it out with an elusive pair of malware authors who’ve been using the social media platform to spread a cryptocurrency mining botnet through spam. Dubbed Lecpetex, the botnet spread from friend to friend through private message spam containing malicious executables and scripts.

Facebook reports that the highest concentration of infection was in Greece, and that Lecpetex infected a total of 250,000 accounts – with an additional 50,000 accounts affected by the botnet’s spam. Lecpetex was capable of the following commands:

  • fbspread (spread via Facebook)
  • fbusernames (use browser cookies to collect Facebook usernames and passwords)
  • ltc (turn Litecoin mining on or off for a group or all)
  • hwinfo (collect CPU, RAM, GPU info from each victim)
  • payload install (arbitrary executable)
  • restart system
  • CoreUpdate (update core module)

Lecpetex’s authors were also capable of the following humor ;):

Hello people.. :) <!-- Designed by the SkyNet Team --> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz..

The above was a message FB security researchers retrieved from the bot’s C&C servers, after their counter efforts were launched. Playful though it may be, it wasn’t enough to keep the cybercrooks from being terminated. Soon after Facebook discovered the bot’s concentration in Greece, they contacted local authorities and established a collaborative effort. Today, both malware authors are sitting in jail. Among the confiscated goods, Greek police found evidence that the authors were working on a cryptocurrency “mixer,” the intent of which would have been to launder stolen coins. Additionally, reports indicate that Lecpetex managed to steal an email password connected to the Greek Ministry of Mercantile Marine.

For full coverage and technical analysis, see Taking Down the Lecpetex Botnet by the Facebook Security Team. Also, the Greek Police have published a PDF slideshow recounting their tale of glory.

At present, Lecpetex is no longer an active threat; however, anyone who thinks they may have been infected by the botnet is encouraged to contact Emsisoft Support as soon as possible. Have a great (bot-free) day!